问题描述
在我的公司,我们的 root 访问权限有限,在 sudoers.d 上是这样:
user hostname =(root) PASSWD: /bin/su
我正在尝试模拟 ansible:
all:
vars:
ansible_connection: ssh
ansible_become: true
ansible_become_pass: 'password'
become_flags: '/bin/su - root /bin/bash -c'
worker:
hosts:
hostname
hostname | Failed! => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},"changed": false,"module_stderr": "Shared connection to hostname closed.\r\n","module_stdout": "\r\n","msg": "MODULE FAILURE\nSee stdout/stderr for the exact error","rc": 1
}
我已阅读有关权限提升和有限 sudo 的信息: ansible privilege escalation
但是,在主机上,我们可以通过这种方式启动任何 sudo 命令:
sudo su -s /bin/sh -c "ls"
有什么办法可以让ansible使用这种方法还是不可能?
谢谢
解决方法
这是可能的,但不推荐,因为它需要 root 的密码:
all:
vars:
ansible_connection: ssh
ansible_become: true
ansible_become_pass: 'root password'
ansible_become_method: su
become_flags: '-s /bin/bash'
在客户端的文件 /etc/sudoers.d/ansible 中,文件是:
ansible hostname =(root) PASSWD: /bin/su
运行以下命令以显示升级工作:
$ ansible -m shell -a "whoami" Client1
Client1 | CHANGED | rc=0 >>
root
$ ansible -m shell -a "who am i" Client1
Client1 | CHANGED | rc=0 >>
ansible pts/0 2020-12-28 19:06 (192.168.122.36)