Re: [ansible-project] Allowed specific commands with NOPASSWD in sudoers file, Ansible complains...
Sorry, I started a discussion on this before seeing this one: https://groups.google.com/d/msg/ansible-project/TZoUZUPO5no/6ZOxMmF3BQAJ

Yes, I mean to restrict (with sudoers configuration or something else), on the OS side, the commands the user can execute, but still allow Ansible to execute them. We are using Ansible for code deployment and there is a single task which needs become privilege: nginx reload. So except for the NOPASSWD setting, is there any other solution? If not, it seems to me it is a big drawback for Ansible to be used as a code shipping tool.

On Friday, January 27, 2017 at 2:41:34 PM UTC+1, Johannes Kastl wrote:
> On 26.01.17 19:11 Jonathan Bouzekri wrote:
>
> > Is there any progress on this feature? is it available in the
> > latest version of ansible? More specifically on the service module
> > (for example to allow reloading of specific services)
>
> As you don't quote what you are talking about I can only assume the
> title is what you are after.
>
> No, ansible needs to run something like "sudo -H -S -n -u root
> /bin/bash" to work. You might set that to NOPASSWD, but it just means
> you allow the ansible user everything.
>
> Johannes

-- 
You received this message because you are subscribed to the Google Groups "Ansible Project" group. To unsubscribe from this group and stop receiving emails from it, send an email to ansible-project+unsubscr...@googlegroups.com. To post to this group, send email to ansible-project@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/3a57a456-40e8-484a-9b38-1e4fbd61e4ed%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [ansible-project] Allowed specific commands with NOPASSWD in sudoers file, Ansible complains...
On 26.01.17 19:11 Jonathan Bouzekri wrote:
> Is there any progress on this feature? is it available in the
> latest version of ansible? More specifically on the service module
> (for example to allow reloading of specific services)

As you don't quote what you are talking about I can only assume the title is what you are after.

No, ansible needs to run something like "sudo -H -S -n -u root /bin/bash" to work. You might set that to NOPASSWD, but it just means you allow the ansible user everything.

Johannes

To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/84950170-74c3-5d19-415a-9568218b0b09%40ojkastl.de.
Re: [ansible-project] Allowed specific commands with NOPASSWD in sudoers file, Ansible complains...
Hi,

Is there any progress on this feature? Is it available in the latest version of ansible? More specifically on the service module (for example to allow reloading of specific services).

Thanks

To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/5e5fbad1-cf00-4c5c-aad6-f943ef7e1474%40googlegroups.com.
Re: [ansible-project] Allowed specific commands with NOPASSWD in sudoers file, Ansible complains...
So that's a security bug then. The point of sudo is to enable fine-grained control rather than just granting root access to everything. Ansible needs to be upgraded to only sudo the expected commands rather than an entire script that does other things that are not visible.

This is the same as https://github.com/ansible/ansible/issues/13077 so I guess you get this question a lot.

On Monday, November 9, 2015 at 11:00:52 PM UTC, Brian Coca wrote:
> no, the issue is that ansible does not support fine grained sudo
> permissions, it executes a python file which might execute the
> commands you see, but the sudo wraps the entire thing, not just the
> command.
>
> --
> Brian Coca

To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/c7067524-43ce-4c2e-9ac6-6436c786668d%40googlegroups.com.
Re: [ansible-project] Allowed specific commands with NOPASSWD in sudoers file, Ansible complains...
The purpose of sudo is to allow for privilege escalation; the fine-grained escalation is a feature. The way ansible works currently requires arbitrary command specs. This is not a bug, but it is a limitation. This won't work for all environments, specifically those that only allow specific commands.

This is a feature we want to add, but it won't work with all modules; it would only work with modules that shell out to run commands. For example, if a module changes ownership of a file using the python/perl/ruby function to do so, it would not work with `/bin/chmod` permissions in sudoers, as they will be making a system call and not running a command.

-- 
Brian Coca

To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/CAJ5XC8kv-904WzX-2viPM2jWk5c4SD2pJovGD7nMp0jLTtekZA%40mail.gmail.com.
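The two points made in this thread, that sudo wraps the whole `sudo -H -S -n -u root /bin/bash ...` invocation rather than the command a module later runs, and that a sudoers entry for one executable therefore never matches it, can be checked offline with a small model of sudoers matching. The script below is an added example written for this page; it is not Ansible's or sudo's code. It models only last-match-wins entries, the NOPASSWD tag and exact-argv command matching (no aliases, wildcards or digests), and the sudoers lines, module path and BECOME-SUCCESS token in it are constructed placeholders.

```python
"""Toy model of sudoers command matching (constructed example, not sudo's code).

It answers one question: given a sudoers rule set, is the command line handed
to sudo executed, does it prompt for a password, or is it refused?  Only the
"last matching entry wins" rule, the NOPASSWD tag and exact argv matching are
modelled; real sudoers has aliases, wildcards, digests and many more options.
"""
import shlex
from dataclasses import dataclass


@dataclass
class Rule:
    user: str
    runas: str          # "ALL" or a user name
    nopasswd: bool
    commands: list      # each entry is an argv list, or ["ALL"]


def parse_sudoers(text: str) -> list:
    """Parse lines of the form 'user HOST=(runas) [NOPASSWD:] cmd[, cmd...]'."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, rest = line.split(None, 1)
        _host, rest = rest.split("=", 1)      # host list ignored in this toy
        rest = rest.strip()
        runas = "ALL"
        if rest.startswith("("):
            runas, rest = rest[1:].split(")", 1)
            rest = rest.strip()
        nopasswd = rest.startswith("NOPASSWD:")
        if nopasswd:
            rest = rest[len("NOPASSWD:"):]
        commands = [shlex.split(c) for c in rest.split(",")]
        rules.append(Rule(user, runas.strip(), nopasswd, commands))
    return rules


def command_matches(allowed: list, argv: list) -> bool:
    if allowed == ["ALL"]:
        return True
    if len(allowed) == 1:               # path without arguments: any arguments allowed
        return bool(argv) and allowed[0] == argv[0]
    return allowed == argv              # path with arguments: exact argv match


def parse_sudo_invocation(cmdline: str):
    """Split 'sudo [flags] cmd args...' into (target user, -n given, argv)."""
    tokens = shlex.split(cmdline)
    if not tokens or tokens[0] != "sudo":
        raise ValueError("expected a sudo command line")
    target, noninteractive, i = "root", False, 1
    while i < len(tokens) and tokens[i].startswith("-"):
        if tokens[i] == "-u":           # separate-flag form, as Ansible passes it
            target, i = tokens[i + 1], i + 2
            continue
        if tokens[i] == "-n":
            noninteractive = True
        i += 1                          # -H, -S and other no-argument flags
    return target, noninteractive, tokens[i:]


def sudo_decision(rules: list, user: str, cmdline: str) -> str:
    """Return 'run', 'password', 'fail' (password needed but -n given) or 'denied'."""
    target, noninteractive, argv = parse_sudo_invocation(cmdline)
    decision = "denied"                 # no entry matched at all
    for rule in rules:                  # later entries override earlier ones
        if rule.user != user or rule.runas not in ("ALL", target):
            continue
        if any(command_matches(c, argv) for c in rule.commands):
            decision = "run" if rule.nopasswd else "password"
    if decision == "password" and noninteractive:
        return "fail"                   # sudo prints "a password is required" and exits
    return decision


# Constructed sudoers: everything needs a password except one nginx reload.
SUDOERS = """
deploy ALL=(ALL) ALL
deploy ALL=(root) NOPASSWD: /usr/sbin/nginx -s reload
"""
RULES = parse_sudoers(SUDOERS)

# What the operator types by hand, versus what Ansible's become wrapper hands
# to sudo (module path and token are constructed placeholders).
MANUAL = "sudo /usr/sbin/nginx -s reload"
ANSIBLE_BECOME = (
    "sudo -H -S -n -u root /bin/bash -c "
    "'echo BECOME-SUCCESS-placeholder; /usr/bin/python3 /tmp/AnsiballZ_command.py'"
)

if __name__ == "__main__":
    for label, cmd in (("manual", MANUAL), ("ansible", ANSIBLE_BECOME)):
        print(f"{label:8s} -> {sudo_decision(RULES, 'deploy', cmd)}")
```

Run stand-alone it reports `manual -> run` and `ansible -> fail`: the hand-typed reload is the exact argv the NOPASSWD entry lists, while the argv sudo sees from Ansible is `/bin/bash -c '...'`, which only the password-requiring `ALL` entry matches, and with `-n` sudo refuses instead of prompting, which is the condition Ansible surfaces as its missing become password error. The same model shows why an entry for `/bin/chmod` does nothing for a module that calls os.chmod(): that call never produces a second sudo invocation, so the only argv sudo ever evaluates is the interpreter wrapper.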
[ansible-project] Allowed specific commands with NOPASSWD in sudoers file, Ansible complains...
Right now, sudo does not require a password. I edited my sudoers file so that it requires a password for everything except a few commands which Ansible runs during a deployment (using the ansible 'command' plugin). However, when Ansible tries to run this command with sudo:true, I get the "Missing become password" error.

I can sudo this command without a password while logged in to the machine no problem, so it seems my sudoers file is correctly working. Looks like Ansible is maybe doing some internal "does sudo require a password" check prior?

To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/df56193e-7b83-4c17-86a7-dc2eeb70d3ad%40googlegroups.com.
Re: [ansible-project] Allowed specific commands with NOPASSWD in sudoers file, Ansible complains...
no, the issue is that ansible does not support fine grained sudo permissions, it executes a python file which might execute the commands you see, but the sudo wraps the entire thing, not just the command.

-- 
Brian Coca

To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/CAJ5XC8nmpnYjGRPnzyitMc8XXTNyhvezpx8xZz%3D3MAgnCri%2BuA%40mail.gmail.com.