Re: [ansible-project] Allowed specific commands with NOPASSWD in sudoers file, Ansible complains...


Brian Coca

Nov 9, 2015, 6:00:52 PM
to Ansible Project
No, the issue is that Ansible does not support fine-grained sudo permissions: it executes a Python file, which might execute the commands you see, but sudo wraps the entire thing, not just the command.

--
Brian Coca

Jeff

Nov 10, 2015, 11:48:53 AM
to Ansible Project
So that's a security bug then.

The point of sudo is to enable fine-grained control rather than just granting root access to everything.

Ansible needs to be upgraded to only SUDO the expected commands rather than an entire script that does other things that are not visible.

So I guess you get this question a lot.

Brian Coca

Nov 10, 2015, 12:28:39 PM
to Ansible Project
The purpose of sudo is to allow for privilege escalation; the fine-grained escalation is a feature.

The way Ansible works currently requires arbitrary command specs. This is not a bug, but it is a limitation. This won't work for all environments, specifically those that only allow specific commands.

This is a feature we want to add, but it won't work with all modules; it would only work with modules that shell out to run commands. For example, if a module changes ownership of a file using the Python/Perl/Ruby function to do so, it would not work with `/bin/chmod` permissions in sudoers, as they will be making a system call and not running a command.

--
Brian Coca

Jonathan Bouzekri

Jan 26, 2017, 4:13:53 PM
to Ansible Project
Hi

Is there any progress on this feature? Is it available in the latest version of Ansible? More specifically, on the service module (for example, to allow reloading of specific services).

Thanks

Johannes Kastl

Jan 27, 2017, 8:41:34 AM
to ansible...@googlegroups.com
As you don't quote what you are talking about, I can only assume the title is what you are after.

No, Ansible needs to run something like "sudo -H -S -n -u root /bin/bash" to work. You might set that to NOPASSWD, but it just means you allow the ansible user everything.

Johannes

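To make Brian's and Johannes's point concrete, here is an added example (not Ansible's or sudo's code, and not from anyone in this thread): a deliberately simplified model of sudoers command matching, run against a constructed restricted rule and a blanket `NOPASSWD: ALL` rule. The become command line, the `deploy` user and the temp-file path are assumptions standing in for what Ansible actually issues; the matcher ignores wildcards, `Cmnd_Alias`, Runas and host fields that real sudo also evaluates.

```python
# Added example: simplified sudoers command matching, illustrating why a
# command-restricted NOPASSWD rule never covers Ansible's become.
# Constructed samples only; not sudo's real matcher (no wildcards, aliases,
# Runas or host checks), and the become command line is an assumed shape.
import re
import shlex


def parse_sudoers_cmnds(line):
    """Return the command specs from one 'user HOST=(runas) TAG: cmds' line."""
    rhs = line.split("=", 1)[1].strip()
    rhs = re.sub(r"^\([^)]*\)\s*", "", rhs)     # drop Runas_Spec such as "(root)"
    rhs = re.sub(r"^(?:[A-Z]+:\s*)+", "", rhs)  # drop tags such as "NOPASSWD:"
    return [c.strip() for c in rhs.split(",") if c.strip()]


def spec_matches(spec, argv):
    """Match one command spec against a resolved argv list."""
    if spec == "ALL":
        return True
    spec_argv = shlex.split(spec)
    if spec_argv[0] != argv[0]:
        return False
    if len(spec_argv) == 1:            # bare path: sudo allows any arguments
        return True
    return spec_argv[1:] == argv[1:]   # path plus args: args must match exactly


def sudoers_allows(line, command):
    """True if the sudoers line permits running `command` as given."""
    argv = shlex.split(command)
    return any(spec_matches(s, argv) for s in parse_sudoers_cmnds(line))


# Constructed: the rule an admin who only wants an nginx reload would write...
RESTRICTED = "deploy ALL=(root) NOPASSWD: /usr/sbin/nginx -s reload, /bin/systemctl reload nginx"
# ...versus the blanket rule the thread says become currently needs.
BLANKET = "deploy ALL=(root) NOPASSWD: ALL"

# Assumed shape of what become hands to sudo: a shell that runs the uploaded
# module, so the nginx reload is never the argv that sudo evaluates.
ANSIBLE_BECOME = "/bin/sh -c 'echo BECOME-SUCCESS-placeholder ; /usr/bin/python /home/deploy/.ansible/tmp/service.py'"
DIRECT_RELOAD = "/usr/sbin/nginx -s reload"

if __name__ == "__main__":
    for label, rule in (("restricted", RESTRICTED), ("blanket", BLANKET)):
        for cmd in (DIRECT_RELOAD, ANSIBLE_BECOME):
            verdict = "allowed" if sudoers_allows(rule, cmd) else "DENIED"
            print(f"{label:10} {cmd[:45]:45} -> {verdict}")
```

The restricted rule permits the reload typed by hand but denies the become wrapper, which is exactly the limitation the thread describes; only the blanket rule lets the module run.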

Jonathan Bouzekri

Jan 27, 2017, 9:36:52 AM
to Ansible Project
Sorry, I started a discussion on this before seeing this one: https://groups.google.com/d/msg/ansible-project/TZoUZUPO5no/6ZOxMmF3BQAJ

Yes, I mean to restrict (with sudoers configuration or something else), on the OS side, the command the user can execute, but still allow Ansible to execute.

We are using Ansible for code deployment, and there is a single task which needs become privilege: nginx reload.

So, except for the NOPASSWD settings, is there any other solution? If not, it seems to me it is a big drawback for Ansible to be used as a code shipping tool.