Restrict Ansible script module using sudoers on the remote node

遇见更好的自我 2020-12-21 21:43

I have a playbook that performs some prechecks on the database as the Oracle user. The remote node is an AIX server and so I created a shell script that is run via the playb

3 answers
  • 2020-12-21 21:59

    Q: "This also runs if the sudoers entry is just ansible ALL=(oracle) NOPASSWD: ALL"

    A: Quoting from "Privilege escalation must be general":

    "You cannot limit privilege escalation permissions to certain commands..."

  • 2020-12-21 22:05

    If you look at the verbose mode output, you will see that the actual command differs from the one you specified in the sudoers file:

    <127.0.0.1> SSH: EXEC ssh -o ForwardAgent=yes -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o IdentitiesOnly=yes -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o Port=2202 -o 'IdentityFile="/Users/techraf/devops/testground/debian/.vagrant/machines/debian/virtualbox/private_key"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=ansible -o ConnectTimeout=120 -o ControlPath=/Users/techraf/.ansible/cp/ansible-ssh-%h-%p-%r -tt 127.0.0.1 '/bin/sh -c '"'"'sudo -H -S -n -u oracle /bin/sh -c '"'"'"'"'"'"'"'"'echo BECOME-SUCCESS-xoamupogqwtteubvedoscaghzmfascsr;  /tmp/ansible-tmp-1488508771.72-271591203197790/db_prechecks.sh '"'"'"'"'"'"'"'"' && sleep 0'"'"''

    So what is executed after `sudo -u oracle` actually starts with `/bin/sh -c`.

    I managed to filter a working string to:

    ansible ALL=(oracle) NOPASSWD: /bin/sh -c echo BECOME-SUCCESS*; * /tmp/ansible-tmp-*/db_prechecks.sh*

    But it is based on trial-and-error. I'm not sure yet why * is required between ; and /tmp/... and at the end, but otherwise it does not work.

    In both places Ansible added superfluous space characters and it seems to be the reason, as adding a space to a shell command (specified in the sudoers file) does affect the ability to sudo.

    You might try with ? instead of *; I will test later.

  • 2020-12-21 22:05

    Replying to @techraf's answer: sudo seems to truncate the extra space and you can see it with sudo -l. I was able to get around this by escaping the spaces with \ as instructed in sudo's man page:

    \x For any character ‘x’, evaluates to ‘x’.

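The matching behaviour the two answers above are probing, as an added example that is not part of the original thread: a Python model of how sudoers normalises the argument part of a Cmnd and how sudo compares it against the command line it is asked to run. The model (runs of unescaped whitespace collapse to one space, `\x` is kept as a literal `x`, the command's arguments are joined with single spaces and compared with fnmatch when the rule contains wildcards) is my simplified reading of sudoers(5), not sudo's own code, and the last command line is constructed. It reproduces why the trial-and-error rule needs a `*` where Ansible emits a second space and a trailing space, why escaping those spaces works instead, and also checks what else both rules accept, which is the point of the Ansible documentation quoted in the first answer: a `*` in a sudoers argument matches across spaces, so neither rule limits what the string handed to `/bin/sh -c` may contain.

```python
import fnmatch

# Simplified model of sudoers(5) command-argument matching. These are my
# assumptions about the behaviour, not sudo's real implementation:
#  - the sudoers parser collapses runs of unescaped whitespace to one space
#    and keeps "\x" as a literal x (so "\ " is a literal space);
#  - sudo joins everything after the command path with single spaces and
#    compares the result with fnmatch(3) when the rule has wildcards.


def parse_sudoers_args(rule_args):
    """Normalise the argument part of a sudoers Cmnd the way the parser does."""
    out, in_ws, i = [], False, 0
    while i < len(rule_args):
        c = rule_args[i]
        if c == "\\" and i + 1 < len(rule_args):
            out.append(rule_args[i + 1])  # \x evaluates to x, spaces included
            in_ws = False
            i += 2
            continue
        if c in " \t":
            if not in_ws:
                out.append(" ")  # a whitespace run becomes a single space
            in_ws = True
        else:
            out.append(c)
            in_ws = False
        i += 1
    return "".join(out)


def sudo_user_args(argv):
    """sudo concatenates the arguments after the command path with single spaces."""
    return " ".join(argv[1:])


def args_match(rule_args, argv):
    """True if the command line argv is accepted by a rule with these arguments."""
    rule = parse_sudoers_args(rule_args)
    user = sudo_user_args(argv)
    if any(ch in rule for ch in "*?["):
        return fnmatch.fnmatchcase(user, rule)  # '*' also matches spaces and '/'
    return rule == user


# The command Ansible really runs as "oracle", reconstructed from the verbose
# output quoted above: note the two spaces after ';' and the trailing space.
ANSIBLE_ARGV = [
    "/bin/sh", "-c",
    "echo BECOME-SUCCESS-xoamupogqwtteubvedoscaghzmfascsr;  "
    "/tmp/ansible-tmp-1488508771.72-271591203197790/db_prechecks.sh ",
]

# Candidate argument patterns for:  ansible ALL=(oracle) NOPASSWD: /bin/sh <args>
RULE_NAIVE = "-c echo BECOME-SUCCESS*;  /tmp/ansible-tmp-*/db_prechecks.sh"
RULE_WILDCARD = "-c echo BECOME-SUCCESS*; * /tmp/ansible-tmp-*/db_prechecks.sh*"
RULE_ESCAPED = "-c echo BECOME-SUCCESS*;\\ \\ /tmp/ansible-tmp-*/db_prechecks.sh\\ "

# Constructed command line with an extra command spliced into the -c string,
# used only to show how much a wildcard rule still accepts.
EXTRA_ARGV = [
    "/bin/sh", "-c",
    "echo BECOME-SUCCESS-x; id;  /tmp/ansible-tmp-1/db_prechecks.sh ",
]

if __name__ == "__main__":
    for name, rule in (("naive", RULE_NAIVE), ("wildcard", RULE_WILDCARD),
                       ("escaped", RULE_ESCAPED)):
        print(f"{name:9s} stored as: {parse_sudoers_args(rule)!r}")
        print(f"{name:9s} matches Ansible command: {args_match(rule, ANSIBLE_ARGV)}")
        print(f"{name:9s} matches extra command:   {args_match(rule, EXTRA_ARGV)}")
```

The naive rule fails for both reasons the second answer found by trial and error (the collapsed double space and the missing trailing space), the wildcard and escaped rules both pass, and both also accept the constructed command line with a second command in it, because the `*` after `BECOME-SUCCESS` has to cover the random token and therefore covers anything else as well.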