Can't Use Standard become_method As Have To Use rootsh. Options?


Colin Anderson

Mar 10, 2016, 3:03:48 AM
to Ansible Project
Hi,

The central IT function at my company allows developers root access to a server for a short period of time to allow us to install any required middleware and application software when we are commissioning a server. I've been looking at using Ansible to automate this process to prevent user errors and make the process more efficient. The problem that I've run into is that they only allow root access using the following sudo call:

sudo rootsh -i -u root

This uses a logging shell wrapper, rootsh (man page), to log all terminal input and output for audit purposes. We can't change this and it means we can't use any of the standard become_methods that Ansible uses.

Is there any way of adding a become_method to Ansible that would call the above command instead of just sudo? Alternatively, is there any way of getting Ansible to run rootsh when it requests elevated privileges?

I did try the following in the vain hope that it might work, but as I feared, it failed:

site.yml:
---
- hosts: vagrant-servers
  become: yes
  become_user: root
  become_method: sudo rootsh -i -u root

  roles:
    - ansible-oracle-java-master


Play output:
vagrant@ansible-master:~$ ansible-playbook -i hosts site.yml

PLAY ***************************************************************************

TASK [setup] *******************************************************************
fatal: [10.10.1.4]: FAILED! => {"failed": true, "msg": "ERROR! Privilege escalation method not found: sudo rootsh -i -u root"}
fatal: [10.10.1.5]: FAILED! => {"failed": true, "msg": "ERROR! Privilege escalation method not found: sudo rootsh -i -u root"}
fatal: [10.10.1.6]: FAILED! => {"failed": true, "msg": "ERROR! Privilege escalation method not found: sudo rootsh -i -u root"}
fatal: [10.10.1.3]: FAILED! => {"failed": true, "msg": "ERROR! Privilege escalation method not found: sudo rootsh -i -u root"}

NO MORE HOSTS LEFT *************************************************************

PLAY RECAP *********************************************************************
10.10.1.3                  : ok=0    changed=0    unreachable=0    failed=1
10.10.1.4                  : ok=0    changed=0    unreachable=0    failed=1
10.10.1.5                  : ok=0    changed=0    unreachable=0    failed=1
10.10.1.6                  : ok=0    changed=0    unreachable=0    failed=1

vagrant@ansible-master:~$

Thanks,
Colin.

Brian Coca

Mar 10, 2016, 9:59:17 AM
to ansible...@googlegroups.com
You can try setting the sudo exe to 'sudo rootsh' and add -i as a sudo flag (though ansible tries to avoid login shells for good reasons).

Another option would be to set rootsh as the only available shell, then setting the executable setting to rootsh should also work.

----------
Brian Coca

Cristian Bratu

May 25, 2016, 11:23:27 AM
to Ansible Project
Hey Colin,

Have you had any luck with this? I'm running into some very similar issues. 

Thanks!

Holger Foerster

Oct 24, 2017, 9:11:15 AM
to Ansible Project
Here is my solution:

ansible_host:
egrep "^sudo_exe|^sudo_flags" /etc/ansible/ansible.cfg
sudo_exe = /tmp/ansible_wrapper
sudo_flags =

target_host:
cat /tmp/ansible_wrapper
#!/bin/sh
# Drop the "-u root" that Ansible prepends, then run the remaining
# command under rootsh. "$@" is quoted so the command stays one argument.
shift
shift
sudo /usr/bin/rootsh -u root -- "$@"

Playbook to create ansible_wrapper:
---
- hosts: target_host
  gather_facts: False
  become: no

  tasks:
  - name: create ansible_wrapper file ...
    copy:
      dest: /tmp/ansible_wrapper
      force: no
      content: |
        #!/bin/sh
        shift
        shift
        sudo /usr/bin/rootsh -u root -- "$@"

  - name: modify ansible_wrapper file ...
    file:
      path: /tmp/ansible_wrapper
      mode: "777"

Using the wrapper:
ansible target_host -a "id -a" -b --become-method=sudo
target_host | SUCCESS | rc=0 >>
uid=0(root) gid=0(root) groups=0(root)
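The wrapper above relies on two blind shifts, which only works because sudo_flags was cleared and become_user is root. The following is an added example, not Holger's script: a sudo_exe wrapper that parses the sudo-style argv Ansible builds ("[flags] -u USER COMMAND...") and hands the command to rootsh, so it keeps working with the default sudo_flags (-H -S -n) and with a non-root become_user. The /usr/bin/rootsh path and the "-- command" form are the ones used in the thread; the ROOTSH_DRY_RUN switch is an assumption added here so the argument handling can be checked on a machine without sudo or rootsh.

```shell
#!/bin/sh
# Added example wrapper for Ansible's sudo_exe setting (not the thread's own
# code). It consumes the options sudo would have received and execs the
# remaining command under rootsh, exactly once, with every argument intact.
# ROOTSH_DRY_RUN is an assumed switch: when set, the argv that would be
# exec'd is printed one element per line instead of being run.

rootsh_become() {
    user=root
    # Consume sudo options until the first non-option word (the command).
    while [ $# -gt 0 ]; do
        case "$1" in
            -u) user=$2; shift 2 ;;   # become_user
            -p) shift 2 ;;            # Ansible's custom password prompt: rootsh
                                      # has no equivalent, so it is dropped
            --) shift; break ;;
            -*) shift ;;              # -H, -S, -n, -E ...: not meaningful here
            *)  break ;;
        esac
    done
    [ $# -gt 0 ] || { echo "rootsh_become: no command given" >&2; return 2; }
    if [ -n "${ROOTSH_DRY_RUN:-}" ]; then
        # "$@" is quoted so the 'sh -c "echo BECOME-SUCCESS-...; ..."' body
        # Ansible passes stays a single argument instead of being word-split.
        printf '%s\n' sudo /usr/bin/rootsh -u "$user" -- "$@"
    else
        exec sudo /usr/bin/rootsh -u "$user" -- "$@"
    fi
}

# When installed as sudo_exe, Ansible runs this file with arguments; run them.
# With no arguments (for instance when sourced for testing) nothing happens.
if [ $# -gt 0 ]; then
    rootsh_become "$@"
fi
```

Install it with a restrictive mode (0755, writable only by its owner) rather than the 777 used in the thread, since whatever is in this file ends up running under sudo rootsh on behalf of the Ansible user, and point sudo_exe in ansible.cfg at it; sudo_flags can then stay at its default.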

Nirjas Jakilim

Apr 26, 2024, 10:43:52 AM
to Ansible Project
Hi, I have used the wrapper method, but it's giving me the privilege escalation timeout error:
Ansible Timeout (12s) waiting for privilege escalation prompt
Can you please tell me what you have used in the playbook after setting up the wrapper? Thanks.