Privilege escalation


Iohannes Nerevar

Mar 1, 2024, 10:40:58 AM
to rundeck-discuss
Hi,

I generate the nodes via the Ansible inventory. No problem there.
I configure my node source as follows:
[screenshot: Capture d’écran du 2024-03-01 16-25-48.png]

On the Default Node Executor side, like this (all other values are empty):

[screenshot: Capture d’écran du 2024-03-01 16-26-24.png]


When executing a command (from the right-hand menu), it works correctly with a simple command (date):

[screenshot: Capture d’écran du 2024-03-01 16-37-49.png]

However, as soon as a command or privilege elevation is required, it doesn't work:

[screenshot: Capture d’écran du 2024-03-01 16-37-20.png]

Similarly, if I try from a playbook.

My target server has a rundeck user, and it is in sudoers.

Any ideas?

Thanks

rac...@rundeck.com

Mar 1, 2024, 10:46:57 AM
to rundeck-discuss
Hi,

Does it work if the user is configured as a "nopasswd" user at the moment of doing the sudo command? Could you try that? This could be a bug.

Also, did you try directly on ansible?

Regards.

Iohannes Nerevar

Mar 4, 2024, 4:07:54 AM
to rundeck-discuss
Hi,
Same from ansible.
I set the user to "nopasswd" in /etc/sudoers and configured my nodes as follows (part of the previous configuration is no longer there):


It works like that, but I don't find it to be safe in terms of security.
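The workaround above (a NOPASSWD entry for the automation user) is what the thread ends up with, and the poster's unease is justified when that entry is `NOPASSWD: ALL`. The following is an added audit script, not code from the thread or from Rundeck: it parses sudoers-style rules, flags blanket passwordless grants, and shows how a rule scoped to the specific commands a job needs would look. The user names, host and command paths in the sample are constructed.

```python
"""Audit sudoers fragments for blanket NOPASSWD grants (added example).

Flags `NOPASSWD: ALL` rules for an automation user and distinguishes them
from rules scoped to specific commands. Sample data is constructed.
"""
import re
from dataclasses import dataclass

# Constructed sample: the thread's workaround (rundeck line) next to a
# scoped variant (deploy line) and a password-protected variant (ops line).
SAMPLE_SUDOERS = """\
# /etc/sudoers.d/rundeck (constructed sample)
Defaults:rundeck !requiretty
rundeck ALL=(ALL) NOPASSWD: ALL
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart myapp, /usr/bin/apt-get update
ops     ALL=(ALL) ALL
"""

# user  hosts = (runas) [TAG: ...] command, command
SPEC_RE = re.compile(r"""
    ^(?P<user>[\w%+.-]+)\s+
    (?P<hosts>[^=\s]+)\s*=\s*
    (?:\((?P<runas>[^)]*)\)\s*)?
    (?P<rest>.+)$
""", re.VERBOSE)

# One or more tags such as "NOPASSWD:" or "NOPASSWD:SETENV:" before the commands.
TAGS_RE = re.compile(r"^((?:[A-Z]+:\s*)+)")


@dataclass
class Finding:
    user: str
    line_no: int
    severity: str
    reason: str


def parse_rule(line):
    """Parse a single user specification; return None for Defaults/aliases/other lines."""
    m = SPEC_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest").strip()
    tags = []
    tag_m = TAGS_RE.match(rest)
    if tag_m:
        tags = [t for t in tag_m.group(1).replace(" ", "").split(":") if t]
        rest = rest[tag_m.end():]
    commands = [c.strip() for c in rest.split(",") if c.strip()]
    return {
        "user": m.group("user"),
        "hosts": m.group("hosts"),
        "runas": m.group("runas") or "root",
        "tags": tags,
        "commands": commands,
    }


def audit(text):
    """Return findings for every rule, worst first within each rule's own line."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        rule = parse_rule(line)
        if rule is None:
            continue
        nopasswd = "NOPASSWD" in rule["tags"]
        unrestricted = "ALL" in rule["commands"]
        if nopasswd and unrestricted:
            findings.append(Finding(rule["user"], n, "high",
                                    "passwordless sudo to any command; scope it to the commands the jobs need"))
        elif unrestricted:
            findings.append(Finding(rule["user"], n, "medium",
                                    "sudo to any command (password still required)"))
        elif nopasswd:
            findings.append(Finding(rule["user"], n, "info",
                                    f"passwordless sudo limited to {len(rule['commands'])} command(s)"))
    return findings


def scoped_rule(user, commands, runas="root"):
    """Build the least-privilege replacement: NOPASSWD only for an explicit command list."""
    return f"{user} ALL=({runas}) NOPASSWD: " + ", ".join(commands)


if __name__ == "__main__":
    for f in audit(SAMPLE_SUDOERS):
        print(f"line {f.line_no}: {f.user}: [{f.severity}] {f.reason}")
    print("suggested:", scoped_rule("rundeck", ["/usr/bin/systemctl restart myapp"]))
```

Run it against a copy of the fragment you intend to install (the real file should still be validated with `visudo -c` before it is put in place); the "high" finding is the blanket rule the thread settles on, and `scoped_rule` shows the form that keeps the Ansible BECOME step password-free without granting the automation user unrestricted root.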

Iohannes Nerevar

Mar 4, 2024, 4:09:04 AM
to rundeck-discuss
[screenshot: Capture d’écran du 2024-03-04 10-08-41.png]

Iohannes Nerevar

Mar 4, 2024, 4:20:56 AM
to rundeck-discuss
It also works with this configuration, but as soon as I remove "nopasswd" in sudoers, it no longer works.
[screenshot: Capture d’écran du 2024-03-04 10-19-39.png]

rac...@rundeck.com

Mar 4, 2024, 9:03:41 AM
to rundeck-discuss
Yeah, I'm experiencing the same on the latest version; if you check the service.log you will probably see the prompt asking you for the password (but it works for "NOPASSWD" users).

That was reported here and here. Could you add your use case to that thread?

Regards.

Iohannes Nerevar

Mar 5, 2024, 5:52:37 AM
to rundeck-discuss
In the service.log I find this just before running the job:

/usr/lib/python3.10/getpass.py:91: GetPassWarning: Can not control echo on the terminal.
  passwd = fallback_getpass(prompt, stream)
Warning: Password input may be echoed.
SSH password:
Warning: Password input may be echoed.
BECOME password[defaults to SSH password]:

PLAY [all] *********************************************************************

TASK [Ensure tmpdir data directory] ********************************************
changed: [SERVER -> localhost]

TASK [Template the gathered facts] *********************************************
changed: [SERVER -> localhost]

PLAY RECAP *********************************************************************
SERVER                 : ok=2    changed=2    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0  

And when executing the job:
ERROR node.NodeStepPluginAdapter - Error executing node step.
com.dtolabs.rundeck.core.execution.workflow.steps.node.NodeStepException: ERROR: Ansible execution returned with non zero code.
at com.rundeck.plugins.ansible.plugin.AnsiblePlaybookWorflowNodeStep.executeNodeStep(AnsiblePlaybookWorflowNodeStep.java:95) ~[?:?]
at com.dtolabs.rundeck.core.execution.workflow.steps.node.NodeStepPluginAdapter.executeNodeStep(NodeStepPluginAdapter.java:169) ~[rundeck-core-5.1.1-20240305.jar!/:?]
at com.dtolabs.rundeck.core.execution.ExecutionServiceImpl.executeNodeStep(ExecutionServiceImpl.java:207) ~[rundeck-core-5.1.1-20240305.jar!/:?]
at com.dtolabs.rundeck.core.execution.dispatch.SequentialNodeDispatcher.dispatch(SequentialNodeDispatcher.java:130) ~[rundeck-core-5.1.1-20240305.jar!/:?]
at com.dtolabs.rundeck.core.execution.dispatch.SequentialNodeDispatcher.dispatch(SequentialNodeDispatcher.java:61) ~[rundeck-core-5.1.1-20240305.jar!/:?]
at com.dtolabs.rundeck.core.execution.ExecutionServiceImpl.dispatchToNodesWith(ExecutionServiceImpl.java:263) ~[rundeck-core-5.1.1-20240305.jar!/:?]
at com.dtolabs.rundeck.core.execution.ExecutionServiceImpl.dispatchToNodes(ExecutionServiceImpl.java:234) ~[rundeck-core-5.1.1-20240305.jar!/:?]
at com.dtolabs.rundeck.core.execution.workflow.steps.NodeDispatchStepExecutor.executeWorkflowStep(NodeDispatchStepExecutor.java:66) ~[rundeck-core-5.1.1-20240305.jar!/:?]
at com.dtolabs.rundeck.core.execution.ExecutionServiceImpl.executeStep(ExecutionServiceImpl.java:111) ~[rundeck-core-5.1.1-20240305.jar!/:?]
at com.dtolabs.rundeck.core.execution.workflow.BaseWorkflowExecutor.executeWFItem(BaseWorkflowExecutor.java:285) ~[rundeck-core-5.1.1-20240305.jar!/:?]
at com.dtolabs.rundeck.core.execution.workflow.BaseWorkflowExecutor.executeWorkflowStep(BaseWorkflowExecutor.java:681) ~[rundeck-core-5.1.1-20240305.jar!/:?]
at com.dtolabs.rundeck.core.execution.workflow.engine.StepCallable.apply(StepCallable.java:71) ~[rundeck-core-5.1.1-20240305.jar!/:?]
at com.dtolabs.rundeck.core.execution.workflow.engine.StepOperation.apply(StepOperation.java:76) ~[rundeck-core-5.1.1-20240305.jar!/:?]
at com.dtolabs.rundeck.core.execution.workflow.engine.StepOperation.apply(StepOperation.java:32) ~[rundeck-core-5.1.1-20240305.jar!/:?]
at com.dtolabs.rundeck.core.rules.WorkflowEngineOperationsProcessor.lambda$beginOperation$1(WorkflowEngineOperationsProcessor.java:323) ~[rundeck-core-5.1.1-20240305.jar!/:?]
at com.google.common.util.concurrent.TrustedListenableFutureTask$TrustedFutureInterruptibleTask.runInterruptibly(TrustedListenableFutureTask.java:131) [guava-32.0.1-jre.jar!/:?]
at com.google.common.util.concurrent.InterruptibleTask.run(InterruptibleTask.java:75) [guava-32.0.1-jre.jar!/:?]
at com.google.common.util.concurrent.TrustedListenableFutureTask.run(TrustedListenableFutureTask.java:82) [guava-32.0.1-jre.jar!/:?]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) [?:?]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) [?:?]
at java.lang.Thread.run(Thread.java:829) [?:?]
[2024-03-05T11:46:56,700] ERROR services.ExecutionUtilService - Execution failed: 191 in project Ansible: [Workflow result: , step failures: {1=Dispatch failed on 1 nodes: [SERVER: AnsibleNonZero: ERROR: Ansible execution returned with non zero code. + {dataContext=MultiDataContextImpl(map={}, base=null)} ]}, Node failures: {SERVER=[AnsibleNonZero: ERROR: Ansible execution returned with non zero code. + {dataContext=MultiDataContextImpl(map={}, base=null)} ]}, status: failed]