Using sudosh instead of just sudo


Darren Johnson

Sep 3, 2014, 12:32:21 PM
to ansible...@googlegroups.com
I am trying to meet a corporate requirement wherein ansible's actions are recorded by sudosh on each server it touches.  I tried changing "executable" from /bin/sh to /usr/bin/sudosh, but sudosh doesn't have the corresponding -c parameter (it has one, but with different meaning).  I tried making ansible's login shell be /usr/bin/sudosh.  That works for non-sudo operations--I can ls /tmp and that works.  However, if I try to sudo from the sudosh shell, I get the following error:

...isn't allowed to be executed with process or redirect controls.

I don't see a lot of information on this particular error in the context of sudo/sh. 

Is it even feasible/possible to do what I'm trying to do?

Thanks...

Darren

Michael DeHaan

Sep 3, 2014, 3:15:06 PM
to ansible...@googlegroups.com
Hi Darren,

Hmm.... so yeah if http://docs.ansible.com/intro_configuration.html#sudo-exe does not help, it seems we need to have another setting that if set adds the "-c", so it can be removed.

Maybe this would work if it were tunable?

I believe this would be easy to implement.

Something like "base_sudo_flags=-c" # etc 

and you could remove it...

--Michael


--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
To post to this group, send email to ansible...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/8c7ebddc-c541-4718-ab7b-36fd9c0ec2b5%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Darren Johnson

Sep 9, 2014, 5:39:04 PM
to ansible...@googlegroups.com
So I separated out the sudosh from the sudo.  Having sudosh as a login shell works and records like it should, so I don't think you need to have another setting. 

This works:
ansible myserver -a "ls /tmp" and so does this:  ansible myserver -a "sudo ls /tmp"

This doesn't:
ansible myserver -a "ls /tmp" --sudo

That is where I get the redirection error.

Darren

Craig Wickesser

Nov 5, 2014, 5:20:36 AM
to ansible...@googlegroups.com
I have a similar requirement. Most operations are locked down to root, so I can SSH to a host as myself and then "sudo sudosh" to become root and do what I need. Is it possible to do this with Ansible?

For example, as myself I can't check the status of docker (running "service docker status" returns "docker status unknown due to insufficient privileges").

I've tried using combinations of "remote_user", "sudo" and "sudo_user" without luck; ansible hangs b/c it's trying to do "sudo ..." which I can't do (I have to "sudo sudosh", then I can run things). I could possibly have changes made to /etc/sudoers to allow my user to be able to "sudo" certain commands, but I'm not sure which commands I'd need to enable.

Thanks in advance for any help.

Nicholas Nezis

Mar 15, 2017, 10:27:28 PM
to Ansible Project
Was there ever a resolution to this? I'm in a similar situation in which I can only switch to root using "sudo sudosh" or "sudo -s".  I've tried using "become_flags: '-s'", but with no luck. Am I missing something else?

Nicholas Nezis

Mar 15, 2017, 10:27:37 PM
to Ansible Project
Was there ever a resolution to this? I'm running into the same issue. "sudo sudosh" is my only option for privilege escalation.

Thanks,
Nick


On Wednesday, November 5, 2014 at 5:20:36 AM UTC-5, Craig Wickesser wrote:

Craig Wickesser

Mar 16, 2017, 6:37:12 AM
to ansible...@googlegroups.com
Nick - the only thing that ended up working for us was to add the commands we needed to run to /etc/sudoers (I believe that's the correct place). That was very painful and annoying.

We ended up switching to Salt.

Good luck!


Nicholas Nezis

Mar 16, 2017, 9:48:18 PM
to Ansible Project
Looks like this might solve my issue. https://github.com/ansible/ansible/issues/22718#issuecomment-287193691

Set "executable" in the ansible.cfg to "sudosh"

I'll have to try it tomorrow at work.

Nicholas Nezis

Mar 21, 2017, 7:50:29 AM
to Ansible Project
I wasn't successful. Not sure if you can run commands in conjunction with the privilege escalation. With "sudo sudosh" you have to completely switch to root, and then run your commands.

clifford...@onyxpoint.com

Jun 19, 2018, 12:22:24 PM
to Ansible Project
Did you ever get a resolution on this?

Nicholas Nezis

Jul 3, 2018, 4:49:17 PM
to ansible...@googlegroups.com
No. Sorry.
