how to handle user prompt in privilege escalation


hitesh shaha

Mar 15, 2019, 1:45:02 AM3/15/19
to Ansible Project
Hi Team,

We have developed a playbook for Oracle backup, but we are having a big roadblock using privilege escalation.
We are using the become_user method for privilege escalation, but in our env, for security reasons, the Unix team has added a script which prompts for a ticket number after switching user.
So how can I handle this in the become_user method?

Existing setup in my env.

Login to the Red Hat server using my personal id

username:hitesh
..
..connected.

linux>dzdo su - oracle
Please enter ticket number: INC00000

connected..


Below is the code which I have developed.

- name: Get oracle user from oracledb
  shell: ps -ef | grep pmon | grep -v 'grep' | grep {{ db_list[0] }} | awk '{print $1}'
  register: oracleuser

- name: Get the oracle_group
  shell: id -gn "{{ oracleuser.stdout_lines[0] }}"
  register: oraclegroup

- name: create permafrost directory
  file:
    path: /tmp/permafrost/
    state: directory
    mode: "u+rwx,g+rwx,o+rwx"
    #owner: "{{ oracleuser.stdout_lines[0] }}"
    #group: "{{ oraclegroup.stdout_lines[0] }}"
  become: true
  become_user: "{{ oracleuser.stdout_lines[0] }}"

- name: Copy script file to dbserver
  copy:
    src: runme.sh
    dest: /tmp/permafrost/
    mode: "u+rwx,g+rwx,o+rwx"

- name: Run the permafrost script for each databases
  #ga_db_sid: "{{ item_permafrost }}"
  command: /bin/ksh runme.sh "{{ item_permafrost }}" "{{ gac_permafrost_path }}" "{{ gac_test_mount_only }}"
  args:
    chdir: /tmp/permafrost/
  become: true
  become_user: "{{ oracleuser.stdout_lines[0] }}"
  register: permafrostscript_output
  with_items: "{{ db_list }}"
  loop_control:
    loop_var: item_permafrost

Please help me on this.

Kai Stian Olstad

Mar 16, 2019, 2:56:48 AM3/16/19
to ansible...@googlegroups.com
On 15.03.2019 06:45, hitesh shaha wrote:
> We have developed a playbook for Oracle backup, but we are having a big
> roadblock using privilege escalation.
> We are using the become_user method for privilege escalation, but in our env, for
> security reasons, the Unix team has added a script which prompts for a ticket number
> after switching user.
> So how can I handle this in the become_user method?

Ansible will not handle this; Ansible is using sshpass, and the string sshpass is looking for is hardcoded.


> Existing setup in my env.
>
> Login to the Red Hat server using my personal id
>
> username:hitesh
> ..
> ..connected.
>
> linux>dzdo su - oracle
> Please enter ticket number: INC00000

One way to solve it would be to use the expect module.


--
Kai Stian Olstad
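As an added example (not part of Kai's reply or of the original playbook), this is one way the ticket prompt shown in the thread could be answered with the expect module. It assumes the ticket number is supplied at run time as a variable named change_ticket, that the script runs as the oracle user via dzdo exactly as in the session capture, and that pexpect is installed on the database host (the expect module requires it there).

```yaml
# Added example, not from the thread: answer the "Please enter ticket number:"
# prompt that "dzdo su - oracle" raises, instead of relying on become/become_user.
# Assumed names: change_ticket (ticket supplied per run), db_list, gac_* variables
# and /tmp/permafrost/runme.sh as in the original post.
- name: Run permafrost backups through dzdo, answering the ticket prompt
  hosts: dbservers
  vars_prompt:
    - name: change_ticket
      prompt: "Change ticket number for this backup run"
      private: true          # do not echo the ticket on the controller terminal
  tasks:
    - name: Run the permafrost script for each database as the oracle user
      expect:
        # su -c runs the script inside oracle's login shell; chdir is done there
        # because the expect module runs the command without a shell of its own.
        command: >-
          dzdo su - oracle -c
          "cd /tmp/permafrost && /bin/ksh runme.sh {{ item_permafrost }}
          {{ gac_permafrost_path }} {{ gac_test_mount_only }}"
        responses:
          # Keys are regular expressions matched against the command's output;
          # the prompt text is taken from the session capture in the thread.
          'Please enter ticket number:': "{{ change_ticket }}"
        # Backups can run long; the module default of 30 seconds would abort them.
        timeout: 3600
      register: permafrostscript_output
      no_log: true           # keep the ticket value out of the Ansible log
      with_items: "{{ db_list }}"
      loop_control:
        loop_var: item_permafrost
```

If the prompt does not appear (for example, dzdo already has a cached ticket), the responses entry is simply never used and the command runs as-is. Note that no_log also hides the registered result, so drop it temporarily while debugging the script itself.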