<https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_privilege_escalation.html#privilege-escalation-must-be-general> Understanding privilege escalation: become — Ansible Documentation<https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_privilege_escalation.html#privilege-escalation-must-be-general> docs.ansible.com<https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_privilege_escalation.html#privilege-escalation-must-be-general> [favicon.ico]<https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_privilege_escalation.html#privilege-escalation-must-be-general>
You cannot limit privilege escalation permissions to certain commands. Ansible does not always use a specific command to do something but runs modules (code) from a temporary file name which changes every time. Walter -- Walter Rowe, Division Chief Infrastructure Services, OISM Mobile: 202.355.4123 On Jan 24, 2023, at 8:01 AM, 'Rowe, Walter P. (Fed)' via Ansible Project <ansible-project@googlegroups.com> wrote: Aha! Good observation. Perhaps he should NOT "become: true" and instead include "sudo rootsh" as part of his command? Walter -- Walter Rowe, Division Chief Infrastructure Services, OISM Mobile: 202.355.4123 On Jan 24, 2023, at 7:51 AM, Todd Lewis <uto...@gmail.com> wrote: Something feels not quite right with that answer. You only got the "Timeout (12s) waiting for privilege escalation prompt" timeout when you used become_exe: "sudo rootsh", which of course will never work because there is no executable named "sudo rootsh". The other times, you were just disconnected. I believe this wasn't because it expected no-password sudo to work, but rather because testuser has only a limited set of commands it's allowed to run under sudo. These were listed in the output of "sudo -l" previously. One thing you might try is setting "become_flags: rootsh". I know it's not really a flag, but we're trying to get sudo to run rootsh — I'm guessing, based on what you showed us already. I don't really expect it to work, but its failure may provide more information. More generally, to do Ansible right, your connecting user needs sudo capability to run any command, regardless of whether a sudo password is required. There are four distinct issues that must be considered: connection, privilege escalation, authorization, and execution. Any of those may have distinct authentication components. It can be difficult to discern which one is thwarting success. On Monday, January 23, 2023 at 8:35:20 AM UTC-5 saravan....@gmail.com wrote: Yes Walter, you are right. I am passing the root password ( --ask-become-pass ) as part of the ansible playbook execution cmd. Here my ssh user pwd and root pwd are the same. ansible-playbook -i hosts testroot.yaml -e "host=host.iil.corp.com<https://gcc02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fhost.iil.corp.com%2F&data=05%7C01%7Cwalter.rowe%40nist.gov%7C94ea9f0f994c485317eb08dafe0b2063%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C638101620985812625%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=b4HllpmeedKcukb48Hd%2FV18Ha0m2kTiYR7bAjR10ta8%3D&reserved=0>" --ask-become-pass -k [DEPRECATION WARNING]: Ansible will require Python 3.8 or newer on the controller starting with Ansible 2.12. Current version: 3.6.15 (default, Sep 15 2021, 14:20:42) [GCC]. This feature will be removed from ansible-core in version 2.12. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg. SSH password: BECOME password[defaults to SSH password]: On Mon, Jan 23, 2023 at 6:52 PM 'Rowe, Walter P. (Fed)' via Ansible Project <ansible...@googlegroups.com> wrote: Authenticate with testuser's password: THIS .. you had to authenticate .. the ansible playbook is also "waiting to authenticate" the sudo for testuser (become: true). That is timing out because it expects to have sudo rights without requiring a password. Walter -- Walter Rowe, Division Chief Infrastructure Services, OISM Mobile: 202.355.4123<tel:(202)%20355-4123> On Jan 23, 2023, at 7:20 AM, saravanan jothilingam <saravan....@gmail.com> wrote: Hi, I get this output when I run 'sudo -l'. I used ansible_user=testuser in the host inventory file to connect to the remote server. testhost> sudo -l Subject to Corporate's Global Employee and Global Contingent Worker Privacy Notices (see https://employeecontent.Corporate.com/content/corp/Global_Employee_and_Global_Contingent_Worker_Privacy.html<https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Femployeecontent.corporate.com%2Fcontent%2Fcorp%2FGlobal_Employee_and_Global_Contingent_Worker_Privacy.html&data=05%7C01%7Cwalter.rowe%40nist.gov%7C94ea9f0f994c485317eb08dafe0b2063%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C638101620985812625%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=Da2FZcERPjNs%2B7Il2cyI1CSLPxpAclu1%2FmLb0IMR828%3D&reserved=0> ) all system access and delegated/privileged activity on the Corporate network may be logged for auditing and security purposes, including your username and commands used. Log records may be retained for up to 1 year. We trust you have received the usual lecture from the local System Administrator. It usually boils down to these three things: #1) Respect the privacy of others. #2) Think before you type. #3) With great power comes great responsibility. Remember you may use 'sudo -l' to review a list of authorized commands. Authenticate with testuser's password: Matching Defaults entries for testuser on testhost: syslog=local3, !set_home, !targetpw, !insults, mailto=alert-sudo, !mail_always, ignore_dot, timestamp_timeout=5, listpw=always, !lecture_file, passprompt="Authenticate with %u's password: ", always_set_home, !env_reset, umask_override, !root_sudo, !tty_tickets, fqdn, listpw=always, env_delete+=USER_ITOOLS, env_delete+=PROJECT_ITOOLS, env_delete+=KRB5CCNAME, env_delete+=XAUTHORITY, lecture=always, lecture_file=/nfs/site/gen/adm/ec_global/sudo.lecture, passprompt="Authenticate with %u's password: ", always_set_home, !env_reset, umask_override, !root_sudo, !tty_tickets, fqdn, listpw=always, env_delete+=USER_ITOOLS, env_delete+=PROJECT_ITOOLS, env_delete+=KRB5CCNAME User testuser may run the following commands on testhost: (root) /usr/Corporate/bin/rootsh, /usr/Corporate/bin/rootsh2, /usr/Corporate/bin/rootsh1 (root) NOPASSWD: /usr/Corporate/common/pkgs/vas-helper/1.0/exe/*/idchange (root) NOPASSWD: /usr/Corporate/common/pkgs/vas-helper/1.0/bin/krb-helper (root) /bin/cat /var/log/messages, /usr/bin/cat /var/log/messages, /bin/dmesg (kerberostest) NOPASSWD: /usr/bin/sudo /bin/date, /usr/bin/sudo -l, /usr/Corporate/bin/sudo /bin/date, /usr/Corporate/bin/sudo -l (root) NOPASSWD: /nfs/iil/gen/adm/netbatch/util/nbconfig/nbconfig (root) NOPASSWD: /nfs/iil/gen/adm/nbtools/bin/nblock.pl<https://gcc02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fnblock.pl%2F&data=05%7C01%7Cwalter.rowe%40nist.gov%7C94ea9f0f994c485317eb08dafe0b2063%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C638101620985812625%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=DHWtHz4A%2Fv5e6nL8%2B3L2bi6gTH6g1JY21wDhdScxxPQ%3D&reserved=0> (root) NOPASSWD: /nfs/iil/local/common/bin/lsdir.amd (root) NOPASSWD: /usr/local/common/bin/lsdir.amd (profusr) NOPASSWD: /nfs/site/gen/itec/profiling/utils/profiler/profiler_post, /nfs/site/gen/itec/profiling/utils/profiler/benchmarking_post (root) NOPASSWD: /usr/Corporate/common/pkgs/acctusers/CURRENT/bin/acctusers (root) NOPASSWD: /usr/Corporate/common/pkgs/acctusers/1.1/bin/acctusers (root) /nfs/site/gen/adm/ec_global/customerSudo/SLES12SP2upgrader.sh (root) NOPASSWD: /nfs/site/gen/adm/emulation/Global/scripts/virt_modules/startVirt.sh, /p/emulation/virt_modules/startVirt.sh, /p/emulation/virt_modules/start_virt (root) NOPASSWD: /usr/Corporate/common/pkgs/vas-helper/1.0/bin/krb-helper (root) NOPASSWD: /usr/Corporate/common/pkgs/vas-helper/1.0/exe/*/idchange testhost> On Mon, Jan 23, 2023 at 5:25 PM Todd Lewis <uto...@gmail.com> wrote: What's the output from sudo -l on that host (as per the task "Get current user on remote" message)? On 1/23/23 1:10 AM, saravanan jothilingam wrote: No luck :-( I tried this use case with 2 attempts. For both the cases, the password is not taken at the ansible playbook execution time. i get the below error msg. Note - In the ansible.cfg, i have set timeout = 300. Are there any extra parameters which I need to set here ? Attempt-1: cat testroot.yaml --- - hosts: '{{ host }}' gather_facts: yes tasks: - name: Get current user on remote ansible.builtin.shell: | whoami become: true register: out - debug: msg: "{{ out }}" vmansible01:/home/testuser/access_audit_automation_jan172023 # ansible-playbook -i hosts testroot.yaml -e "host=hostname.corp.domain.com<https://gcc02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fhostname.corp.domain.com%2F&data=05%7C01%7Cwalter.rowe%40nist.gov%7C94ea9f0f994c485317eb08dafe0b2063%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C638101620985812625%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=OOIs82XF6iXSyoYGkM4sm268n82KmbcGF%2FAF9Xiqadw%3D&reserved=0>" --ask-become-pass -k [DEPRECATION WARNING]: Ansible will require Python 3.8 or newer on the controller starting with Ansible 2.12. Current version: 3.6.15 (default, Sep 15 2021, 14:20:42) [GCC]. This feature will be removed from ansible-core in version 2.12. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg. SSH password: BECOME password[defaults to SSH password]: PLAY [hostname.corp.domain.com<https://gcc02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fhostname.corp.domain.com%2F&data=05%7C01%7Cwalter.rowe%40nist.gov%7C94ea9f0f994c485317eb08dafe0b2063%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C638101620985812625%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=OOIs82XF6iXSyoYGkM4sm268n82KmbcGF%2FAF9Xiqadw%3D&reserved=0>] ************************************************************************************************ TASK [Gathering Facts] ****************************************************************************************************** [WARNING]: Platform linux on host hostname.corp.domain.com<https://gcc02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fhostname.corp.domain.com%2F&data=05%7C01%7Cwalter.rowe%40nist.gov%7C94ea9f0f994c485317eb08dafe0b2063%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C638101620985812625%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=OOIs82XF6iXSyoYGkM4sm268n82KmbcGF%2FAF9Xiqadw%3D&reserved=0> is using the discovered Python interpreter at /usr/bin/python, but future installation of another Python interpreter could change the meaning of that path. See https://docs.ansible.com/ansible-core/2.11/reference_appendices/interpreter_discovery.html<https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.ansible.com%2Fansible-core%2F2.11%2Freference_appendices%2Finterpreter_discovery.html&data=05%7C01%7Cwalter.rowe%40nist.gov%7C94ea9f0f994c485317eb08dafe0b2063%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C638101620985812625%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=R%2Fx%2FueSd7YH8VBDGGlNkzFcVqLrUbYqXsyuNc3AmRCk%3D&reserved=0> for more information. ok: [hostname.corp.domain.com<https://gcc02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fhostname.corp.domain.com%2F&data=05%7C01%7Cwalter.rowe%40nist.gov%7C94ea9f0f994c485317eb08dafe0b2063%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C638101620985812625%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=OOIs82XF6iXSyoYGkM4sm268n82KmbcGF%2FAF9Xiqadw%3D&reserved=0>] TASK [Get current user on remote] ******************************************************************************************* fatal: [hostname.corp.domain.com<https://gcc02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fhostname.corp.domain.com%2F&data=05%7C01%7Cwalter.rowe%40nist.gov%7C94ea9f0f994c485317eb08dafe0b2063%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C638101620985812625%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=OOIs82XF6iXSyoYGkM4sm268n82KmbcGF%2FAF9Xiqadw%3D&reserved=0>]: FAILED! => {"changed": false, "module_stderr": "Shared connection to hostname.corp.domain.com<https://gcc02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fhostname.corp.domain.com%2F&data=05%7C01%7Cwalter.rowe%40nist.gov%7C94ea9f0f994c485317eb08dafe0b2063%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C638101620985969883%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=zKxrVzYw9kfHLnc7EBF2Z3BjNZtCFcfiZNrUkpYrIc4%3D&reserved=0> closed.\r\n", "module_stdout": "Subject to Corp's Global Employee and Global Contingent Worker Privacy Notices\r\n(see https://employeecontent.corp.com/content/corp/Global_Employee_and_Global_Contingent_Worker_Privacy.html<https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Femployeecontent.corp.com%2Fcontent%2Fcorp%2FGlobal_Employee_and_Global_Contingent_Worker_Privacy.html&data=05%7C01%7Cwalter.rowe%40nist.gov%7C94ea9f0f994c485317eb08dafe0b2063%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C638101620985980556%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=evd7v%2BEcvLEFZybtsKWz1AHdcNyvDBqLzy%2BIWSlRR%2Bc%3D&reserved=0> )\r\nall system access and delegated/privileged activity on the Corp network\r\nmay be logged for auditing and security purposes, including your username \r\nand commands used. Log records may be retained for up to 1 year.\r\n\r\nWe trust you have received the usual lecture from the local System\r\nAdministrator. It usually boils down to these three things:\r\n\r\n #1) Respect the privacy of others.\r\n #2) Think before you type.\r\n #3) With great power comes great responsibility.\r\n\r\nRemember you may use 'sudo -l' to review a list of authorized commands.\r\n\r\n\r\n", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1} PLAY RECAP ****************************************************************************************************************** hostname.corp.domain.com<https://gcc02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fhostname.corp.domain.com%2F&data=05%7C01%7Cwalter.rowe%40nist.gov%7C94ea9f0f994c485317eb08dafe0b2063%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C638101620985980556%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=mHStBYGxtfE0dFVRfuS1UPEkX7650RDD9s4FSa84gS4%3D&reserved=0> : ok=1 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Attempt-2: --- - hosts: '{{ host }}' gather_facts: yes tasks: - name: Get current user on remote ansible.builtin.shell: | whoami become: true become_method: sudo become_exe: "sudo rootsh" become_flags: -i register: out - debug: msg: "{{ out }}" ansible-playbook -i hosts testroot.yaml -e "host=hostname.corp.domain.com<https://gcc02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fhostname.corp.domain.com%2F&data=05%7C01%7Cwalter.rowe%40nist.gov%7C94ea9f0f994c485317eb08dafe0b2063%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C638101620985980556%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=mHStBYGxtfE0dFVRfuS1UPEkX7650RDD9s4FSa84gS4%3D&reserved=0>" --ask-become-pass -k [DEPRECATION WARNING]: Ansible will require Python 3.8 or newer on the controller starting with Ansible 2.12. Current version: 3.6.15 (default, Sep 15 2021, 14:20:42) [GCC]. This feature will be removed from ansible-core in version 2.12. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg. SSH password: BECOME password[defaults to SSH password]: PLAY [hostname.corp.domain.com<https://gcc02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fhostname.corp.domain.com%2F&data=05%7C01%7Cwalter.rowe%40nist.gov%7C94ea9f0f994c485317eb08dafe0b2063%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C638101620985980556%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=mHStBYGxtfE0dFVRfuS1UPEkX7650RDD9s4FSa84gS4%3D&reserved=0>] ************************************************************************************************ TASK [Get current user on remote] ******************************************************************************************* fatal: [hostname.corp.domain.com<https://gcc02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fhostname.corp.domain.com%2F&data=05%7C01%7Cwalter.rowe%40nist.gov%7C94ea9f0f994c485317eb08dafe0b2063%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C638101620985980556%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=mHStBYGxtfE0dFVRfuS1UPEkX7650RDD9s4FSa84gS4%3D&reserved=0>]: FAILED! => {"changed": false, "module_stderr": "Shared connection to hostname.corp.domain.com<https://gcc02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fhostname.corp.domain.com%2F&data=05%7C01%7Cwalter.rowe%40nist.gov%7C94ea9f0f994c485317eb08dafe0b2063%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C638101620985980556%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=mHStBYGxtfE0dFVRfuS1UPEkX7650RDD9s4FSa84gS4%3D&reserved=0> closed.\r\n", "module_stdout": "Subject to Corp's Global Employee and Global Contingent Worker Privacy Notices\r\n(see https://employeecontent.corp.com/content/corp/Global_Employee_and_Global_Contingent_Worker_Privacy.html<https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Femployeecontent.corp.com%2Fcontent%2Fcorp%2FGlobal_Employee_and_Global_Contingent_Worker_Privacy.html&data=05%7C01%7Cwalter.rowe%40nist.gov%7C94ea9f0f994c485317eb08dafe0b2063%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C638101620985980556%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=evd7v%2BEcvLEFZybtsKWz1AHdcNyvDBqLzy%2BIWSlRR%2Bc%3D&reserved=0> )\r\nall system access and delegated/privileged activity on the Corp network\r\nmay be logged for auditing and security purposes, including your username \r\nand commands used. Log records may be retained for up to 1 year.\r\n\r\nWe trust you have received the usual lecture from the local System\r\nAdministrator. It usually boils down to these three things:\r\n\r\n #1) Respect the privacy of others.\r\n #2) Think before you type.\r\n #3) With great power comes great responsibility.\r\n\r\nRemember you may use 'sudo -l' to review a list of authorized commands.\r\n\r\nAuthenticate with testuser's password: \r\nsudo: timed out reading password\r\n", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1} PLAY RECAP ****************************************************************************************************************** hostname.corp.domain.com<https://gcc02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fhostname.corp.domain.com%2F&data=05%7C01%7Cwalter.rowe%40nist.gov%7C94ea9f0f994c485317eb08dafe0b2063%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C638101620985980556%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=mHStBYGxtfE0dFVRfuS1UPEkX7650RDD9s4FSa84gS4%3D&reserved=0> : ok=0 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0 On Fri, Jan 20, 2023 at 7:17 PM 'Rowe, Walter P. (Fed)' via Ansible Project <ansible...@googlegroups.com> wrote: Try leaving off become_exe. If you can run sudo rootsh then your task can use sudo. When you run sudo rootsh at a command prompt does it ask for your password? If so, the ansible task also will have to respond to a password prompt. That is causing your timeout. Walter -- Walter Rowe, Division Chief Infrastructure Services, OISM Mobile: 202.355.4123<tel:(202)%20355-4123> On Jan 20, 2023, at 8:31 AM, saravanan jothilingam <saravan....@gmail.com> wrote: Thanks for your input. In the remote machine, i dont have any permission to edit any files under /etc. In this case, how to achieve the remote node execution using 'sudo rootsh' cmd. On Fri, Jan 20, 2023 at 6:33 PM 'Rowe, Walter P. (Fed)' via Ansible Project <ansible...@googlegroups.com> wrote: In ansible if you have become: true on a task, that task will run with elevated privileges. On Linux the default is to try sudo. You don't need to specify become_exe. Any command given to your shell task will run in a root privileged shell. The user ID you run the playbook as must have login access to the remote system and sudo privilege on the remote system via /etc/sudoers or a file in /etc/sudoers.d. In our environment we have some common files we populate in /etc/sudoers.d based on server function. For example, all servers we manage have a server mgmt id we use for remote mgmt and a special group for our own user IDs when we remote into those machines. We place a file in /etc/sudoers.d that grants our mgmt ID and mgmt group the rights we need. For all database servers our DBA group requires some privileges so we add an /etc/sudoers.d/dba file that controls their privileged access for members of the DBA group members. In your testroot.yaml file you can remove the become_exe line. testroot.yaml --- - hosts: '{{ host }}' gather_facts: yes tasks: - name: Get current user on remote ansible.builtin.shell: | whoami become: true register: out - debug: msg: "{{ out }}" Next you need to make sure your user ID that makes the connection to the remote machine has sudo access that does not require a password. I imagine your sudo command was waiting on a response to a password prompt that was never going to be answered. Walter -- Walter Rowe, Division Chief Infrastructure Services, OISM Mobile: 202.355.4123<tel:(202)%20355-4123> On Jan 20, 2023, at 1:40 AM, saravanan jothilingam <saravan....@gmail.com> wrote: Any update on this? On Thu, Jan 19, 2023 at 8:05 PM saravanan jothilingam <saravan....@gmail.com> wrote: Hi, I am a novice to ansible and am practising to get more hands-on. I am trying one usecase where I need to connect to a remote SLES12 linux server using my id and then switch to root user and execute some tasks. While switching over to root user (cmd: sudo rootsh), it prompts for a root password. When I run this usecase using ansible playbook, it gives the below error. Could you please let me know what would be correct/valid directives (become_*) that I need to use to run the cmd using root user. Appreciate your help. I wrote this playboo testroot.yaml --- - hosts: '{{ host }}' gather_facts: yes tasks: - name: Get current user on remote ansible.builtin.shell: | whoami become: true become_exe: "sudo rootsh" register: out - debug: msg: "{{ out }}" ansible-playbook -i hosts testroot.yaml -e "host=host.iil.corp.com<https://gcc02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fhost.iil.corp.com%2F&data=05%7C01%7Cwalter.rowe%40nist.gov%7C94ea9f0f994c485317eb08dafe0b2063%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C638101620985980556%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=BRFPqQ7u9qJPY9izJD%2B%2Br7l%2FlVU9EKLfdF5xDu9HNvM%3D&reserved=0>" --ask-become-pass -k [DEPRECATION WARNING]: Ansible will require Python 3.8 or newer on the controller starting with Ansible 2.12. Current version: 3.6.15 (default, Sep 15 2021, 14:20:42) [GCC]. This feature will be removed from ansible-core in version 2.12. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg. SSH password: BECOME password[defaults to SSH password]: PLAY [host.iil.corp.com<https://gcc02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fhost.iil.corp.com%2F&data=05%7C01%7Cwalter.rowe%40nist.gov%7C94ea9f0f994c485317eb08dafe0b2063%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C638101620985980556%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=BRFPqQ7u9qJPY9izJD%2B%2Br7l%2FlVU9EKLfdF5xDu9HNvM%3D&reserved=0>] ******************************************************************************************************************************************************************************** TASK [Get current user on remote] *************************************************************************************************************************************************************************** fatal: [host.iil.corp.com<https://gcc02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fhost.iil.corp.com%2F&data=05%7C01%7Cwalter.rowe%40nist.gov%7C94ea9f0f994c485317eb08dafe0b2063%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C638101620985980556%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=BRFPqQ7u9qJPY9izJD%2B%2Br7l%2FlVU9EKLfdF5xDu9HNvM%3D&reserved=0>]: FAILED! => {"msg": "Timeout (12s) waiting for privilege escalation prompt: Subject to Company's Global Employee and Global Contingent Worker Privacy Notices\r\n(see https://employeecontent.corp.com/content/corp/Global_Employee_and_Global_Contingent_Worker_Privacy.html<https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Femployeecontent.corp.com%2Fcontent%2Fcorp%2FGlobal_Employee_and_Global_Contingent_Worker_Privacy.html&data=05%7C01%7Cwalter.rowe%40nist.gov%7C94ea9f0f994c485317eb08dafe0b2063%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C638101620985980556%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=evd7v%2BEcvLEFZybtsKWz1AHdcNyvDBqLzy%2BIWSlRR%2Bc%3D&reserved=0> )\r\nall system access and delegated/privileged activity on the corp network\r\nmay be logged for auditing and security purposes, including your username \r\nand commands used. Log records may be retained for up to 1 year.\r\n\r\nWe trust you have received the usual lecture from the local System\r\nAdministrator. It usually boils down to these three things:\r\n\r\n #1) Respect the privacy of others.\r\n #2) Think before you type.\r\n #3) With great power comes great responsibility.\r\n\r\nRemember you may use 'sudo -l' to review a list of authorized commands.\r\n\r\n"} PLAY RECAP ************************************************************************************************************************************************************************************************** host.iil.corp.com<https://gcc02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fhost.iil.corp.com%2F&data=05%7C01%7Cwalter.rowe%40nist.gov%7C94ea9f0f994c485317eb08dafe0b2063%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C638101620985980556%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=BRFPqQ7u9qJPY9izJD%2B%2Br7l%2FlVU9EKLfdF5xDu9HNvM%3D&reserved=0> : ok=0 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0 -- You received this message because you are subscribed to the Google Groups "Ansible Project" group. To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/CAE7H9qq05ZQ1YcytQQSQmTo_fn0Wo8UAN97WL5iNKtfVSo-uuQ%40mail.gmail.com<https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgroups.google.com%2Fd%2Fmsgid%2Fansible-project%2FCAE7H9qq05ZQ1YcytQQSQmTo_fn0Wo8UAN97WL5iNKtfVSo-uuQ%2540mail.gmail.com%3Futm_medium%3Demail%26utm_source%3Dfooter&data=05%7C01%7Cwalter.rowe%40nist.gov%7C94ea9f0f994c485317eb08dafe0b2063%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C638101620985980556%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=1n8SsCtl3FHpcHS9MvkRmCsGjT3w5lqT4cjmrvM%2F6cI%3D&reserved=0>. -- You received this message because you are subscribed to the Google Groups "Ansible Project" group. To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/2F9FE7FD-B3CD-4E16-8CCD-44A6298F5825%40nist.gov<https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgroups.google.com%2Fd%2Fmsgid%2Fansible-project%2F2F9FE7FD-B3CD-4E16-8CCD-44A6298F5825%2540nist.gov%3Futm_medium%3Demail%26utm_source%3Dfooter&data=05%7C01%7Cwalter.rowe%40nist.gov%7C94ea9f0f994c485317eb08dafe0b2063%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C638101620985980556%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=Z1fSGPEpDFZaxG29SCURlkG5DvgxM7iz4AQKHqpdAiA%3D&reserved=0>. -- You received this message because you are subscribed to the Google Groups "Ansible Project" group. To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/CAE7H9qry8T6%2Bc3TE%3D8KiyU6E7Ooh1wAKgGzLztq3EGzsKijDKg%40mail.gmail.com<https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgroups.google.com%2Fd%2Fmsgid%2Fansible-project%2FCAE7H9qry8T6%252Bc3TE%253D8KiyU6E7Ooh1wAKgGzLztq3EGzsKijDKg%2540mail.gmail.com%3Futm_medium%3Demail%26utm_source%3Dfooter&data=05%7C01%7Cwalter.rowe%40nist.gov%7C94ea9f0f994c485317eb08dafe0b2063%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C638101620985980556%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=MHkpnlaCzJG%2FpTcHTvJpy3jh7mwGrLlpWa8ClKbTYQw%3D&reserved=0>. -- You received this message because you are subscribed to the Google Groups "Ansible Project" group. To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/B0AE6100-8F2D-43C7-A857-144EE740C535%40nist.gov<https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgroups.google.com%2Fd%2Fmsgid%2Fansible-project%2FB0AE6100-8F2D-43C7-A857-144EE740C535%2540nist.gov%3Futm_medium%3Demail%26utm_source%3Dfooter&data=05%7C01%7Cwalter.rowe%40nist.gov%7C94ea9f0f994c485317eb08dafe0b2063%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C638101620985980556%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=NMJmtQhOqz50fa6zFm6rU5dXsryrR%2FmSbbP1dFqShXU%3D&reserved=0>. -- You received this message because you are subscribed to the Google Groups "Ansible Project" group. To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/CAE7H9qrQZGwNC1zEViaDkP5BX%3DcZRaZAoERTfUnyOuC3K6FJ5A%40mail.gmail.com<https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgroups.google.com%2Fd%2Fmsgid%2Fansible-project%2FCAE7H9qrQZGwNC1zEViaDkP5BX%253DcZRaZAoERTfUnyOuC3K6FJ5A%2540mail.gmail.com%3Futm_medium%3Demail%26utm_source%3Dfooter&data=05%7C01%7Cwalter.rowe%40nist.gov%7C94ea9f0f994c485317eb08dafe0b2063%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C638101620985980556%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=aQX3pBu%2FACxSO3veIw13hX61AizGYlnyNEHUlDp13KY%3D&reserved=0>. -- Todd -- You received this message because you are subscribed to the Google Groups "Ansible Project" group. To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/5dc01924-a818-f2cd-fee7-8f91c4350b37%40gmail.com<https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgroups.google.com%2Fd%2Fmsgid%2Fansible-project%2F5dc01924-a818-f2cd-fee7-8f91c4350b37%2540gmail.com%3Futm_medium%3Demail%26utm_source%3Dfooter&data=05%7C01%7Cwalter.rowe%40nist.gov%7C94ea9f0f994c485317eb08dafe0b2063%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C638101620985980556%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=NSZwUdcZQvEMd7p7ZKExmXxnw5PtZRTGH687i9mK6GU%3D&reserved=0>. -- You received this message because you are subscribed to the Google Groups "Ansible Project" group. To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/CAE7H9qqocg3-fz0t0KL6SUc%3Dgd4vhaxmTO%3DtkKLcUH9rjnrBkg%40mail.gmail.com<https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgroups.google.com%2Fd%2Fmsgid%2Fansible-project%2FCAE7H9qqocg3-fz0t0KL6SUc%253Dgd4vhaxmTO%253DtkKLcUH9rjnrBkg%2540mail.gmail.com%3Futm_medium%3Demail%26utm_source%3Dfooter&data=05%7C01%7Cwalter.rowe%40nist.gov%7C94ea9f0f994c485317eb08dafe0b2063%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C638101620985980556%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=BcTJBZ%2FEhrN%2Bv4hXhcI0VIqLNs%2Bfa%2FfAV%2Fz9L9RfafA%3D&reserved=0>. -- You received this message because you are subscribed to the Google Groups "Ansible Project" group. To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/E252445D-0709-42AF-9E0F-4CF63959CE47%40nist.gov<https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgroups.google.com%2Fd%2Fmsgid%2Fansible-project%2FE252445D-0709-42AF-9E0F-4CF63959CE47%2540nist.gov%3Futm_medium%3Demail%26utm_source%3Dfooter&data=05%7C01%7Cwalter.rowe%40nist.gov%7C94ea9f0f994c485317eb08dafe0b2063%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C638101620985980556%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=3a%2F5D2Safek460NsFjBNyv8aR77XJqikYkY19v2RBmc%3D&reserved=0>. -- You received this message because you are subscribed to the Google Groups "Ansible Project" group. To unsubscribe from this group and stop receiving emails from it, send an email to ansible-project+unsubscr...@googlegroups.com<mailto:ansible-project+unsubscr...@googlegroups.com>. To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/7df25244-5b17-4fb4-a343-255a1c706dbbn%40googlegroups.com<https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgroups.google.com%2Fd%2Fmsgid%2Fansible-project%2F7df25244-5b17-4fb4-a343-255a1c706dbbn%2540googlegroups.com%3Futm_medium%3Demail%26utm_source%3Dfooter&data=05%7C01%7Cwalter.rowe%40nist.gov%7C94ea9f0f994c485317eb08dafe0b2063%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C638101620986136791%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=pV6dglb70YAGToZKYPlKX%2FAn0S9OCUTv%2BN0dZFsp2JQ%3D&reserved=0>. -- You received this message because you are subscribed to the Google Groups "Ansible Project" group. To unsubscribe from this group and stop receiving emails from it, send an email to ansible-project+unsubscr...@googlegroups.com<mailto:ansible-project+unsubscr...@googlegroups.com>. To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/DC30B4E8-3D99-4611-819D-CBCDC5406396%40nist.gov<https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgroups.google.com%2Fd%2Fmsgid%2Fansible-project%2FDC30B4E8-3D99-4611-819D-CBCDC5406396%2540nist.gov%3Futm_medium%3Demail%26utm_source%3Dfooter&data=05%7C01%7Cwalter.rowe%40nist.gov%7C94ea9f0f994c485317eb08dafe0b2063%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C638101620986136791%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=c%2FS4a4HjH1RDswGrWvUJdrA7u4QqF4K30wFUKEmX8hM%3D&reserved=0>. -- You received this message because you are subscribed to the Google Groups "Ansible Project" group. To unsubscribe from this group and stop receiving emails from it, send an email to ansible-project+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/699F84D4-3081-42EE-B36D-26A984B5DC69%40nist.gov.
