As @BrianCoca mentioned, I am afraid I need unrestricted sudo access to run
Ansible.
From the docs it is kinda hard to understand
that:
https://docs.ansible.com/ansible/latest/user_guide/become.html#can-t-limit-escalation-to-certain-commands
It might be just me, but I do not quite get it.
On Friday, 28 September 2018 20:39:24 UTC+3, Nicola Apicella wrote:
>
> It does have sudo access, but it is restricted, namely it cannot use exec
> /bin/sh.
> So if I do:
> napicella@localhost > ssh blablahost
> napicella@blalahost> sudo cp /tmp/a > /etc/yum.repos.d/a
>
> This works as expected; what does not work is:
>
> napicella@blalahost> sudo /bin/bash -c 'cp /tmp/a > /etc/yum.repos.d/a'
> Sorry user napicella is not allowed to execute /bin/bash .....
>
> which appears to be exactly what Ansible does when the become property
> is set in the playbook task
>
> On Friday, 28 September 2018 20:32:25 UTC+3, Karthik Chandrashekar wrote:
>>
>> Well, has that user been given sudo rights on the remote machine? If so,
>> could you check whether you are able to log in as that user and execute the
>> same task manually without Ansible?
>>
>> On Friday, September 28, 2018 at 10:58:44 PM UTC+5:30, Nicola Apicella
>> wrote:
>>>
>>> I am running the playbook without specifying a user:
>>>
>>> ansible-playbook --ask-become-pass -vvv test-playbook
>>>
>>> Running the command with the -u flag does not change the error:
>>>
>>> ansible-playbook -u napicella --ask-become-pass -vvv test-playbook
>>>
>>> where napicella is a user on both the local machine and the remote
>>> one
>>>
>>> On Friday, 28 September 2018 20:08:28 UTC+3, Karthik Chandrashekar wrote:
>>>>
>>>> What is the username you are trying to connect as?
>>>>
>>>> On Friday, September 28, 2018 at 10:06:32 PM UTC+5:30, Nicola Apicella
>>>> wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> I am sorry for the newbie question. I've just started looking into
>>>>> Ansible, but I did not find any info in the docs or anywhere else that
>>>>> could help me find a resolution.
>>>>> I have a bunch of hosts on which I have sudo access.
>>>>> *>sudo whoami*
>>>>> *root*
>>>>>
>>>>> But I do not have permission to run
>>>>> *> sudo /bin/sh -c echo "Hello!"*
>>>>> *Sorry, user some-user is not allowed to execute '/bin/sh -c echo
>>>>> Hello world' as root on blabahost.*
>>>>>
>>>>> This is blocking me from executing a simple playbook which copies
>>>>> files under /etc/yum.repos.d
>>>>> The playbook looks like this:
>>>>>
>>>>> ---
>>>>> - name: test-pl
>>>>>   hosts: blablahost
>>>>>
>>>>>   tasks:
>>>>>     - name: test
>>>>>       become: yes
>>>>>       become_method: sudo
>>>>>       copy:
>>>>>         content: ""
>>>>>         dest: /etc/yum.repos.d/a
>>>>>         force: no
>>>>>         group: root
>>>>>         owner: root
>>>>>         mode: 0555
>>>>>
>>>>> The error I get is basically the same one mentioned above. My user is
>>>>> not allowed to execute /bin/sh as root.
>>>>>
>>>>> blablahost | FAILED! => {
>>>>> "changed": false,
>>>>> "module_stderr": "Shared connection to blablahost closed.\r\n",
>>>>> "module_stdout": "\r\nSorry, user some-user is not allowed to
>>>>> execute '/bin/sh -c echo BECOME-SUCCESS-rhzefxcamynrooqcpyqppdiqvzlqbmyt;
>>>>> /usr/bin/python
>>>>> /home/some-user/.ansible/tmp/ansible-tmp-1538151353.33-57836367165837/command.py'
>>>>>
>>>>> as root on blablahost.\r\n",
>>>>> "msg": "MODULE FAILURE",
>>>>> "rc": 1
>>>>> }
>>>>>
>>>>> The problem could be fixed if Ansible allowed starting bash as
>>>>> a normal user and then running the copy command with sudo.
>>>>> Basically, avoiding executing /bin/sh as root.
>>>>> Are you aware of a workaround for this case? Or am I missing something?
>>>>>
>>>>>
>>>>> Thanks in advance.
>>>>> -Nicola
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
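
A triage helper for the failure quoted in this thread, added here as an example (not code from the posters or from the Ansible project): it parses an Ansible failure record, finds sudo's "not allowed to execute" message and reports whether the denied command was Ansible's own `/bin/sh -c` become wrapper rather than a task command. The function name `diagnose` and the sample record, assembled from the values in the quoted error, are constructed for illustration.

```python
import json
import re

# sudo's denial message, in the form quoted in the thread.
DENIED = re.compile(
    r"Sorry, user (?P<user>\S+) is not allowed to execute "
    r"'(?P<cmd>.+?)' as (?P<runas>\S+) on (?P<host>\S+?)\.\s*$",
    re.DOTALL,
)
# Marker Ansible echoes inside the escalated shell (visible in the thread's error).
BECOME_MARKER = re.compile(r"\bBECOME-SUCCESS-[a-z]+")


def diagnose(failure_text):
    """Return details of a sudo policy denial in an Ansible failure, or None."""
    _, sep, body = failure_text.partition(" => ")
    if not sep:
        return None
    try:
        result = json.loads(body)
    except ValueError:
        return None
    match = DENIED.search(result.get("module_stdout", ""))
    if match is None:
        return None
    cmd = match.group("cmd")
    return {
        "user": match.group("user"),
        "runas": match.group("runas"),
        "host": match.group("host"),
        "denied_executable": cmd.split(None, 1)[0],
        # True: sudoers rejected Ansible's shell wrapper, not a task command.
        "become_wrapper": BECOME_MARKER.search(cmd) is not None,
    }


# Constructed sample: the failure from the thread, joined back onto one line.
SAMPLE = (
    r'blablahost | FAILED! => {"changed": false, "msg": "MODULE FAILURE", "rc": 1, '
    r'"module_stderr": "Shared connection to blablahost closed.\r\n", '
    r'"module_stdout": "\r\nSorry, user some-user is not allowed to execute '
    r"'/bin/sh -c echo BECOME-SUCCESS-rhzefxcamynrooqcpyqppdiqvzlqbmyt; "
    r"/usr/bin/python /home/some-user/.ansible/tmp/"
    r"ansible-tmp-1538151353.33-57836367165837/command.py' as root on blablahost."
    r'\r\n"}'
)

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

A result with `become_wrapper` set to true means the sudoers policy rejected the shell wrapper itself, which is the limitation the linked become documentation describes.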