su_exe feature


Edgars

Sep 8, 2014, 8:53:46 AM
to ansible...@googlegroups.com
Hi

I see that Ansible has sudo_exe feature for alternative sudo implementations. Would it be possible to implement also su_exe for alternative su implementations? In particular I am interested in CA AccessControl sesu utility: https://support.ca.com/cadocs/0/CA%20Access%20Control%2012%205%205-ENU/Bookshelf_Files/HTML/1358981.html

Thanks
Edgars

Michael DeHaan

Sep 8, 2014, 9:19:13 AM
to ansible...@googlegroups.com
I think so.  (Would be open to contributions, but we could also do it ourself if needed).

Is it mostly flag compatible?

The one thing I want to fix with sudo_exe is it should be settable per inventory host, so we'll probably do that at the same time too, and leave the ansible.cfg setting for a default.

--Michael


Edgars

Sep 9, 2014, 3:06:58 AM
to ansible...@googlegroups.com
Well, sesu supports the "-" flag and the "-c" flag just like su. Those two are the most important, I guess. The main difference is that su requires the root password when you switch to root, while sesu requires the user's password, just like sudo. But I don't think that this should be a problem.

Edgars

Michael DeHaan

Sep 9, 2014, 12:45:02 PM
to ansible...@googlegroups.com

damase...@gmail.com

Aug 27, 2015, 7:24:01 AM
to Ansible Project
Was there any update on adding the ability to use sesu? Note that in our case sesu does NOT prompt for the 'to become' user. Here is how we use it:

1) login under my personal user id
2) run "sesu - <to_become_user_id>"
3) ... it will NOT ask for any password and will directly log me in under the to_become_user_id

FYI, here is the output of sesu --help:

CA ControlMinder sesu v12.80.0.1494 - Surrogate utility
Copyright (c) 2013 CA. All rights reserved.

Usage: `sesu [-] [name] [-l] [-n] [-s shell] [-c command]`
        -h              Displays this help and exits.
        <name>          Changes ID associated with session to that of
                         <name> user.
        - <name>        Same but sets environment like the target user.
        -l              shell will be a login shell. This option is currently supported only on Linux
        -s              Next argument is a shell that will be used instead of the user's default shell. This option is currently supported only on Linux
        -c              Next argument is a command.
        -n              Do not prompt for invoker password.
 NOTE: If the security authorization server is not found, system
 /bin/su will be used instead.

and here is a bit more info from the man page:

NAME
       sesu - Surrogate utility

SYNOPSIS
       sesu [ - ] [ options ] [ name ]

DESCRIPTION
       The  sesu  utility provides a transparent su command that does not require the user
       to provide the password of the substituted user. The authorization process is based
       solely on AccessControl access rules as defined in class SURROGATE.

... hope that helps a bit :)

Brian Coca

Aug 27, 2015, 6:19:11 PM
to Ansible Project
try setting ansible_su_exe in the inventory



--
Brian Coca

damase...@gmail.com

Aug 31, 2015, 8:41:44 AM
to Ansible Project
Thanks Brian - I didn't know that was possible (it is not documented in the default config file) - yes, that actually gets me much closer - THANK YOU :-)

However, I am now getting another error, since ansible does not seem to be able to ignore the standard 'login information messages' during the su / sesu login process...

Here is what I did:

Edit /etc/ansible/ansible.cfg:

su_exe = /usr/seos/bin/sesu
su_flags = -

the '-' flag will make sure that I also set the user's environment - which ultimately triggers the standard welcome login messages etc.

so then when I run this

ansible prime -i inv_file -m ping -u my_real_user -S -R user_to_sesu -k

I get:

servername.com | FAILED => failed to parse:
*****************************************************************************
* blahblahblah....                                                          *
*****************************************************************************

Last login time was Aug 31 08:14 !!!
Good Morning my_real_user

Setting up the user_to_sesu environment...

SUDO-SUCCESS-kfpcgrtikenauccyjbtyasaltqglfhzx
{"changed": false, "ping": "pong"}
logout

When I remove the 'su_flags' from the config it all works (because it does not really run the login scripts to set the environment etc.). But I really need to use 'sesu -', since I need to have the environment set up for the command execution...

Is there any way to make things work so that it ignores all the welcome login messages during the 'sesu - <user>' operation?

smkr

Aug 31, 2015, 9:12:55 AM
to ansible...@googlegroups.com
On 08/31/2015 06:41 AM, damase...@gmail.com wrote:
> Thanks Brian - I didn't know that's possible (it is not documented in the
> default config file)

You are right on that one; however, the documentation does hint at constants.py
in the repo, so with that handy:

~/work/ansible/ansible-project $ fgrep -r "su_exe" .
./test/units/playbook/test_play_context.py: su_exe = C.DEFAULT_SU_EXE
./test/units/playbook/test_play_context.py: self.assertEqual(cmd, """%s -c '%s %s -c "%s -c '"'"'echo %s; %s'"'"'"'""" % (default_exe, su_exe, play_context.become_user, default_exe, play_context.success_key, default_cmd))
./lib/ansible/constants.py:DEFAULT_SU_EXE = get_config(p, DEFAULTS, 'su_exe', 'ANSIBLE_SU_EXE', 'su')
./lib/ansible/playbook/play_context.py: su_exe = ('ansible_su_exe',),
./lib/ansible/playbook/play_context.py: _su_exe = FieldAttribute(isa='string')
./lib/ansible/playbook/play_context.py: exe = self.become_exe or self.su_exe or 'su'

;)

--
Steve

Brian Coca

Aug 31, 2015, 10:18:05 AM
to Ansible Project
ansible avoids doing full logins on purpose to avoid things like that,
so adding - to the options will break.



--
Brian Coca

damase...@gmail.com

Aug 31, 2015, 10:49:48 AM
to Ansible Project
Steve,
yup, I found that later on as well - I was not used to reading source code to get 'documentation' - but am learning :-)

Brian,
ok, so what is the solution?

I need to run 'sesu -', otherwise the commands will not be executed properly, since they require the environment to be set up as per the target user...

Edgars

Sep 1, 2015, 3:59:39 AM
to Ansible Project
This works for me:

in ansible.cfg

[defaults]
ask_pass = True
su_exe = /opt/CA/AccessControl/bin/sesu
su_flags = -
executable = /bin/bash

[privilege_escalation]
become = True
become_ask_pass = True
become_user = root
become_method = su

In su_prompts.py add a new prompt:

SU_PROMPT_LOCALIZATIONS = [
    'Please enter your password',
    ...

If you don't have a sesu password, then perhaps you don't need to add a prompt, and also set become_ask_pass = False

Hope it helps
Edgars
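The two pieces this thread turns on, matching the su/sesu password prompt from su_prompts.py and recovering the module result that sits after the SUDO-SUCCESS marker when 'sesu -' has printed a login banner first, as an added Python example that is not Ansible's own code. The marker format and banner lines are taken from the output quoted earlier in the thread; the function names and the sample output are constructed for this example.

```python
import json
import re

# su/sesu password prompts recognised before sending the password; the last
# entry is the sesu prompt Edgars added in su_prompts.py (list is constructed).
SU_PROMPT_LOCALIZATIONS = [
    'Password',
    'Please enter your password',
]

# The success marker printed before the module result, as seen in the quoted
# run: SUDO-SUCCESS- followed by a random lowercase key on its own line.
SUCCESS_KEY_RE = re.compile(r'^SUDO-SUCCESS-[a-z0-9]+[ \t]*$', re.MULTILINE)


def is_su_prompt(line):
    """True when a line of remote output is a known su/sesu password prompt."""
    text = line.strip().rstrip(':')
    return any(text.startswith(p) for p in SU_PROMPT_LOCALIZATIONS)


def extract_module_result(stdout):
    """Parse the JSON module result that follows the success marker.

    Banner, MotD and profile output that 'sesu -' prints before the marker are
    discarded; ValueError if the marker or the JSON object after it is missing.
    """
    m = SUCCESS_KEY_RE.search(stdout)
    if not m:
        raise ValueError('success marker not found in remote output')
    for line in stdout[m.end():].splitlines():
        line = line.strip()
        if line.startswith('{'):   # trailing noise such as "logout" is skipped
            return json.loads(line)
    raise ValueError('no JSON result after success marker')


# Constructed sample modelled on the failing 'sesu -' run quoted in the thread.
SAMPLE_STDOUT = """\
*****************************************************************************
* blahblahblah....                                                          *
*****************************************************************************
Last login time was Aug 31 08:14 !!!
Good Morning my_real_user
Setting up the user_to_sesu environment...
SUDO-SUCCESS-kfpcgrtikenauccyjbtyasaltqglfhzx
{"changed": false, "ping": "pong"}
logout
"""

if __name__ == '__main__':
    print(extract_module_result(SAMPLE_STDOUT))  # {'changed': False, 'ping': 'pong'}
```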

damase...@gmail.com

Sep 1, 2015, 12:14:03 PM
to Ansible Project
hi Edgars,

thx for sharing - I guess the key issue I have now really is that ansible is not able to ignore the 'login messages' - they seem to be ignored for the 'remote user' (ansible '-u' parameter), but ansible is not able to ignore them when doing su (resp. sesu)... Which of the above do you think would specifically address this?

Martin

Edgars

Sep 1, 2015, 3:52:51 PM
to Ansible Project
Martin

Can you give an example of 'login messages'? Is it some banner or MotD? We also have a multi-line banner when users ssh in, and ansible works just fine. We just had a problem with the su prompt and had to add the sesu prompt in su_prompts.py.

Edgars

On Monday, 8 September 2014 14:53:46 UTC+2, Edgars wrote:

damase...@gmail.com

Sep 8, 2015, 7:58:14 AM
to Ansible Project
Hi Edgars,

apologies for the slow response - sure - you can actually see it in my post from Aug 31st. But here it is again:

*****************************************************************************
* blahblahblah....                                                          *
*****************************************************************************
Last login time was Aug 31 08:14 !!!
Good Morning my_real_user

Setting up the user_to_sesu environment...

You can also see above the exact output from ansible when I run the ping using sesu...

Indeed, I also have no problem when I run it directly - ansible is able to handle it. But when I do sudo (resp. sesu), the login messages are apparently fed into ansible and it tries to parse them. Any idea how to overcome this?
