6

I have a server where my user is able to sudo to the root user without a password, and then the root user can sudo to a third user without a password. However, my user cannot sudo directly to the third user without a password.

Ansible's become directive uses sudo in the traditional manner, i.e. the one that requires prompting for my password.

I've tried putting become_user: root on a block and become_user: <other-user> on a task inside that block, but it appears Ansible overrides the block's definition, rather than nesting the sudo calls as I hoped.

Note: this question has also been asked on StackOverflow, but since there's no solution I figured I would repost it here, which I think is the better site for it.

Xiong Chiamiov

4 Answers

2

I met the same situation. I have login1 for my machine, passwordless sudo, and login2, under which I should perform some actions. I did not solve it by Ansible means, but I made the following workaround:

- name: "Install nvm"
  shell: sudo -u buildkite-agent bash -c "<my commands to be performed on behalf of buildkite-agent>"
  become: true

Note that a task like this:

- name: "Install nvm"
  shell: sudo -u buildkite-agent <my commands to be performed on behalf of buildkite-agent>
  become: true

does not change home to buildkite-agent's home, i.e. it uses /root as home.

chicks
Dzenly
1

Become super user at the play level and become another user at the task level:

- hosts: all
  become: yes
  tasks:

    - file:
        path: /tmp/test
        state: touch
      become_user: www-data

Validation:

$ ls -l /tmp | grep test
-rw-r--r-- 1 www-data www-data    0 Mär 10 14:08 test

For very simple cases, a workaround like the following could also help, but this doesn't really scale, as you cannot use ansible modules with this strategy:

- name: test
  command: "sudo -u www-data whoami"
  become: true

Output (extract): "stdout": "www-data"

Vincenzo Pii
  • I tried your first suggestion (as well as a similar thing with a block), but it appears Ansible overrides the commands rather than nesting them (so it essentially replaces sudo -u root with sudo -u www-data, rather than nesting them to create sudo -u root sudo -u www-data). I think that manual adjustments using command/shell and careful permissioning with the files module is the only way this is possible currently in Ansible. – Xiong Chiamiov Mar 12 '18 at 21:37
  • @XiongChiamiov, strange, that worked for me (as you can see from the ls -l /tmp command). I am using ansible 2.4.2.0. But, don't you have passwordless sudo for your ansible_user? – Vincenzo Pii Mar 13 '18 at 12:27
  • The ansible_user has passwordless sudo to the root account, but not to the tertiary account (www-data in your example). – Xiong Chiamiov Mar 19 '18 at 16:36
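An added example (not from any answer above) that combines the two workarounds discussed here: let Ansible's own become handle ansible_user -> root, then call sudo -u yourself for the third user, passing -H so HOME is the third user's home rather than /root, and verify the result. It assumes the third user is www-data and that the root -> www-data sudoers rule is passwordless, as described in the question; the task names and file path are made up for the example.

```yaml
# Added example, not from any answer on this page. Assumes ansible_user -> root and
# root -> www-data are both passwordless in sudoers, as in the question.
- hosts: all
  become: true            # Ansible's own sudo: ansible_user -> root
  become_user: root
  vars:
    target_user: www-data
  tasks:
    - name: Run a command as the third user via a nested sudo (root -> www-data)
      # -H sets HOME to the target user's home; without it HOME stays /root,
      # which is the problem noted in the first answer. The command is passed
      # as one argument to bash -c so root's shell does not expand it first.
      shell: sudo -u {{ target_user }} -H bash -c 'echo "$(id -un) $HOME"'
      register: nested
      changed_when: false

    - name: Verify the nested sudo actually switched user and HOME
      assert:
        that:
          - nested.stdout.split()[0] == target_user
          - nested.stdout.split()[1] != '/root'
        fail_msg: "nested sudo did not switch user or HOME: {{ nested.stdout }}"

    - name: Create a file with a module as root, then hand ownership to the third user
      # Modules run as root in this play; set ownership explicitly instead of
      # relying on become_user, which sudoers does not allow for ansible_user -> www-data.
      copy:
        dest: /tmp/nested-sudo-test
        content: "created as root, owned by {{ target_user }}\n"
        owner: "{{ target_user }}"
        group: "{{ target_user }}"
        mode: "0640"
```

Only plain shell commands go through the nested sudo; anything that needs an Ansible module runs as root with ownership and mode fixed explicitly, as the comment thread above notes.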
0

What I did that worked for me:

- name: launch pg_ctl start
  command: "su <USER> -l -c '<COMMAND>'"
  become: yes
  become_exe: sudo

PS: With su -l, it automatically loads .bash_profile and not .bashrc.

Thronghar
-1

For example, if you want to create a file you can use:

- name: Create file
  shell: "touch abc"
  become_user: <username>
  become: yes

This is equivalent to: sudo su username -c "touch abc"

    No, it's equivalent to "sudo -u username", which as stated in the question is slightly but importantly different. – Xiong Chiamiov Mar 12 '18 at 16:47
  • When you run the above mentioned Ansible, the file abc will be created by user mentioned in the username variable – user7155093 Mar 12 '18 at 17:05
  • Right, but you're missing the main point of the question, which is that the sudoers configuration does not allow the default ansible user to sudo directly to the final user. – Xiong Chiamiov Mar 12 '18 at 21:33