Making use of Ansible Privilege Escalation


Aneesh Joseph

May 28, 2015, 8:04:42 AM
to ansible...@googlegroups.com
I'm trying to find the equivalent of

ansible dev -a "/opt/pb/bin/pbrun su tomcat -c echo hi" -u aneesh

(this works)

I tried with

ansible dev -a "echo hi" -u aneesh --become-user=tomcat --become-method=pbrun -b

but it gave me the response

   "failed": true,
    "msg": "/bin/sh: pbrun: command not found\r\nOpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013\ndebug1: Reading configuration data /etc/ssh/ssh_config\r\ndebug1: Applying options for *\r\ndebug1: auto-mux: Trying existing master\r\ndebug1: mux_client_request_session: master session id:................

so I moved pbrun on the dev host to /bin/pbrun, and now it shows the error

   "failed": true,
    "msg": "usage: pbrun [-D level] -h | -K | -k | -V\r\nusage: pbrun -v [-AknS] [-D level] [-g groupname|#gid] [-p prompt] [-u user\r\n             name|#uid]\r\nusage: pbrun -l[l] [-AknS] [-D level] [-g groupname|#gid] [-p prompt] [-U user\r\n             name] [-u user name|#uid] [-g groupname|#gid] [command]\r\n.......

Any idea how I can get this working?

Basically this is what I'm trying to do:

ansible@ansible> ssh aneesh@dev
aneesh@dev> pbrun su tomcat
tomcat@dev> echo hi

Thanks,
Aneesh

Brian Coca

May 28, 2015, 8:27:55 AM
to ansible...@googlegroups.com
ansible cannot chain privilege escalation methods, it can either use
pbrun or su, but not both. pbrun should be able to allow you to
execute all commands as a user w/o needing su.

--
Brian Coca

Aneesh Joseph

Jun 3, 2015, 10:27:13 PM
to ansible...@googlegroups.com
Thanks Brian :)
I do have access to execute certain sudo commands without chaining privilege escalation methods.

sudo -l
gives me a list of what I can execute.

But Ansible seems to be executing something other than this. For example, I get the below error while running a playbook which has 'sudo: yes' set:

PLAY [ui] *********************************************************************

GATHERING FACTS ***************************************************************
fatal: [myhost] => Missing become password


Is there a way to find out what sudo command is being executed in the background?

Thanks,
Aneesh

Brian Coca

Jun 3, 2015, 10:52:49 PM
to ansible...@googlegroups.com
Use -vvvv to show the exact things being run. The message you are seeing implies you need to provide a sudo password.

Aneesh Joseph

Jun 4, 2015, 1:02:16 AM
to ansible...@googlegroups.com
Thanks for the very quick response Brian.

I see that it's trying to execute

sudo -k && sudo -H -S -p "[sudo via ansible, key=abcdefghijk] password: " -u root /bin/sh -c '"'"'echo BECOME-SUCCESS-abcdefghijk; LANG=C LC_CTYPE=C /usr/bin/python /home/aneesh/.ansible/tmp/ansible-tmp-1433392081.2-227386081264121/setup; rm -rf /home/aneesh/.ansible/tmp/ansible-tmp-1433392081.2-227386081264121/ >/dev/null 2>&1'"'"


Is there a way to make Ansible use /bin/bash instead of /bin/sh?

sudo -l

tells me that I have

(root) NOPASSWD: /bin/bash

So I'm guessing that it should work if I'm able to change the shell using some config?

benno joy

Jun 4, 2015, 1:08:22 AM
to ansible...@googlegroups.com
Try setting 'sudo_exe=/bin/bash' in ansible.cfg or export ANSIBLE_SUDO_EXE=/bin/bash in your CLI and then running the playbook.

Usually /bin/sh is a link to /bin/bash on CentOS/RHEL systems.

- Benno

Aneesh Joseph

Jun 4, 2015, 1:16:52 AM
to ansible...@googlegroups.com
Thanks Benno,
I hope you meant setting 'executable = /bin/bash' in ansible.cfg?

- Aneesh

benno joy

Jun 4, 2015, 1:32:29 AM
to ansible...@googlegroups.com
Ohh sorry, yes, the variable I mentioned is used to change the 'sudo' binary.

- Benno


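To show why the 'Missing become password' error appears and why 'executable = /bin/bash' fixes it, here is an added illustration that is not code from the thread or from Ansible: it reads the become shell from a constructed ansible.cfg, parses a constructed `sudo -l` listing (only the '(root) NOPASSWD: /bin/bash' line comes from the thread; the header and systemctl lines are made up), and reports whether sudo would start that shell as root without prompting. The [defaults] section name and the 'executable' key are assumed from the thread's fix.

```python
import configparser
import re
import shlex

# Constructed ansible.cfg reflecting the thread's fix. The [defaults] key
# 'executable' selects the shell Ansible hands to sudo; the 'sudo_exe' key
# mentioned in the thread would change the sudo binary itself instead.
ANSIBLE_CFG_FIXED = "[defaults]\nexecutable = /bin/bash\n"
ANSIBLE_CFG_DEFAULT = "[defaults]\n"  # executable falls back to /bin/sh

# Constructed `sudo -l` output; only the '/bin/bash' line comes from the thread.
SUDO_L_OUTPUT = """\
User aneesh may run the following commands on dev:
    (root) NOPASSWD: /bin/bash
    (root) /usr/bin/systemctl restart tomcat
"""

# One `sudo -l` entry per line: "(runas) [TAG: ...] command [args]".
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*)$")


def become_executable(cfg_text: str) -> str:
    """Shell Ansible will pass to `sudo ... -u root <executable> -c '...'`."""
    cp = configparser.ConfigParser()
    cp.read_string(cfg_text)
    return cp.get("defaults", "executable", fallback="/bin/sh")


def parse_sudo_l(text: str) -> list:
    """Return (runas users, NOPASSWD flag, command path) per `sudo -l` entry."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        runas = [u.strip() for u in m.group("runas").split(":")[0].split(",")]
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        cmd = m.group("cmd").strip()
        path = cmd if cmd == "ALL" else shlex.split(cmd)[0]
        rules.append((runas, "NOPASSWD" in tags, path))
    return rules


def runs_without_password(cfg_text: str, sudo_l_text: str, become_user: str = "root") -> bool:
    """True only if sudo will start the become shell as become_user without a
    password prompt. In every other case (a non-NOPASSWD match, or no matching
    entry at all) sudo prompts, which Ansible reports as 'Missing become password'."""
    exe = become_executable(cfg_text)
    for runas, nopasswd, path in parse_sudo_l(sudo_l_text):
        if become_user not in runas and "ALL" not in runas:
            continue
        if path in ("ALL", exe):
            return nopasswd
    return False
```

Run with ANSIBLE_CFG_DEFAULT the check fails because /bin/sh is not in the NOPASSWD list, which is exactly the situation the playbook hit; with ANSIBLE_CFG_FIXED it passes.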

Aneesh Joseph

Jun 4, 2015, 2:57:32 AM
to ansible...@googlegroups.com
Thank you Benno and Brian,

that worked perfectly :-)

- Aneesh