On the remote server client-01, if I log in as user foo I can see that
sudo is not giving me access to create file /etc/testfile, and that it
does for user bar.
This looks like a configuration issue with sudo for user foo.
[root@client-01 ~]# su - foo
[foo@client-01 ~]$ sudo -l
[sudo] password for foo:
User foo may run the following commands on this host:
(bar) ALL
[foo@client-01 ~]$ sudo touch /etc/testfile
Sorry, user foo is not allowed to execute '/bin/touch /etc/testfile' as root on client-01.
[foo@client-01 ~]$ exit
logout
[root@client-01 ~]# su - bar
[bar@client-01 ~]$ sudo -l
User bar may run the following commands on this host:
(ALL) NOPASSWD: ALL
[bar@client-01 ~]$ sudo touch /etc/testfile
[bar@client-01 ~]$ sudo rm /etc/testfile
[bar@client-01 ~]$ exit
logout
So, user bar can run commands as the root user and user foo cannot.
But I cannot connect as user bar because the only account with SSH keys
set up is user foo.
How do other people handle the SSH user and the user with root sudo access
being different?
Does everyone use the same user account on remote servers for the SSH
connection and the sudo as root user?
Thanking you for your time.
On Thursday, 15 January 2015 17:14:44 UTC, Brian Coca wrote:
>
> First, the following line shows you should not need a password for
> doing sudo as 'foo'
> >foo ALL=(bar) NOPASSWD: ALL
>
> In your command you are implying a double sudo while ansible only does
> one.
>
> ansible can connect as a remote user 'foo' and then use sudo to run a
> command as another user 'bar', to have that command also be sudo, you
> need to add that yourself, or allow 'foo' to sudo as root.
>
> For example, I believe this is what you want (with your inventory
> configured for remote user being 'foo' and sudo user being 'bar'):
>
> ansible client-01 -m raw -a "sudo touch /etc/testfile"
>
> except it won't work, as ansible won't prompt you for the sudo
> password for 'bar' only for 'foo', which does not need one, but the
> reverse would work.
>
> foo ALL=(bar) ALL
> bar ALL=(ALL) NOPASSWD: ALL
>
> with this ansible can use the password prompt for 'foo' and then you
> can sudo to root from bar w/o a password.
>
> --
> Brian Coca
>
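An added example, not part of the original thread: a small audit script run over the two rule sets discussed above. It shows that in both of them foo reaches root in two sudo hops, and which hop asks for the invoking user's password. It handles only the simple "user host=(runas) [NOPASSWD:] ALL" form; the function names and sample data are constructed for illustration.

```python
import re
from collections import deque

# Constructed sample data: the two sudoers rule sets from the thread.
CURRENT = """
foo ALL=(bar) NOPASSWD: ALL
bar ALL=(ALL) NOPASSWD: ALL
"""
SUGGESTED = """
foo ALL=(bar) ALL
bar ALL=(ALL) NOPASSWD: ALL
"""

# Simplified subset of sudoers syntax: user host=(runas) [NOPASSWD:] command
RULE = re.compile(r"^(\S+)\s+\S+\s*=\s*\(([^)]*)\)\s*(NOPASSWD:)?\s*(.+)$")

def parse(text):
    """Return {user: [(runas_user, needs_password)]} for rules granting ALL commands."""
    rules = {}
    for line in text.splitlines():
        m = RULE.match(line.split("#", 1)[0].strip())
        if not m or m.group(4).strip() != "ALL":
            continue  # blank, comment, or a command-restricted rule
        user, runas, nopasswd, _ = m.groups()
        # Drop an optional ":group" part, then split the runas user list.
        for target in (t.strip() for t in runas.split(":")[0].split(",")):
            rules.setdefault(user, []).append((target, nopasswd is None))
    return rules

def path_to_root(rules, start):
    """Breadth-first search over runas hops.

    Returns a list of (from_user, to_user, needs_password) hops ending at
    root, or None if no chain of unrestricted rules reaches root.
    """
    queue, seen = deque([(start, [])]), {start}
    while queue:
        user, path = queue.popleft()
        for target, needs_pw in rules.get(user, []):
            if target in ("ALL", "root"):
                return path + [(user, "root", needs_pw)]
            if target not in seen:
                seen.add(target)
                queue.append((target, path + [(user, target, needs_pw)]))
    return None

if __name__ == "__main__":
    for name, text in (("current", CURRENT), ("suggested", SUGGESTED)):
        print(name, path_to_root(parse(text), "foo"))
```

A two-hop result means the SSH account is root-equivalent in practice even though "sudo -l" for foo never mentions root.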