sudo and change user


Nikos Skalis

Nov 17, 2017, 11:17:15 AM
to Ansible Project
Could you please advise how

    usera@serverX:~> sudo su - userb
    Last login: Fri Nov 17 15:46:48 CET 2017 on pts/1
    -bash-4.2$

(note that no password was requested above)

translates into Ansible?


More specifically, I would like to log in to Linux server X as `usera`, then become `userb` (with the command above), and then execute all the tasks defined in the playbook as `userb`.

The following are configuration options in `ansible.cfg`:

    sudo_user      = root
    #ask_sudo_pass = True
    #ask_pass      = True
    #remote_user = root
    #become=True
    #become_method=sudo
    #become_user=root
    #become_ask_pass=False

I am having trouble understanding the difference between the above configuration options.

Niko

Moreno Garcia

Nov 17, 2017, 6:40:30 PM
to Ansible Project
I think you are looking for become_user

Moreno Garcia

Nov 17, 2017, 6:41:19 PM
to Ansible Project

    - name: Run a command as the userb user
      command: somecommand
      become: true
      become_user: userb

On Friday, November 17, 2017 at 2:17:15 PM UTC-2, Nikos Skalis wrote:

Nikos Skalis

Nov 18, 2017, 5:41:44 AM
to ansible...@googlegroups.com
As there is no password prompt, and "usera" is not a sudoer, the below will not work.

`sudo su - userb` is achievable because of PAM auth (meaning LDAP).
I believe that it is impossible for this issue to be resolved at the playbook level.

I am trying to experiment with `-vvvv` and the options below, but without much luck.

`sudo_flags` has been set to `-H`

Here is some documentation:

sudo_user = 
the default user to sudo to

ask_sudo_pass = 
this controls whether an Ansible playbook should prompt for a sudo password by default when sudoing

ask_pass = 
controls whether an Ansible playbook should prompt for a password by default

remote_user = 
This is the default username ansible will connect as for /usr/bin/ansible-playbook. Note that /usr/bin/ansible will always default to the current user if this is not defined

become = 
The equivalent of adding sudo: or su: to a play or task, set to true/yes to activate privilege escalation.

become_method = 
Set the privilege escalation method. The default is sudo, other options are su, pbrun, pfexec, doas, ksu

become_user = 
The equivalent to ansible_sudo_user or ansible_su_user, allows you to set the user you become through privilege escalation.

become_ask_pass = 
Ask for privilege escalation password, the default is False

sudo_flags = 
Note that ‘-n’ will conflict with using password-less sudo auth, such as pam_ssh_agent_auth


