Ansible [Errno 13] Permission denied

Andrew Morgan

Aug 4, 2019, 6:06:11 PM
to Ansible Project
Hello All, 

Can I please get some help on this issue I have been trying to figure out for hours now. When I run the below command:

I am trying to run the below command from my:

Mac and connect to an amazon linux 2 server
Mac has ansible 2.8.2
Mac has Python 2.7.10
Server has Python 2.6.9
My setup is such that I use private keys, but still need to enter a password (it's a security precaution at work)

ansible all -i inventory  --private-key="/Users/p/andrewm.pem" -u andrewm -b -k -K -m command -a "/usr/sbin/useradd -s /bin/bash -m test"


SSH password:
BECOME password[defaults to SSH password]:
dev_jenkins | FAILED! => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": false,
    "module_stderr": "Shared connection to 54.x.183.46 closed.\r\n",
    "module_stdout": "\r\n",
    "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error",
    "rc": 1
}


I am able to ping  successfully
ansible all -i inventory  -m ping --private-key="/Users/confluencetrades/Desktop/andrewm.pem" -u andrewm --ask-become-pass -k
SSH password:
BECOME password[defaults to SSH password]:
dev_jenkins | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": false,
    "ping": "pong"
}


More verbose output

ansible all -vvv -i inventory  -m command -a "/usr/sbin/useradd -s /bin/bash -m test" --private-key="/Users/confluencetrades/Desktop/andrewm.pem" -u andrewm --ask-become-pass  -k
ansible 2.8.2
  config file = /WALLETHUB/ansible/ansible.cfg
  configured module search path = [u'/var/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /Library/Python/2.7/site-packages/ansible
  executable location = /usr/local/bin/ansible
  python version = 2.7.10 (default, Feb 22 2019, 21:55:15) [GCC 4.2.1 Compatible Apple LLVM 10.0.1 (clang-1001.0.37.14)]
Using /WALLETHUB/ansible/ansible.cfg as config file
SSH password:
BECOME password[defaults to SSH password]:
host_list declined parsing /WALLETHUB/ansible/inventory as it did not pass it's verify_file() method
script declined parsing /WALLETHUB/ansible/inventory as it did not pass it's verify_file() method
auto declined parsing /WALLETHUB/ansible/inventory as it did not pass it's verify_file() method
Parsed /WALLETHUB/ansible/inventory inventory source with ini plugin
META: ran handlers
<54.x.183.46> ESTABLISH SSH CONNECTION FOR USER: andrewm
<54.x.183.46> SSH: EXEC sshpass -d43 ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o 'IdentityFile="/Users/confluencetrades/Desktop/andrewm.pem"' -o 'User="andrewm"' -o ConnectTimeout=10 -o ControlPath=/private/var/root/.ansible/cp/a3358dc28d 54.x.183.46 '/bin/sh -c '"'"'echo ~andrewm && sleep 0'"'"''
<54.2x.183.46> (0, '/home/andrewm\n', '')
<54.x.183.46> ESTABLISH SSH CONNECTION FOR USER: andrewm
<54.x.183.46> SSH: EXEC sshpass -d43 ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o 'IdentityFile="/Users/confluencetrades/Desktop/andrewm.pem"' -o 'User="andrewm"' -o ConnectTimeout=10 -o ControlPath=/private/var/root/.ansible/cp/a3358dc28d 54.x.183.46 '/bin/sh -c '"'"'( umask 77 && mkdir -p "` echo /home/andrewm/.ansible/tmp/ansible-tmp-1564955687.71-187487933428397 `" && echo ansible-tmp-1564955687.71-187487933428397="` echo /home/andrewm/.ansible/tmp/ansible-tmp-1564955687.71-187487933428397 `" ) && sleep 0'"'"''
<54.x.183.46> (0, 'ansible-tmp-1564955687.71-187487933428397=/home/andrewm/.ansible/tmp/ansible-tmp-1564955687.71-187487933428397\n', '')
<dev_jenkins> Attempting python interpreter discovery
<54.x.183.46> ESTABLISH SSH CONNECTION FOR USER: andrewm
<54.2x.183.46> SSH: EXEC sshpass -d43 ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o 'IdentityFile="/Users/confluencetrades/Desktop/andrewm.pem"' -o 'User="andrewm"' -o ConnectTimeout=10 -o ControlPath=/private/var/root/.ansible/cp/a3358dc28d 54.2x.183.46 '/bin/sh -c '"'"'echo PLATFORM; uname; echo FOUND; command -v '"'"'"'"'"'"'"'"'/usr/bin/python'"'"'"'"'"'"'"'"'; command -v '"'"'"'"'"'"'"'"'python3.7'"'"'"'"'"'"'"'"'; command -v '"'"'"'"'"'"'"'"'python3.6'"'"'"'"'"'"'"'"'; command -v '"'"'"'"'"'"'"'"'python3.5'"'"'"'"'"'"'"'"'; command -v '"'"'"'"'"'"'"'"'python2.7'"'"'"'"'"'"'"'"'; command -v '"'"'"'"'"'"'"'"'python2.6'"'"'"'"'"'"'"'"'; command -v '"'"'"'"'"'"'"'"'/usr/libexec/platform-python'"'"'"'"'"'"'"'"'; command -v '"'"'"'"'"'"'"'"'/usr/bin/python3'"'"'"'"'"'"'"'"'; command -v '"'"'"'"'"'"'"'"'python'"'"'"'"'"'"'"'"'; echo ENDFOUND && sleep 0'"'"''
<54.2x.183.46> (0, 'PLATFORM\nLinux\nFOUND\n/usr/bin/python\n/usr/bin/python3.6\n/usr/bin/python2.7\n/usr/bin/python2.6\n/usr/bin/python3\n/usr/bin/python\nENDFOUND\n', '')
<54.x.183.46> ESTABLISH SSH CONNECTION FOR USER: andrewm
<54.x.183.46> SSH: EXEC sshpass -d43 ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o 'IdentityFile="/Users/confluencetrades/Desktop/andrewm.pem"' -o 'User="andrewm"' -o ConnectTimeout=10 -o ControlPath=/private/var/root/.ansible/cp/a3358dc28d 54.x.183.46 '/bin/sh -c '"'"'/usr/bin/python && sleep 0'"'"''
<54.2x.183.46> (0, '{"osrelease_content": "NAME=\\"Amazon Linux AMI\\"\\nVERSION=\\"2018.03\\"\\nID=\\"amzn\\"\\nID_LIKE=\\"rhel fedora\\"\\nVERSION_ID=\\"2018.03\\"\\nPRETTY_NAME=\\"Amazon Linux AMI 2018.03\\"\\nANSI_COLOR=\\"0;33\\"\\nCPE_NAME=\\"cpe:/o:amazon:linux:2018.03:ga\\"\\nHOME_URL=\\"http://aws.amazon.com/amazon-linux-ami/\\"\\n", "platform_dist_result": ["", "", ""]}\n', '')
<dev_jenkins> Python interpreter discovery fallback (unsupported Linux distribution: amzn)
Using module file /Library/Python/2.7/site-packages/ansible/modules/commands/command.py
<54.2x.183.46> PUT /var/root/.ansible/tmp/ansible-local-42993v4FGWo/tmp3ToKAg TO /home/andrewm/.ansible/tmp/ansible-tmp-1564955687.71-187487933428397/AnsiballZ_command.py
<54.2x.183.46> SSH: EXEC sshpass -d43 sftp -o BatchMode=no -b - -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o 'IdentityFile="/Users/confluencetrades/Desktop/andrewm.pem"' -o 'User="andrewm"' -o ConnectTimeout=10 -o ControlPath=/private/var/root/.ansible/cp/a3358dc28d '[54.2x.183.46]'
<54.2x.183.46> (0, 'sftp> put /var/root/.ansible/tmp/ansible-local-42993v4FGWo/tmp3ToKAg /home/andrewm/.ansible/tmp/ansible-tmp-1564955687.71-187487933428397/AnsiballZ_command.py\n', '')
<54.2x.183.46> ESTABLISH SSH CONNECTION FOR USER: andrewm
<54.2xx.183.46> SSH: EXEC sshpass -d43 ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o 'IdentityFile="/Users/confluencetrades/Desktop/andrewm.pem"' -o 'User="andrewm"' -o ConnectTimeout=10 -o ControlPath=/private/var/root/.ansible/cp/a3358dc28d 54.2x.183.46 '/bin/sh -c '"'"'chmod u+x /home/andrewm/.ansible/tmp/ansible-tmp-1564955687.71-187487933428397/ /home/andrewm/.ansible/tmp/ansible-tmp-1564955687.71-187487933428397/AnsiballZ_command.py && sleep 0'"'"''
<54.x.183.46> (0, '', '')
<54.2x.183.46> ESTABLISH SSH CONNECTION FOR USER: andrewm
<54.x.183.46> SSH: EXEC sshpass -d43 ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o 'IdentityFile="/Users/confluencetrades/Desktop/andrewm.pem"' -o 'User="andrewm"' -o ConnectTimeout=10 -o ControlPath=/private/var/root/.ansible/cp/a3358dc28d -tt 54.2x.183.46 '/bin/sh -c '"'"'/usr/bin/python /home/andrewm/.ansible/tmp/ansible-tmp-1564955687.71-187487933428397/AnsiballZ_command.py && sleep 0'"'"''
<54.x.183.46> (1, '\r\n{"exception": "WARNING: The below traceback may *not* be related to the actual failure.\\n  File \\"/tmp/ansible_command_payload_xIvWEp/ansible_command_payload.zip/ansible/module_utils/basic.py\\", line 2561, in run_command\\n    cmd = subprocess.Popen(args, **kwargs)\\n  File \\"/usr/lib64/python2.6/subprocess.py\\", line 642, in __init__\\n    errread, errwrite)\\n  File \\"/usr/lib64/python2.6/subprocess.py\\", line 1238, in _execute_child\\n    raise child_exception\\n", "cmd": "/usr/sbin/useradd -s /bin/bash -m test", "failed": true, "rc": 13, "invocation": {"module_args": {"creates": null, "executable": null, "_uses_shell": false, "strip_empty_ends": true, "_raw_params": "/usr/sbin/useradd -s /bin/bash -m test", "removes": null, "argv": null, "warn": true, "chdir": null, "stdin_add_newline": true, "stdin": null}}, "msg": "[Errno 13] Permission denied"}\r\n', 'Shared connection to 54.x.183.46 closed.\r\n')
<54.x.183.46> Failed to connect to the host via ssh: Shared connection to 54.x.183.46 closed.
<54.2x.183.46> ESTABLISH SSH CONNECTION FOR USER: andrewm
<54.2x.183.46> SSH: EXEC sshpass -d43 ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o 'IdentityFile="/Users/confluencetrades/Desktop/andrewm.pem"' -o 'User="andrewm"' -o ConnectTimeout=10 -o ControlPath=/private/var/root/.ansible/cp/a3358dc28d 54.X.183.46 '/bin/sh -c '"'"'rm -f -r /home/andrewm/.ansible/tmp/ansible-tmp-1564955687.71-187487933428397/ > /dev/null 2>&1 && sleep 0'"'"''
<54.x.183.46> (0, '', '')
The full traceback is:
WARNING: The below traceback may *not* be related to the actual failure.
  File "/tmp/ansible_command_payload_xIvWEp/ansible_command_payload.zip/ansible/module_utils/basic.py", line 2561, in run_command
    cmd = subprocess.Popen(args, **kwargs)
  File "/usr/lib64/python2.6/subprocess.py", line 642, in __init__
    errread, errwrite)
  File "/usr/lib64/python2.6/subprocess.py", line 1238, in _execute_child
    raise child_exception

dev_jenkins | FAILED | rc=13 >>
[Errno 13] Permission denied


Sandip Bhattacharya

Aug 4, 2019, 8:48:24 PM
to ansible...@googlegroups.com, Andrew Morgan
On August 4, 2019 at 3:06:25 PM, Andrew Morgan (alonso...@gmail.com) wrote:
> More verbose output
>
> ansible all -vvv -i inventory -m command -a "/usr/sbin/useradd -s /bin/bash -m test" --private-key="/Users/confluencetrades/Desktop/andrewm.pem" -u andrewm --ask-become-pass -k

You are not really adding "--become" here, even though you are supplying the become password. I am not sure that supplying the become password automatically enables "become".

- Sandip


Andrew Morgan

Aug 5, 2019, 7:37:44 PM
to Ansible Project
I tried --become, but it doesn't work either

ansible all -i inventory  --private-key="/Users/confluencetrades/Desktop/andre.pem" -u andrewm -k --become --ask-become-pass  -m command -a "/usr/sbin/useradd -s /bin/bash -m test"
SSH password:
BECOME password[defaults to SSH password]:
dev_jenkins | FAILED! => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": false,
    "module_stderr": "Shared connection to 54.xx.183.46 closed.\r\n",
    "module_stdout": "\r\n",
    "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error",
    "rc": 1
}

Sandip Bhattacharya

Aug 5, 2019, 7:38:48 PM
to Andrew Morgan, ansible...@googlegroups.com

On August 5, 2019 at 4:35:34 PM, Andrew Morgan (alonso...@gmail.com) wrote:

> Thank you, but I also tried that, but no luck
>
> > ansible all -i inventory --private-key="/Users/confluencetrades/Desktop/andrewm.pem" -u andrewm -k --become --ask-become-pass -m command -a "/usr/sbin/useradd -s /bin/bash -m test"
> > SSH password:


Can you run with --debug and see the output? It shows the exact command executed remotely.

- Sandip

Sandip Bhattacharya

Aug 5, 2019, 8:03:39 PM
to Andrew Morgan, ansible...@googlegroups.com
[ Yeah, it should have been -vvv and not --debug. I am mixing up apps. :) My apologies. ]

On August 5, 2019 at 4:45:33 PM, Andrew Morgan (alonso...@gmail.com) wrote:
> <54.236.183.46> ESTABLISH SSH CONNECTION FOR USER: andrewm
> <54.236.183.46> SSH: EXEC sshpass -d42 ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o 'IdentityFile="/Users/confluencetrades/Desktop/andrewm.pem"' -o 'User="andrewm"' -o ConnectTimeout=10 -o ControlPath=/private/var/root/.ansible/cp/a3358dc28d -tt 54.236.183.46 '/bin/sh -c '"'"'sudo -H -S -p "[sudo via ansible, key=fahckbxvjwfjuwfziuxflwkbjtwbsyfl] password:" -u root /bin/sh -c '"'"'"'"'"'"'"'"'echo BECOME-SUCCESS-fahckbxvjwfjuwfziuxflwkbjtwbsyfl ; /usr/bin/python /home/andrewm/.ansible/tmp/ansible-tmp-1565048685.95-166747859799287/AnsiballZ_command.py'"'"'"'"'"'"'"'"' && sleep 0'"'"''
> Escalation succeeded
> <54.236.183.46> (1, '\r\n', 'Shared connection to 54.236.183.46 closed.\r\n')
> <54.236.183.46> Failed to connect to the host via ssh: Shared connection to 54.236.183.46 closed.

At this point, the only possible problem I can think of is sudo restrictions.

Are you sure you can run arbitrary commands via sudo on your box? My workplace doesn't let me execute shells via sudo, for example. We use a workaround to make ansible work.

e.g. Can you run on your remote box something like this?

    sudo /bin/sh -c "echo hello from bash; python -c 'print \"hello\"' "

- Sandip


Sandip Bhattacharya

Aug 5, 2019, 9:17:18 PM
to Andrew Morgan, ansible...@googlegroups.com


On Mon, Aug 5, 2019, at 5:34 PM, Andrew Morgan wrote:
> Ahh, you are right, I am getting the error:
>
> Sorry, user andrewm is not allowed to execute '/bin/sh -c echo hello from bash; python -c 'print "hello"' ' as root on ip-10-0-0-162
>
> but in ansible I am becoming root! Now when I become the root user I am able to:
> # sudo /bin/sh -c "echo hello from bash; python -c 'print \"hello\"' "
> hello from bash
> hello
>
>
> How can I fix this issue?


You need to change your sudo config to allow executing /bin/sh. This has always been an Ansible requirement - to be able to use privilege escalation, you need to let sudo run arbitrary commands.

The relevant config to fix should be somewhere in /etc/sudoers or some file in /etc/sudoers.d. The specific config varies from installation to installation, and changing it has security implications. So if you have a different person handling system level setup (you mentioned in your first mail that there are certain security requirements at work) you should definitely work with them to change this, else you can leave your system vulnerable in an unexpected way. Else if you can do this yourself, look up "man sudoers" to understand the current config and change it.

- Sandip
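
Added example (not part of the thread): a preflight check for the condition diagnosed above, deciding from captured `sudo -l` output whether the connecting user may run `/bin/sh` as root, which Ansible's become wrapper requires. The function name and the sample listings are constructed for illustration, and the parsing is a simplified reading of the listing format.

```shell
#!/bin/sh
# Added example. Reads captured `sudo -l` output on stdin and exits 0 only if
# the listing lets the user run /bin/sh as root, which is what Ansible's
# become wrapper (sudo ... -u root /bin/sh -c '<module>') needs.
# Simplified: ignores sudoers aliases, rule order and argument patterns, and
# treats any explicit "!/bin/sh" entry as a denial.
sh_allowed_as_root() {
    awk '
        /^[ \t]+\(/ {
            line = $0
            sub(/^[ \t]+\(/, "", line)
            runas = line
            sub(/\).*/, "", runas)            # "root", "ALL", "ALL : ALL", ...
            sub(/:.*/, "", runas)             # keep the user part, drop the group
            sub(/^[^)]*\)[ \t]*/, "", line)   # drop "runas) ", leaving tags + commands
            root_ok = 0
            n = split(runas, users, /[, \t]+/)
            for (i = 1; i <= n; i++)
                if (users[i] == "root" || users[i] == "ALL") root_ok = 1
            if (!root_ok) next
            gsub(/[A-Z_]+:[ \t]*/, "", line)  # strip tags such as NOPASSWD:
            m = split(line, cmds, /,[ \t]*/)
            for (i = 1; i <= m; i++) {
                c = cmds[i]
                sub(/[ \t]+$/, "", c)
                if (c == "!/bin/sh") denied = 1
                else if (c == "ALL" || c == "/bin/sh") allowed = 1
            }
        }
        END { exit ((allowed && !denied) ? 0 : 1) }
    '
}

# Constructed sample listings (not taken from the thread's host).
RESTRICTED='User andrewm may run the following commands on ip-10-0-0-162:
    (root) /usr/sbin/useradd, /usr/sbin/usermod'
PERMISSIVE='User andrewm may run the following commands on ip-10-0-0-162:
    (ALL : ALL) NOPASSWD: ALL'
NEGATED='User andrewm may run the following commands on ip-10-0-0-162:
    (root) ALL, !/bin/sh'

for name in RESTRICTED PERMISSIVE NEGATED; do
    eval "listing=\$$name"
    if printf '%s\n' "$listing" | sh_allowed_as_root; then
        echo "$name: become via /bin/sh permitted"
    else
        echo "$name: become via /bin/sh blocked by sudo policy"
    fi
done
```

On the managed host itself, `sudo -l /bin/sh -c true` asks sudo directly and exits non-zero when the command is not permitted. A rule that permits `/bin/sh` as root gives that account unrestricted root, so scope it to the account Ansible connects as.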

Andrew Morgan

Aug 5, 2019, 9:35:38 PM
to Sandip Bhattacharya, ansible...@googlegroups.com
Thanks! Great info, it worked.

Andrew Morgan

Aug 5, 2019, 9:37:04 PM
to Ansible Project

Issue was with my sudo permissions file. Thanks to Sandip, he was a great help.