
Problem with sudo su user


Jakub Zieliński

May 12, 2016, 1:10:44 PM
to Ansible Project

In sudoers file I have only (can't change it)
%user ALL=(ALL) NOPASSWD: /bin/su - jboss


How can I sudo to jboss and then run some command?
I tried something like
- become: yes
  become_user: "jboss"
  raw: "touch test"
or
raw: "sudo su - jboss -c touch test"
but it always ended with:
Sorry, user is not allowed to execute 'command' as jboss

Johannes Kastl

May 14, 2016, 4:01:26 PM
to ansible...@googlegroups.com
On 12.05.16 13:51 Jakub Zieliński wrote:

> How can I sudo to jboss and then run some command?

This is being asked frequently, and AFAIK the only answer is:

You can't.

Ansible stuffs a lot of voodoo around the actual commands, so it needs
your ansible_user to have NOPASSWD set for all commands.

Workaround:
You can store the become_pass in an ansible-vault-encrypted file, so
it can be given when sudo asks for it. This means your ansible_user
has to have the ability to issue all kinds of commands via sudo while
being asked for the password.

Johannes


Brian Coca

May 16, 2016, 5:52:59 PM
to ansible...@googlegroups.com
The problem here is that ansible does not support chaining privilege escalation methods (sudo OR su, not both).

%user ALL=(jboss) NOPASSWD: ALL

or 

%user ALL=(jboss) ALL

would allow you to use sudo, or if you have the jboss user password you can use 'su', but Ansible cannot use the combination of the 2. Sadly this is a common pattern even though it is not needed as sudo can give you the same functionality w/o chaining su (as shown above).

On Sat, May 14, 2016 at 4:01 PM, Johannes Kastl <ma...@ojkastl.de> wrote:
Ansible stuffs a lot of voodoo around the actual commands, so it needs
your ansible_user to have NOPASSWD set for all commands.

This is incorrect, you CAN have a sudo/su password, the problem is not with that but the fact that you are stacking the methods.

----------
Brian Coca
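To make concrete why Jakub's attempts fail under `%user ALL=(ALL) NOPASSWD: /bin/su - jboss` and why Brian's `%user ALL=(jboss) NOPASSWD: ALL` lets `become_user: jboss` work without stacking su, here is a small Python model of sudoers command matching; it is an added example, not code from the thread or from Ansible or sudo. It is deliberately simplified (no wildcards, Defaults, host lists or Runas groups) and assumes the invoking user belongs to the `%user` group named in the rule.

```python
import shlex
from dataclasses import dataclass

@dataclass
class Rule:
    who: str        # user/group spec, e.g. "%user"; assumed to match the invoking user
    runas: str      # the "(...)" Runas spec, "ALL" if omitted
    nopasswd: bool
    command: str    # "ALL", or a path optionally followed by the exact arguments

def parse_rule(line: str) -> Rule:
    """Parse the simple form '%group HOST=(runas) [NOPASSWD:] cmd args'."""
    who, rest = line.split(None, 1)
    _host, spec = rest.split("=", 1)
    spec = spec.strip()
    runas = "ALL"
    if spec.startswith("("):
        runas, spec = spec[1:].split(")", 1)
    spec = spec.strip()
    nopasswd = spec.startswith("NOPASSWD:")
    if nopasswd:
        spec = spec[len("NOPASSWD:"):].strip()
    return Rule(who, runas.strip(), nopasswd, spec)

def allows(rule: Rule, target_user: str, argv: list[str]) -> bool:
    """True if 'sudo -u target_user argv...' matches this rule (simplified sudoers semantics)."""
    if rule.runas not in ("ALL", target_user):
        return False                      # rule does not permit this -u user
    if rule.command == "ALL":
        return True                       # any command as that user
    want = shlex.split(rule.command)
    if len(want) == 1:
        return argv[0] == want[0]         # no args listed: any arguments accepted
    return argv == want                   # args listed: command line must match exactly

# The two sudoers lines discussed in the thread (constructed copies for this demo).
SU_ONLY = parse_rule("%user ALL=(ALL) NOPASSWD: /bin/su - jboss")
RUNAS_JBOSS = parse_rule("%user ALL=(jboss) NOPASSWD: ALL")

if __name__ == "__main__":
    cases = [
        (SU_ONLY, "jboss", ["/bin/su", "-", "jboss"]),                      # interactive su: allowed
        (SU_ONLY, "jboss", ["/bin/su", "-", "jboss", "-c", "touch test"]),  # extra args: rejected
        (SU_ONLY, "jboss", ["/bin/touch", "test"]),                         # what become_user needs: rejected
        (RUNAS_JBOSS, "jboss", ["/bin/touch", "test"]),                     # allowed
        (RUNAS_JBOSS, "root", ["/bin/touch", "test"]),                      # no escalation to root
    ]
    for rule, user, argv in cases:
        print(f"{rule.command!r:22} -u {user:6} {' '.join(argv):32} -> {allows(rule, user, argv)}")
```

The su-only rule fixes the argument list, so any `-c` suffix or direct command as jboss is refused, while the `(jboss) ALL` rule grants exactly the commands-as-jboss that Ansible's sudo `become` issues and nothing as root.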

Johannes Kastl

May 17, 2016, 2:03:29 PM
to ansible...@googlegroups.com
On 16.05.16 23:52 Brian Coca wrote:

> On Sat, May 14, 2016 at 4:01 PM, Johannes Kastl <ma...@ojkastl.de> wrote:
>
>> Ansible stuffs a lot of voodoo around the actual commands, so it needs
>> your ansible_user to have NOPASSWD set for all commands.
>>
>
> This is incorrect, you CAN have a sudo/su password, the problem is not
> with that but the fact that you are stacking the methods.

I am sorry, I was unclear. I meant if you want *passwordless* sudo,
you need it for all commands, not just for some.

Of course sudo with prompting for the password (which can be supplied
in a lot of ways) works.

Johannes

