Solaris and pfexec, not working?


Thomas Willert

Nov 12, 2015, 10:34:13 AM
to Ansible Project
Hi,
I am not able to get the "ping" modules working when using privilege escalation on Solaris 11.

I am using Ansible 1.9.4 from a CentOS 7.1 control machine:

$ ansible --version
ansible 1.9.4
  configured module search path = None
$ cat /etc/redhat-release
CentOS Linux release 7.1.1503 (Core)

Remote server 'server1' is Solaris 11.1:

-bash-4.1$ uname -a
SunOS dbservere4 5.11 11.1 sun4v sparc sun4v


On the remote server 'server1' the account used to establish the SSH connection has 'pfexec' privileges to become 'root':

-bash-4.1$ pfexec id
uid=0(root) gid=0(root)



Can someone help me understand why this is not working?

$ ANSIBLE_BECOME=True ANSIBLE_BECOME_METHOD=pfexec ansible server1 -m ping
server1 | FAILED => Internal Error: this module does not support running commands via pfexec


Thanks,
Thomas

Brian Coca

Nov 13, 2015, 1:56:09 AM
to Ansible Project
1.9 had a skeleton for pfexec support but we never got to test it, it
is now available in 2.0 which is current devel and close to release.

If you really want to test with 1.9, you need to update the following
in the ssh.py or paramiko_ssh.py connection plugin (whichever you are
using).

self.become_methods_supported=['sudo', 'su', 'pbrun']

should look like:

self.become_methods_supported=['sudo', 'su', 'pbrun', 'pfexec']

--
Brian Coca

Thomas Willert

Nov 13, 2015, 4:12:48 AM
to Ansible Project
Hi Brian,
thanks for the 'pfexec' hints. I tried both changing my Ansible 1.9 files and also tried using Ansible 2.0.0 0.4.beta2. The error messages I now get are similar although not quite identical. They both contain "No such file or directory":

Ansible 1.9.4
-------------

[willert@ws-willert ~]$ ANSIBLE_BECOME=True ANSIBLE_BECOME_METHOD=pfexec ansible dbservere4 -m ping -vvvv
<dbservere4> ESTABLISH CONNECTION FOR USER: willert
<dbservere4> REMOTE_MODULE ping
<dbservere4> EXEC ssh -C -tt -vvv -o ControlMaster=auto -o ControlPersist=60s -o ControlPath="/home/willert/.ansible/cp/ansible-ssh-%h-%p-%r" -o StrictHostKeyChecking=no -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 dbservere4 /bin/sh -c 'mkdir -p /tmp/.ansible/tmp/ansible-tmp-1447400745.5-223125700098523 && chmod a+rx /tmp/.ansible/tmp/ansible-tmp-1447400745.5-223125700098523 && echo /tmp/.ansible/tmp/ansible-tmp-1447400745.5-223125700098523'
<dbservere4> PUT /tmp/tmpXcrm98 TO /tmp/.ansible/tmp/ansible-tmp-1447400745.5-223125700098523/ping
<dbservere4> EXEC ssh -C -tt -vvv -o ControlMaster=auto -o ControlPersist=60s -o ControlPath="/home/willert/.ansible/cp/ansible-ssh-%h-%p-%r" -o StrictHostKeyChecking=no -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 dbservere4 /bin/sh -c 'pfexec "'"'"'echo BECOME-SUCCESS-tnjzhxjycfjdyelcvpbxjdjxndkcfkfo; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /tmp/.ansible/tmp/ansible-tmp-1447400745.5-223125700098523/ping; rm -rf /tmp/.ansible/tmp/ansible-tmp-1447400745.5-223125700098523/ >/dev/null 2>&1'"'"'"'
dbservere4 | FAILED >> {
    "failed": true,
    "msg": "'echo BECOME-SUCCESS-tnjzhxjycfjdyelcvpbxjdjxndkcfkfo; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /tmp/.ansible/tmp/ansible-tmp-1447400745.5-223125700098523/ping; rm -rf /tmp/.ansible/tmp/ansible-tmp-1447400745.5-223125700098523/ >/dev/null 2>&1': No such file or directory\r\nOpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013\r\ndebug1: Reading configuration data /home/willert/.ssh/config\r\ndebug1: /home/willert/.ssh/config line 1: Applying options for *\r\ndebug1: Reading configuration data /etc/ssh/ssh_config\r\ndebug1: /etc/ssh/ssh_config line 56: Applying options for *\r\ndebug1: auto-mux: Trying existing master\r\ndebug2: fd 3 setting O_NONBLOCK\r\ndebug2: mux_client_hello_exchange: master version 4\r\ndebug3: mux_client_forwards: request forwardings: 0 local, 0 remote\r\ndebug3: mux_client_request_session: entering\r\ndebug3: mux_client_request_alive: entering\r\ndebug3: mux_client_request_alive: done pid = 3625\r\ndebug3: mux_client_request_session: session request sent\r\ndebug1: mux_client_request_session: master session id: 2\r\ndebug3: mux_client_read_packet: read header failed: Broken pipe\r\ndebug2: Received exit status from master 1\r\nShared connection to dbservere4 closed.\r\n",
    "parsed": false


Ansible 2.0.0 0.4.beta2
-----------------------

$ ANSIBLE_BECOME=True ANSIBLE_BECOME_METHOD=pfexec ansible dbservere4 -m ping -vvvv
Using /home/willert/.ansible.cfg as config file
Loaded callback minimal of type stdout, v2.0
<dbservere4> ESTABLISH SSH CONNECTION FOR USER: None
<dbservere4> SSH: EXEC ssh -C -vvv -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/home/willert/.ansible/cp/ansible-ssh-%h-%p-%r -tt dbservere4 (umask 22 && mkdir -p "$(echo /tmp/.ansible/tmp/ansible-tmp-1447405023.72-289756827788)" && echo "$(echo /tmp/.ansible/tmp/ansible-tmp-1447405023.72-289756827788)")
<dbservere4> PUT /tmp/tmpUF3jFS TO /tmp/.ansible/tmp/ansible-tmp-1447405023.72-289756827788/ping
<dbservere4> SSH: EXEC sftp -b - -C -vvv -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/home/willert/.ansible/cp/ansible-ssh-%h-%p-%r [dbservere4]
<dbservere4> ESTABLISH SSH CONNECTION FOR USER: None
<dbservere4> SSH: EXEC ssh -C -vvv -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/home/willert/.ansible/cp/ansible-ssh-%h-%p-%r -tt dbservere4 /bin/sh -c 'pfexec  "'"'"'echo BECOME-SUCCESS-bodchmhbolxfaduxknexdrmbouogwbjj; LANG=en_US.UTF-8 LC_ALL=en_US.UTF-8 LC_MESSAGES=en_US.UTF-8 /usr/bin/python /tmp/.ansible/tmp/ansible-tmp-1447405023.72-289756827788/ping; rm -rf "/tmp/.ansible/tmp/ansible-tmp-1447405023.72-289756827788/" > /dev/null 2>&1'"'"'"'
dbservere4 | FAILED! => {
    "changed": false,
    "failed": true,
    "invocation": {
        "module_args": {},
        "module_name": "ping"
    },
    "msg": "'echo BECOME-SUCCESS-bodchmhbolxfaduxknexdrmbouogwbjj; LANG=en_US.UTF-8 LC_ALL=en_US.UTF-8 LC_MESSAGES=en_US.UTF-8 /usr/bin/python /tmp/.ansible/tmp/ansible-tmp-1447405023.72-289756827788/ping; rm -rf /tmp/.ansible/tmp/ansible-tmp-1447405023.72-289756827788/ > /dev/null 2>&1': No such file or directory\r\nOpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013\r\ndebug1: Reading configuration data /home/willert/.ssh/config\r\ndebug1: /home/willert/.ssh/config line 1: Applying options for *\r\ndebug1: Reading configuration data /etc/ssh/ssh_config\r\ndebug1: /etc/ssh/ssh_config line 56: Applying options for *\r\ndebug1: auto-mux: Trying existing master\r\ndebug2: fd 3 setting O_NONBLOCK\r\ndebug2: mux_client_hello_exchange: master version 4\r\ndebug3: mux_client_forwards: request forwardings: 0 local, 0 remote\r\ndebug3: mux_client_request_session: entering\r\ndebug3: mux_client_request_alive: entering\r\ndebug3: mux_client_request_alive: done pid = 6655\r\ndebug3: mux_client_request_session: session request sent\r\ndebug1: mux_client_request_session: master session id: 2\r\ndebug3: mux_client_read_packet: read header failed: Broken pipe\r\ndebug2: Received exit status from master 1\r\nShared connection to dbservere4 closed.\r\n",
    "parsed": false
}



Trying to decipher the error message it seems like a file access problem? If I read the output correctly the "rm -rf" cannot find the directory to recursively remove? Logging into the remote Solaris server the exact same directory and files are there?

-bash-4.1$ ls -ld /tmp/.ansible \
> /tmp/.ansible/tmp \
> /tmp/.ansible/tmp/ansible-tmp-1447405023.72-289756827788 \
> /tmp/.ansible/tmp/ansible-tmp-1447405023.72-289756827788/ping

drwxr-xr-x   3 willert  unixadm      177 Nov 13 08:44 /tmp/.ansible
drwxr-xr-x   7 willert  unixadm      603 Nov 13 09:57 /tmp/.ansible/tmp
drwxr-xr-x   2 willert  unixadm      178 Nov 13 09:57 /tmp/.ansible/tmp/ansible-tmp-1447405023.72-289756827788
-rw-------   1 willert  unixadm    72874 Nov 13 09:57 /tmp/.ansible/tmp/ansible-tmp-1447405023.72-289756827788/ping


I have set "remote_tmp" to "/tmp/.ansible/tmp" on the control machine.

Does anyone have an idea of what's going wrong here?

/ Thomas
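
In both -vvvv traces above, the remote shell hands pfexec the whole payload as one quoted word, and the error text names that entire string (single quotes included) as the missing file. The sketch below is an added illustration, not part of the original posts and not Ansible's code; `fake_pfexec`, the sample payload and the `FIXED` form are assumptions standing in for pfexec, the real module command and a form pfexec can exec.

```shell
#!/bin/sh
# Added illustration; not Ansible code. Runs offline with no Solaris host.

# Constructed stand-in for the module command Ansible wants to run as root.
PAYLOAD='echo BECOME-SUCCESS-demo; LANG=C echo module-ran'

# Command line as the remote shell sees it in the failing -vvvv output:
# the payload, single quotes included, sits inside double quotes.
LOGGED="pfexec \"'$PAYLOAD'\""

# Assumed alternative: give pfexec a real program (/bin/sh) plus arguments.
FIXED="pfexec /bin/sh -c '$PAYLOAD'"

# Stand-in for pfexec (assumption): execs its first argument directly,
# with no shell parsing of that argument.
fake_pfexec() { ( exec "$@" ); }

# Number of words the remote shell produces from a command line.
# eval is used only on the constructed strings above.
count_words() { eval "set -- $1"; echo "$#"; }

# Tokenize like the remote shell, drop the literal "pfexec", run the stand-in.
run_words() { eval "set -- $1"; shift; fake_pfexec "$@"; }

# Show word count, exit status and output for both forms.
for line in "$LOGGED" "$FIXED"; do
    rc=0
    out=$(run_words "$line" 2>&1) || rc=$?
    printf 'words=%s rc=%s\n%s\n\n' "$(count_words "$line")" "$rc" "$out"
done
```

The logged form yields two words and a "not found" failure because the second word is looked up as a program name; the four-word form runs the payload through a shell.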

Brian Coca

Nov 13, 2015, 11:11:10 AM
to Ansible Project
does ping work w/o pfexec?



--
Brian Coca

Thomas Willert

Nov 16, 2015, 2:35:25 AM
to Ansible Project
Yes, ping works fine without the Privilege Escalation "pfexec":

[willert@localhost ~]$ ansible dbservere4 -m ping -vvvv
Using /home/willert/.ansible.cfg as config file
Loaded callback minimal of type stdout, v2.0
<dbservere4> ESTABLISH SSH CONNECTION FOR USER: None
<dbservere4> SSH: EXEC ssh -C -vvv -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/home/willert/.ansible/cp/ansible-ssh-%h-%p-%r -tt dbservere4 (umask 22 && mkdir -p "$(echo /tmp/.ansible/tmp/ansible-tmp-1447659206.06-120147812768677)" && echo "$(echo /tmp/.ansible/tmp/ansible-tmp-1447659206.06-120147812768677)")
<dbservere4> PUT /tmp/tmprmOes7 TO /tmp/.ansible/tmp/ansible-tmp-1447659206.06-120147812768677/ping
<dbservere4> SSH: EXEC sftp -b - -C -vvv -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/home/willert/.ansible/cp/ansible-ssh-%h-%p-%r [dbservere4]
<dbservere4> ESTABLISH SSH CONNECTION FOR USER: None
<dbservere4> SSH: EXEC ssh -C -vvv -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/home/willert/.ansible/cp/ansible-ssh-%h-%p-%r -tt dbservere4 LANG=en_US.UTF-8 LC_ALL=en_US.UTF-8 LC_MESSAGES=en_US.UTF-8 /usr/bin/python /tmp/.ansible/tmp/ansible-tmp-1447659206.06-120147812768677/ping; rm -rf "/tmp/.ansible/tmp/ansible-tmp-1447659206.06-120147812768677/" > /dev/null 2>&1
dbservere4 | SUCCESS => {
    "changed": false,
    "invocation": {
        "module_args": {},
        "module_name": "ping"
    },
    "ping": "pong"
}



/ Thomas

Thomas Willert

Nov 16, 2015, 2:40:17 AM
to Ansible Project
Sorry, the example without using "pfexec" was with Ansible 2:
[willert@localhost ~]$ ansible --version
ansible 2.0.0
  config file = /home/willert/.ansible.cfg
  configured module search path = None


/ Thomas


On Friday, November 13, 2015 at 5:11:10 PM UTC+1, Brian Coca wrote: