Re: [ansible-project] create a systemd service without write access to /etc/systemd/system

2022-09-01 Thread dulhaver via Ansible Project
 
I am wondering whether granting the postgres user (who is the one executing 
that TASK) limited write access, so that it can only write files like 
postgresql.*.service inside /etc/systemd/system, could be a solution. I guess 
using the template module would be the way to do this.
 
postgres@server> sudo -l looks like this excerpt:

    (root) NOPASSWD: /usr/bin/cat /var/log/messages,
        /usr/bin/zcat /var/log/messages-*,
        /usr/bin/systemctl restart postgresql.service,
        /usr/bin/systemctl reload postgresql.service,
        /usr/bin/systemctl status postgresql.service,
        /usr/bin/systemctl restart postgresql@*.service,
        !/usr/bin/systemctl restart postgresql@*..*,
        !/usr/bin/systemctl restart postgresql@*[[\:blank\:]]*,
        /usr/bin/systemctl reload postgresql@*.service,
        !/usr/bin/systemctl reload postgresql@*..*,
        !/usr/bin/systemctl reload postgresql@*[[\:blank\:]]*,
        /usr/bin/systemctl status postgresql@*.service,
        !/usr/bin/systemctl status postgresql@*..*,
        !/usr/bin/systemctl status postgresql@*[[\:blank\:]]*
 
So based on this I wonder whether this could be achieved if I could identify 
the local command executed by the template module in order to create the file 
on the remote. Or is that thinking down the wrong road?
 
 
 

> On 09/01/2022 2:07 PM CEST 'Rowe, Walter P. (Fed)' via Ansible Project wrote:
>  
>  
> Nope. Ansible uses sudo to elevate privileges on Linux. If you don't have a 
> service account that can sudo, you can't do this with ansible. Your service 
> account is the "remote_user" that ansible uses to SSH into the machine. The 
> sudoers file must grant this account sudo rights. 
>  
> It does not have to be passwordless sudo. You can provide a variable 
> ansible_become_password that contains the sudo password. There are many ways 
> to do that. The most secure way would be an ansible vault. This is 
> essentially an encrypted vars file. You provide the vault secret when you run 
> the playbook. On your command line you would do something like this.
> 
> $ ansible-playbook my_playbook.yml -e @my_vault.yml --ask-vault-pass
>  
> The @my_vault.yml tells ansible-playbook to source the my_vault.yml for its 
> extra_vars. The --ask-vault-pass prompts you for the vault secret. Your 
> my_vault.yml file would look like this:
>  
> ---
> ansible_become_password: "my sudo password"
>  
> If you use Ansible Tower you can provide the vault secret in an Ansible Vault 
> Credential type. We use this method also for storing privileged Kerberos 
> credentials that enables our playbooks to join machines to Active Directory.
> 
> Walter
> --
> Walter Rowe, Division Chief
> Infrastructure Services, OISM
> Mobile: 202.355.4123
> 
> --
> You received this message because you are subscribed to the Google Groups 
> "Ansible Project" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to ansible-project+unsubscr...@googlegroups.com.
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/ansible-project/F19F89B1-6C1B-4F50-B2AF-8681D60E408E%40nist.gov.

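To make concrete what that allow-list does and does not permit, here is an added example, not code from the thread or from Ansible, that models sudoers matching (an approximation written for illustration, not sudo's own matcher) over the entries in the excerpt above and evaluates both the intended systemctl commands and the /bin/sh wrapper that Ansible's sudo become plugin hands to sudo for every module. The temporary module path and the BECOME-SUCCESS key are constructed placeholders; the wrapper's shape is taken from the plugin's behaviour, and the exact sudo flags in front of it vary by version.

```python
# Approximation of sudoers matching (not sudo's code): executable and argument
# string are matched as globs, an entry without arguments matches any
# arguments, the last matching entry decides, and a leading '!' denies.
import re

# Entries copied from the `sudo -l` excerpt quoted in the thread.
SUDOERS_ENTRIES = [
    "/usr/bin/cat /var/log/messages",
    "/usr/bin/zcat /var/log/messages-*",
    "/usr/bin/systemctl restart postgresql.service",
    "/usr/bin/systemctl reload postgresql.service",
    "/usr/bin/systemctl status postgresql.service",
    "/usr/bin/systemctl restart postgresql@*.service",
    r"!/usr/bin/systemctl restart postgresql@*..*",
    r"!/usr/bin/systemctl restart postgresql@*[[\:blank\:]]*",
    "/usr/bin/systemctl reload postgresql@*.service",
    r"!/usr/bin/systemctl reload postgresql@*..*",
    r"!/usr/bin/systemctl reload postgresql@*[[\:blank\:]]*",
    "/usr/bin/systemctl status postgresql@*.service",
    r"!/usr/bin/systemctl status postgresql@*..*",
    r"!/usr/bin/systemctl status postgresql@*[[\:blank\:]]*",
]
# POSIX classes usable inside [...]; sudoers needs ':' written as '\:'.
POSIX_CLASSES = {"blank": " \\t", "digit": "0-9", "alpha": "a-zA-Z"}

def glob_to_regex(pattern):
    """Translate a sudoers glob (*, ?, [...], [[:class:]]) into a regex."""
    pattern = re.sub(r"\\(.)", r"\1", pattern)  # drop backslash escapes
    regex, i = "", 0
    while i < len(pattern):
        c = pattern[i]
        if c == "*":
            regex += ".*"
        elif c == "?":
            regex += "."
        else:
            m = c == "[" and re.match(r"\[((?:\[:[a-z]+:\]|[^\]])+)\]", pattern[i:])
            if m:
                body = re.sub(r"\[:([a-z]+):\]",
                              lambda k: POSIX_CLASSES[k.group(1)], m.group(1))
                regex += "[" + body + "]"
                i += m.end()
                continue
            regex += re.escape(c)
        i += 1
    return regex

def sudo_permits(entries, argv):
    """True if this model of the sudoers entries lets argv run as root."""
    path, args = argv[0], " ".join(argv[1:])
    verdict = False  # no matching entry means denied
    for entry in entries:
        parts = entry.lstrip("!").split(None, 1)
        spec_args = parts[1] if len(parts) > 1 else None
        if not re.fullmatch(glob_to_regex(parts[0]), path):
            continue
        if spec_args is not None and not re.fullmatch(glob_to_regex(spec_args), args):
            continue
        verdict = not entry.startswith("!")  # last matching entry wins
    return verdict

def ansible_become_argv(module_cmd, key="KEYPLACEHOLDER"):
    """What Ansible's sudo become plugin asks sudo to run, approximated from its
    behaviour: sudo ... -u root /bin/sh -c 'echo BECOME-SUCCESS-<key> ; <cmd>'."""
    return ["/bin/sh", "-c", f"echo BECOME-SUCCESS-{key} ; {module_cmd}"]

# Constructed temp path: the template action renders locally and then runs the
# copy module remotely from a per-run directory with a random name.
MODULE_CMD = ("/usr/bin/python3 /home/postgres/.ansible/tmp/"
              "ansible-tmp-1662009342.1-12345-67890/AnsiballZ_copy.py")
CHECKS = [
    ["/usr/bin/systemctl", "restart", "postgresql@db1.service"],
    ["/usr/bin/systemctl", "restart", "postgresql@a..b.service"],
    ["/usr/bin/systemctl", "restart", "postgresql@db1.service", "x.service"],
    ["/usr/bin/zcat", "/var/log/messages-20220901.gz"],
    ["/usr/bin/cat", "/var/log/secure"],
    ansible_become_argv(MODULE_CMD),
]

if __name__ == "__main__":
    for argv in CHECKS:
        print("ALLOW" if sudo_permits(SUDOERS_ENTRIES, argv) else "DENY ", *argv)
```

The last check is the crux: the wrapper's executable is /bin/sh and its payload path is random for every run, so no sudoers entry naming fixed commands can match it, which is what makes become with such a sudoers file all-or-nothing.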

Re: [ansible-project] create a systemd service without write access to /etc/systemd/system

2022-09-01 Thread dulhaver via Ansible Project
 
System access is granted pretty specifically (and pretty limited). The fear is 
not so much a hacker, but our own staff should only be able to execute the very 
specific commands (and creating anything in /etc not being one of those for a 
member of the database team) that he or she is supposed to execute.
 
 
@kevin.shumaker: thanks, I was hoping to find a way around playing that kind of 
ping-pong, but it looks like there is none, so I'll have to play along.
 
 

> On 09/01/2022 6:22 PM CEST Kevin Shumaker wrote:
>  
>  
> When confronted by a lack of privileges to be able to accomplish certain 
> tasks given to me, I've usually resorted to creating a ticket with my 
> 'resolution', and escalating to the SysAdmins and let them 'deal' with the 
> issue. (Usually limited access on specific servers). If they get enough 
> tickets, the Manager or Director usually takes notice, and either grants 
> specific access or transfers the responsibility to the SysAdmins. (What 
> usually happens shortly thereafter is it gets placed back in my lap, with 
> needed privileges as the SysAdmins are already too busy, which is why it was 
> placed in my lap to begin with...) Either resolution is a win.

Re: [ansible-project] Basic Authentication using uri Module (Post)

2022-09-01 Thread Mohammed Reehan
Apologies for the error, it was a typo tbh. Well, the issue is still
present.

Thanks
Reehan

On Thu, Sep 1, 2022, 11:56 PM Dick Visser wrote:

>
>
> On Thu, 1 Sep 2022 at 19:45, Mohammed Reehan wrote:
>
>> Hello Experts,
>>
>> Need your kind help. I am running a basic POST call using the Ansible uri
>> module with Basic Authentication;
>> below is the programmatic code but I am getting a 403 error.
>>
>> ---
>> -name: Request API Token
>>  ansible.builtin.uri:
>>    url: "https://vrlcm.local/lcm/authzn/api/login;
>>
>
> For starters, the URL is incorrect: it's got a
> semicolon mixed up with a double quote.
>
>
>>    method: POST
>>    use_proxy: no
>>    validate_certs: false
>>    status_code: [200]
>>    force_basic_auth: yes
>>    url_username: "test"
>>    url_password: "test"
>>  register: response
>>  run_once: true
>>  delegate_facts: true
>>  no_log: false
>>
>> I am getting the below error; any pointers will be helpful to fix this issue.
>> I am sure I am doing something silly.
>>
>> "msg": "status code was -1 and not [200]: Request failed: > tunnel connection failed: 403 forribidden>",
>> "redirected": "false",
>> "status": "-1"
>>
> --
> Sent from Gmail Mobile
>



Re: [ansible-project] Basic Authentication using uri Module (Post)

2022-09-01 Thread Dick Visser
On Thu, 1 Sep 2022 at 19:45, Mohammed Reehan wrote:

> Hello Experts,
>
> Need your kind help. I am running a basic POST call using the Ansible uri
> module with Basic Authentication;
> below is the programmatic code but I am getting a 403 error.
>
> ---
> -name: Request API Token
>  ansible.builtin.uri:
>    url: "https"//vrlcm.local/lcm/authzn/api/login"
>

For starters, the URL is incorrect: it's got a
semicolon mixed up with a double quote.


>    method: POST
>    use_proxy: no
>    validate_certs: false
>    status_code: [200]
>    force_basic_auth: yes
>    url_username: "test"
>    url_password: "test"
>  register: response
>  run_once: true
>  delegate_facts: true
>  no_log: false
>
> I am getting the below error; any pointers will be helpful to fix this issue.
> I am sure I am doing something silly.
>
> "msg": "status code was -1 and not [200]: Request failed:  tunnel connection failed: 403 forribidden>",
> "redirected": "false",
> "status": "-1"
>
-- 
Sent from Gmail Mobile



[ansible-project] Basic Authentication using uri Module (Post)

2022-09-01 Thread Mohammed Reehan
Hello Experts, 

Need your kind help. I am running a basic POST call using the Ansible uri 
module with Basic Authentication; 
below is the programmatic code but I am getting a 403 error.

---
- name: Request API Token
  ansible.builtin.uri:
    url: "https://vrlcm.local/lcm/authzn/api/login"
    method: POST
    use_proxy: no
    validate_certs: false
    status_code: [200]
    force_basic_auth: yes
    url_username: "test"
    url_password: "test"
  register: response
  run_once: true
  delegate_facts: true
  no_log: false

I am getting the below error; any pointers will be helpful to fix this issue. I 
am sure I am doing something silly.

"msg": "status code was -1 and not [200]: Request failed: ",
"redirected": "false",
"status": "-1"



Re: [ansible-project] create a systemd service without write access to /etc/systemd/system

2022-09-01 Thread Kevin Shumaker
When confronted by a lack of privileges to be able to accomplish certain 
tasks given to me, I've usually resorted to creating a ticket with my 
'resolution', and escalating to the SysAdmins and let them 'deal' with the 
issue. (Usually limited access on specific servers). If they get enough 
tickets, the Manager or Director usually takes notice, and either grants 
specific access or transfers the responsibility to the SysAdmins. (What 
usually happens shortly thereafter is it gets placed back in my lap, with 
needed privileges as the SysAdmins are already too busy, which is why it 
was placed in my lap to begin with...) Either resolution is a win. 
On Thursday, September 1, 2022 at 12:07:23 PM UTC-4 stan@nscorp.com 
wrote:

> The sudo privileges granted to "remote_user" need to be limitless. 
> Execute ALL commands as ALL users. One cannot restrict to executing a 
> single binary like 'useradd' because it's running a module with a random 
> name.
>
>  
>
> It's either all or nothing.
>
>  
>
> Regards,
>
> Stan
>

RE: [ansible-project] create a systemd service without write access to /etc/systemd/system

2022-09-01 Thread 'Hearn, Stan J.' via Ansible Project
The sudo privileges granted to "remote_user" need to be limitless. 
Execute ALL commands as ALL users. One cannot restrict to executing a single 
binary like 'useradd' because it's running a module with a random name.

It's either all or nothing.

Regards,
Stan


From: 'Rowe, Walter P. (Fed)' via Ansible Project 

Sent: Thursday, September 1, 2022 8:08 AM
To: ansible-project@googlegroups.com
Subject: [EXTERNAL] Re: [ansible-project] create a systemd service without 
write access to /etc/systemd/system

Nope. Ansible uses sudo to elevate privileges on Linux. If you don't have a 
service account that can sudo, you can't do this with ansible. Your service 
account is the "remote_user" that ansible uses to SSH into the machine. The 
sudoers file must grant this account sudo rights.

It does not have to be passwordless sudo. You can provide a variable 
ansible_become_password that contains the sudo password. There are many ways to 
do that. The most secure way would be an ansible vault. This is essentially an 
encrypted vars file. You provide the vault secret when you run the playbook. On 
your command line you would do something like this.

$ ansible-playbook my_playbook.yml -e @my_vault.yml --ask-vault-pass

The @my_vault.yml tells ansible-playbook to source the my_vault.yml for its 
extra_vars. The --ask-vault-pass prompts you for the vault secret. Your 
my_vault.yml file would look like this:

---
ansible_become_password: "my sudo password"

If you use Ansible Tower you can provide the vault secret in an Ansible Vault 
Credential type. We use this method also for storing privileged Kerberos 
credentials that enables our playbooks to join machines to Active Directory.

Walter
--
Walter Rowe, Division Chief
Infrastructure Services, OISM
Mobile: 202.355.4123



Re: [ansible-project] create a systemd service without write access to /etc/systemd/system

2022-09-01 Thread 'Rowe, Walter P. (Fed)' via Ansible Project
Nope. Ansible uses sudo to elevate privileges on Linux. If you don't have a 
service account that can sudo, you can't do this with ansible. Your service 
account is the "remote_user" that ansible uses to SSH into the machine. The 
sudoers file must grant this account sudo rights.

It does not have to be passwordless sudo. You can provide a variable 
ansible_become_password that contains the sudo password. There are many ways to 
do that. The most secure way would be an ansible vault. This is essentially an 
encrypted vars file. You provide the vault secret when you run the playbook. On 
your command line you would do something like this.

$ ansible-playbook my_playbook.yml -e @my_vault.yml --ask-vault-pass

The @my_vault.yml tells ansible-playbook to source the my_vault.yml for its 
extra_vars. The --ask-vault-pass prompts you for the vault secret. Your 
my_vault.yml file would look like this:

---
ansible_become_password: "my sudo password"

If you use Ansible Tower you can provide the vault secret in an Ansible Vault 
Credential type. We use this method also for storing privileged Kerberos 
credentials that enables our playbooks to join machines to Active Directory.

Walter
--
Walter Rowe, Division Chief
Infrastructure Services, OISM
Mobile: 202.355.4123

On Sep 1, 2022, at 1:15 AM, dulhaver via Ansible Project 
<ansible-project@googlegroups.com> wrote:

I need to create a postgresql@[db_service_name].service for systemd on remote 
hosts. Based on extremely limited access rights on such hosts (due to strict 
company security policies) the challenge I am facing is that the only way to do 
this manually is via

  sudo systemctl edit --full postgresql@[db_service_name].service

This allows to edit a unitfile interactively which then is used to start the 
service.
I do not have any direct write access to /etc/systemd/system or anything else 
outside /opt on such remotes.

so, is there any way to get specific values into that unit file via ansible 
under such circumstances?




Re: [ansible-project] create a systemd service without write access to /etc/systemd/system

2022-09-01 Thread Andy Smith
Hi,

On Thu, Sep 01, 2022 at 07:15:42AM +0200, dulhaver via Ansible Project wrote:
> the challenge I am facing is that the only way to do this manually
> is via
> 
>sudo systemctl edit --full postgresql@[db_service_name].service

If you can use sudo then can you not just do the equivalent of

sudo cp /some/temp/file /etc/systemd/system/whatever.service

?

How locked down exactly is your sudo access? I'd have thought that
if you can issue "sudo systemctl edit" then you can easily cook up
something that can give you arbitrary access, so this restriction
seems like more of an "honour system", i.e. a determined attacker
who realises they can do "sudo systemctl edit" will not be stopped.
So on that basis maybe they will allow "sudo cat …" also.

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting
