*Hi Luca, thanks for replying. Here's the data you requested:*

*Here's the output of 'sudo -l' for user1:*
[user1@server1 ~]$ sudo -l
Matching Defaults entries for user1 on server1:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME
    HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
    LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User user1 may run the following commands on server1:
    (ALL) NOPASSWD: /bin/su - admin1
[user1@server1 ~]$


*And here it is for the admin1 user:*
[admin1@server1 ~]$ sudo -l
Matching Defaults entries for admin1 on server1:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME
    HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
    LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User admin1 may run the following commands on server1:
    (ALL) NOPASSWD: ALL, !/bin/sh, !/bin/ksh, !/bin/bash, !/bin/zsh, !/bin/csh, !/bin/tcsh, !/usr/bin/login, !/usr/bin/su,
        !/etc/sudoers, !/bin/su, !/usr/sbin/visudo, !/sbin/shutdown, !/sbin/reboot, !/sbin/init, !/usr/bin/shutdown -h now,
        !/usr/bin/halt, !/usr/bin/poweroff, !/usr/bin/mount -o nosuid\,nodev\,noexec, !/usr/bin/umount, !/sbin/fdisk,
        !/usr/sbin/format, !/usr/bin/dd, !/usr/bin/rlogin, !/etc/init.d/iptables, !/usr/bin/exportfs, !/sbin/pvs, !/sbin/lvs,
        !/sbin/vgs, !/sbin/pvscan, !/sbin/pvscan, !/sbin/vgscan, !/sbin/lvscan, !/sbin/lvdisplay, !/sbin/vgdisplay,
        !/sbin/pvdisplay, !/usr/bin/ifenslave, !/usr/bin/ethtool, !/usr/sbin/tcpd, !/usr/sbin/dump, !/usr/sbin/rdump,
        !/usr/sbin/restore, !/usr/sbin/rrestore, !/usr/bin/mt, !/usr/bin/journalctl, !/usr/bin/netctl, !/usr/sbin/syslogd,
        !/usr/bin/finger, !/usr/bin/tty
[admin1@server1 ~]$


--
Thanks,
Zayed.


On Wednesday, May 13, 2020 at 9:41:15 PM UTC+6, Zayed Mahmud wrote:
>
> Hi all,
>
> I have a target server where I have a user, *user1*, who can become 
> another privileged user, *admin1*, without a password, and admin1 can run 
> any command with sudo, like "sudo ls /root" --> works.
>
> So from remote server I can do this:
> *[user1@server1~]$ sudo su - admin1 *--> successful
> *[admin1@server1~]$ sudo ls -l /root/* --> successful
>
> Now, if I try this from ansible, it doesn't work, note that I do not need 
> password to become admin1 from user1 user.
>
> Tried this, failed, while connecting to server1 as user1:
> *$ ansible -i hosts server1 -m shell -a "ls /root/" --become-user admin1 
> --become-method sudo -b*
>
> I receive error like:
>
> <192.168.10.10> ssh_retry: attempt: 5, caught exception(Missing sudo 
> password) from cmd (['ssh', '-vvv', '-C', '-o', 'ControlMaster=auto', '-o', 
> 'ControlPersist=60s', '-o', 'StrictHostKeyChecking=no', '-o', 'Port=22', 
> '-o', 'IdentityFile="/home/user1/ansible-env/user1"', '-o', 
> 'KbdInteractiveAuthentication=no', '-o', 
> 'PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey', 
> '-o', 'PasswordAuthentication=no', '-o', 'User="user1"', '-o', 
> 'ConnectTimeout=10', '-o', 
> 'ControlPath=/home/user1/.ansible/cp/e81f1307f9', '-tt', '192.168.10.10', 
> '/bin/sh -c \'sudo -H -S -n  -u mygpadmin /bin/sh -c \'"\'"\'echo 
> BECOME-SUCCESS-prgmplogeczegkatiwtdoyhjtxaphgrv ; /usr/bin/python 
> /var/tmp/ansible-tmp-1589381399.57-2262637800948/AnsiballZ_command.py\'"\'"\' 
> && sleep 0\'']...), pausing for 15 seconds
> <192.168.10.10> SSH: EXEC ssh -vvv -C -o ControlMaster=auto -o 
> ControlPersist=60s -o StrictHostKeyChecking=no -o Port=22 -o 
> 'IdentityFile="/home/user1/ansible-env/user1"' -o 
> KbdInteractiveAuthentication=no -o 
> PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey 
> -o PasswordAuthentication=no -o 'User="user1"' -o ConnectTimeout=10 -o 
> ControlPath=/home/user1/.ansible/cp/e81f1307f9 -tt 192.168.10.10 '/bin/sh 
> -c '"'"'sudo -H -S -n  -u mygpadmin /bin/sh -c '"'"'"'"'"'"'"'"'echo 
> BECOME-SUCCESS-prgmplogeczegkatiwtdoyhjtxaphgrv ; /usr/bin/python 
> /var/tmp/ansible-tmp-1589381399.57-2262637800948/AnsiballZ_command.py'"'"'"'"'"'"'"'"'
>  
> && sleep 0'"'"''
> Escalation requires password
>
> How can I resolve this issue if I want to become another user and run commands 
> with sudo using ansible/ansible-playbook, but without using a password? As 
> user1, I can run all commands user1 is allowed to.
>
>
> Thanks.
>
> - Zayed.
>
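The sudoers listings in this thread are worth auditing as well as working around. The Python script below is an added example and is not part of the thread or of Ansible: it parses `sudo -l` output (the two listings posted above, with the long Defaults line trimmed, embedded as a constructed sample) into rules and flags the patterns a reviewer would want to see: `NOPASSWD: ALL`, a `!` exclusion list appended to `ALL` (sudoers(5) documents that subtracting commands from ALL this way is not an effective restriction), and a password-less `su` hop to an account whose own sudo rights are unrestricted. The line layout it handles (4-space rule lines, 8-space continuations, `\,` escapes) is what `sudo -l` prints; the severity labels, messages and function names are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the two "sudo -l" outputs from the thread, with the
# long Defaults line trimmed. Backslashes are doubled for the Python literal.
USER1_SUDO_L = """\
Matching Defaults entries for user1 on server1:
    !visiblepw, always_set_home, env_reset, secure_path=/sbin\\:/bin\\:/usr/sbin\\:/usr/bin

User user1 may run the following commands on server1:
    (ALL) NOPASSWD: /bin/su - admin1
"""

ADMIN1_SUDO_L = """\
Matching Defaults entries for admin1 on server1:
    !visiblepw, always_set_home, env_reset, secure_path=/sbin\\:/bin\\:/usr/sbin\\:/usr/bin

User admin1 may run the following commands on server1:
    (ALL) NOPASSWD: ALL, !/bin/sh, !/bin/bash, !/usr/bin/su, !/etc/sudoers,
        !/bin/su, !/usr/sbin/visudo, !/usr/bin/mount -o nosuid\\,nodev\\,noexec,
        !/usr/bin/dd
"""


@dataclass
class SudoRule:
    user: str
    runas: str
    tags: list       # e.g. ["NOPASSWD"]
    commands: list   # (negated, command) pairs in sudoers order


def split_commands(spec):
    """Split a sudoers command list on ',' while keeping '\\,' escapes intact."""
    parts, buf, i = [], "", 0
    while i < len(spec):
        ch = spec[i]
        if ch == "\\" and i + 1 < len(spec):   # escaped character: copy both
            buf += spec[i:i + 2]
            i += 2
            continue
        if ch == ",":
            parts.append(buf.strip())
            buf = ""
        else:
            buf += ch
        i += 1
    if buf.strip():
        parts.append(buf.strip())
    return parts


HEADER = re.compile(r"^User (\S+) may run the following commands on \S+:")
RULE = re.compile(r"^\((?P<runas>[^)]*)\)\s*(?P<rest>.*)$")
TAG = re.compile(r"^([A-Z_]+):\s*")
# "su" to a named user, with or without the login option
SU_CMD = re.compile(r"^(?:/usr)?/bin/su\s+(?:-|-l|--login)?\s*(\S+)$")


def parse_sudo_l(text):
    """Parse 'sudo -l' output into one SudoRule per rule line."""
    rules, user, chunks = [], None, []

    def flush():
        if not chunks:
            return
        m = RULE.match(" ".join(chunks))
        chunks.clear()
        if not m:
            return
        rest, tags = m.group("rest"), []
        while (t := TAG.match(rest)):           # peel off NOPASSWD:, SETENV:, ...
            tags.append(t.group(1))
            rest = rest[t.end():]
        cmds = [(p.startswith("!"), p.lstrip("!")) for p in split_commands(rest)]
        rules.append(SudoRule(user, m.group("runas"), tags, cmds))

    for line in text.splitlines():
        h = HEADER.match(line)
        if h:
            user = h.group(1)
            continue
        if user is None:                         # still in the Defaults section
            continue
        if line.startswith("    ("):             # new rule line
            flush()
            chunks.append(line.strip())
        elif line.startswith("        "):        # continuation of the current rule
            chunks.append(line.strip())
        else:
            flush()
    flush()
    return rules


def audit(rules):
    """Return (severity, user, message) findings for the weak patterns described above."""
    findings, by_user = [], {}
    for r in rules:
        by_user.setdefault(r.user, []).append(r)

    def has_nopasswd_all(u):
        return any("NOPASSWD" in r.tags and (False, "ALL") in r.commands
                   for r in by_user.get(u, []))

    for r in rules:
        allowed = [c for neg, c in r.commands if not neg]
        denied = [c for neg, c in r.commands if neg]
        if "ALL" in allowed and "NOPASSWD" in r.tags:
            findings.append(("HIGH", r.user, "NOPASSWD: ALL grants unrestricted, password-less root"))
        if "ALL" in allowed and denied:
            findings.append(("HIGH", r.user, f"{len(denied)} '!' exclusions after ALL; sudoers(5) "
                             "documents that subtracting commands from ALL is not an effective restriction"))
        for c in allowed:
            m = SU_CMD.match(c)
            if m and "NOPASSWD" in r.tags:
                target = m.group(1)
                msg = f"can become {target} via su without a password"
                sev = "MEDIUM"
                if has_nopasswd_all(target):     # the hop inherits the target's rights
                    sev = "HIGH"
                    msg += f"; {target} has NOPASSWD: ALL, so {r.user} effectively has unrestricted root"
                findings.append((sev, r.user, msg))
    return findings


def audit_thread_sample():
    return audit(parse_sudo_l(USER1_SUDO_L) + parse_sudo_l(ADMIN1_SUDO_L))


if __name__ == "__main__":
    for sev, user, msg in audit_thread_sample():
        print(f"[{sev}] {user}: {msg}")
```

Run it as-is to see the three findings for the sample; for real hosts, capture `sudo -l` for each account and pass the text to parse_sudo_l, then audit the combined rule list so that su hops between accounts are evaluated against the target's own rights.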

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/87120d11-f747-47b5-ad0d-50ce7c872338%40googlegroups.com.
