Copy file with sudo; sudo /bin/sh not allowed


Nicola Apicella

Sep 28, 2018, 12:36:32 PM
to Ansible Project
Hi, 

I am sorry for the newbie question. I've just started looking into Ansible, but I did not find any info in the docs or anywhere else that could help me find a resolution.
I have a bunch of hosts on which I have sudo access.
>sudo whoami
root

But I do not have permission to run
> sudo /bin/sh -c echo "Hello!"
Sorry, user some-user is not allowed to execute '/bin/sh -c echo Hello world' as root on blabahost.

This is blocking me from executing a simple playbook which copies files under /etc/yum.repos.d.
The playbook looks like this:

---
- name: test-pl
  hosts: blablahost

  tasks:
  - name: test
    become: yes
    become_method: sudo
    copy:
      content: ""
      dest: /etc/yum.repos.d/a
      force: no
      group: root
      owner: root
      mode: 0555

The error I get is basically the same one mentioned above. My user is not allowed to execute /bin/sh as root.

blablahost | FAILED! => {
    "changed": false, 
    "module_stderr": "Shared connection to blablahost closed.\r\n", 
    "module_stdout": "\r\nSorry, user some-user is not allowed to execute '/bin/sh -c echo BECOME-SUCCESS-rhzefxcamynrooqcpyqppdiqvzlqbmyt; /usr/bin/python /home/some-user/.ansible/tmp/ansible-tmp-1538151353.33-57836367165837/command.py' as root on blablahost.\r\n", 
    "msg": "MODULE FAILURE", 
    "rc": 1
}

The problem could be fixed if Ansible allowed starting the shell as a normal user and then running the copy command with sudo.
Basically, avoiding executing /bin/sh as root.
Are you aware of a workaround for this case? Or am I missing something?


Thanks in advance.
-Nicola





Brian Coca

Sep 28, 2018, 12:43:11 PM
to Ansible Project

Karthik Chandrashekar

Sep 28, 2018, 1:08:28 PM
to Ansible Project
What is the username you are trying to connect as?

Nicola Apicella

Sep 28, 2018, 1:25:08 PM
to Ansible Project
Unfortunately this is not an option for me :/

Thanks,
Nicola

Brian Coca

Sep 28, 2018, 1:26:52 PM
to Ansible Project
You might want to look at using ansible-pull from cron then.



--
----------
Brian Coca

Nicola Apicella

Sep 28, 2018, 1:28:44 PM
to Ansible Project
I am running the playbook without specifying a user:

ansible-playbook --ask-become-pass -vvv test-playbook

Running the command with -u flag does not change the error:

ansible-playbook -u napicella --ask-become-pass -vvv test-playbook

where napicella is a user on both the local machine and the remote one.

Nicola Apicella

Sep 28, 2018, 1:32:01 PM
to Ansible Project
Interesting. Thanks Brian

Karthik Chandrashekar

Sep 28, 2018, 1:32:25 PM
to Ansible Project
Well, has that user been given sudo rights on the remote machine? If so, could you check whether you are able to log in as that user and execute the same task manually without Ansible?

Nicola Apicella

Sep 28, 2018, 1:39:24 PM
to Ansible Project
It does have sudo access, but it is restricted, namely it cannot exec /bin/sh.
So if I do:
napicella@localhost > ssh blablahost
napicella@blalahost> sudo cp /tmp/a  > /etc/yum.repos.d/a 

This works as expected; what does not work is:

napicella@blalahost> sudo /bin/bash -c 'cp /tmp/a  > /etc/yum.repos.d/a'
Sorry user napicella is not allowed to execute /bin/bash .....

which appears to be exactly what Ansible does when the become property is set in the playbook task.

Nicola Apicella

Sep 28, 2018, 1:43:29 PM
to Ansible Project
As @BrianCoca mentioned, I am afraid I need unrestricted sudo access to run Ansible.
It might be just me, but I do not quite get it.

Matt Martz

Sep 28, 2018, 1:53:07 PM
to ansible...@googlegroups.com
Generally speaking, Ansible does not run many shell commands to perform these actions. Instead, many modules rely on executing Python code that will achieve your goal.

As such, restricting sudo to something like `cp` can't work for the `copy` module.

Instead we run something more like `sudo /bin/sh -c '/usr/bin/python /path/to/some/temp/python/script.py'`

You *can* achieve results similar to what you want, by severely restricting yourself to only using the raw/command/shell modules like:

- command: sudo cp foo bar

It isn't really recommended to do this, as it doesn't support password prompting, and you lose a lot of additional functionality provided by the other ansible modules.

Also, let me pose this question: how is allowing `sudo cp` more secure? I would assume most configurations would allow: sudo cp give_me_access_sudoers /etc/sudoers

I'd recommend talking to the person responsible for your sudoers configuration.




--
Matt Martz
@sivel
sivel.net
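To make Matt's point concrete, here is an added illustration (not Ansible's code and not from anyone in this thread) that models the command shape Ansible runs under sudo, as seen in the error message earlier in the thread, against a simplified sudoers allow-list. The BECOME token and paths are constructed, and the sudoers decision is simplified to an exact command-path match with no argument matching.

```python
"""Why a sudoers rule that permits only /bin/cp cannot satisfy Ansible's become
wrapper, and why such a rule is not a real restriction anyway.
Added illustration, not Ansible's code: the wrapper shape is taken from the
error message in this thread; the token and paths are constructed; the
sudoers check is simplified (exact path match, no argument matching)."""
import shlex
from typing import List


def ansible_become_command(module_path: str, python: str = "/usr/bin/python",
                           token: str = "BECOME-SUCCESS-constructedtoken") -> List[str]:
    """argv that sudo is asked to run for a module: /bin/sh -c 'echo TOKEN; python module'."""
    return ["/bin/sh", "-c", f"echo {token}; {python} {module_path}"]


def sudo_rule_permits(allowed_cmds: List[str], argv: List[str]) -> bool:
    """Simplified sudoers decision: 'ALL' permits anything, otherwise argv[0]
    must exactly match an allowed command path."""
    return "ALL" in allowed_cmds or argv[0] in allowed_cmds


# Commands that, when allowed with arbitrary arguments, can overwrite any file
# as root, including /etc/sudoers (the point Matt raises above).
ARBITRARY_WRITE_CMDS = {"/bin/cp", "/bin/mv", "/usr/bin/tee"}


def effectively_unrestricted(allowed_cmds: List[str]) -> bool:
    """Audit helper: flag an allow-list that amounts to full root in practice."""
    return "ALL" in allowed_cmds or any(c in ARBITRARY_WRITE_CMDS for c in allowed_cmds)


if __name__ == "__main__":
    restricted = ["/bin/cp"]  # constructed: resembles the thread's restricted sudo
    become = ansible_become_command("/home/some-user/.ansible/tmp/command.py")
    print("sudo", " ".join(shlex.quote(a) for a in become))
    print("copy module via become permitted:", sudo_rule_permits(restricted, become))  # False
    print("'command: sudo cp foo bar' permitted:",
          sudo_rule_permits(restricted, ["/bin/cp", "foo", "bar"]))  # True
    print("allow-list effectively unrestricted:", effectively_unrestricted(restricted))  # True
```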

Karthik Chandrashekar

Sep 28, 2018, 1:56:23 PM
to Ansible Project
Can you try to change your playbook a little bit?

Just below hosts, mention:

remote_user: < username >

Remove the become_method option (I assume you are using Ansible version >= 1.9).

I don't think Ansible in the backend uses the syntax below for any task executions as root:

sudo /bin/bash -c 'cp /tmp/a  > /etc/yum.repos.d/a'

Nicola Apicella

Sep 28, 2018, 2:25:24 PM
to Ansible Project
Hi, thanks for the answer.
I agree with you that using only command is a severe restriction and it kinda misses the point of using Ansible.
As for the question about restricting access, well, great question.

It is more secure, because the sudoers file is generated and kept in sync by a daemon running on the host.
By changing the file, you get unrestricted access for a short time, after which the daemon will override the content.
Stopping the daemon basically cuts the host off from the system.

This is my understanding of how things work, but I am not a system engineer and definitely not an expert. 

Nicola Apicella

Sep 28, 2018, 2:26:25 PM
to Ansible Project
I tried, same result.
Thanks!

Nicola Apicella

Sep 28, 2018, 2:44:12 PM
to Ansible Project
...but I am not sure why restricting shell from sudo is a security measure.
Gotta investigate that.  

Nicola Apicella

Sep 28, 2018, 3:02:53 PM
to Ansible Project
I think I got it.
Not restricting the shell allows the user to run sudo /bin/sh first and then run whatever the user wants, including sudo su.

Brian Coca

Sep 28, 2018, 3:21:01 PM
to Ansible Project
That is not really a security restraint, as `sudo -u` is equivalent to `sudo su`. Agreed that /bin/shell will give you 'unrestricted commands', but that is normally the requirement if you are going to manage a server.
----------
Brian Coca

Nicola Apicella

Sep 28, 2018, 3:32:27 PM
to Ansible Project
Right. Thanks for taking the time. Much appreciated!