Giter VIP home page Giter VIP logo

ansible-role-sudo's Introduction

Sudo

Ansible Galaxy Build Status Latest tag Gitter chat

A role for managing sudo.

This role uses sudoers.d to manage the sudo capabilities of your users. Each user gets its own sudoers.d file. This means the role can be used from multiple roles to add and manage new users without interfering with the other users/roles.

The defaults and aliases however can only be managed from one location and should not be specified if you add this role as a dependency to your own role.

Following roles where designed to neatly work together with this role:

The management-user role combines all these roles in one easy to use role.

Requirements

  • Hosts should be bootstrapped for ansible usage (have python,...)
  • Root privileges, eg become: yes

Role Variables

Variable Description Default value
sudo_package Install sudo if not available yes
sudo_list List of users and their sudo settings (see details!) []
sudo_list_host List of users and their sudo settings (see details!) []
sudo_list_group List of users and their sudo settings (see details!) []
sudo_grouplist List of groups and their sudo settings (see details!) []
sudo_grouplist_host List of groups and their sudo settings (see details!) []
sudo_grouplist_group List of groups and their sudo settings (see details!) []
sudo_default_sudoers Restore default sudoers file if altered? no
sudo_default_sudoers_src_path Path (local) to default sudoers file path to included default file
sudo_defaults List of defaults (see details!) []
sudo_host_aliases List of host aliases (see details!) []
sudo_user_aliases List of user aliases (see details!) []
sudo_runas_aliases List of run as aliases (see details!) []
sudo_cmnd_aliases List of command aliases (see details!) []
sudo_sudoersd_dir Sudoers.d directory '/etc/sudoers.d'
sudo_sudoersd_owner Owner of the directories and files 'root'
sudo_sudoersd_group Group of the directories and files 'root'

sudo_defaults details

The sudo defaults can be provided as a simple list item, or as a dictionary. Using the more complex dictionary notation allows you to use filters on the defaults. Both versions can be combined.

Each item in the dictionary can have following attributes:

Variable Description Required Default
params flags, integer values, strings, or lists yes /
filter user (:), host (@), command (!) or runas (>) filter no /
Example sudo_defaults
# Simple version
sudo_defaults:
  - env_reset
  - mail_badpass

# Advanced version
sudo_defaults:
  - env_reset
  - mail_badpass
  - filter: '!LOG_VIEWERS'
    params: 'noexec'
  - filter: '@localhost'
    params: '!requiretty'

sudo_list details

sudo_list, sudo_list_host and sudo_list_group are merged when managing the sudo settings. You can use the host and group lists to specify users settings per host or group off hosts. The sudo_grouplist variables work the same way, but for group based sudo settings (name will be prepended with %).

Each item in the list should have a name and optionally a sudo rule list and a sudoers_file variable to specify a custom filename. This way you can use the same list that you pass to your user management role.

When you wish to remove a sudo user/group item from the system do so by adding state: absent to the item. Ensuring removal of the matching sudoers_file from the system. Only deleting the item from the _list leaves the file behind in an unmanaged state, causing the old rule to remain in effect.

sudo_list:
  - name: root
    other_setting: 'this is ok'
    sudo:
        - '...'
  - name: user1
    sudoers_file: custom
    sudo:
        - '...'
  - name: user3
    state: absent

The sudo list allows you to define one or more sudo rules. Possible attributes for each list entry;

Variable Description Required Default
hosts Hosts yes /
as Operators no /
commands Commands yes /
nopasswd NOPASSWD flag no no
passwd PASSWD flag no no
noexec NOEXEC flag no no
exec EXEC flag no no
nosetenv NOSETENV flag no no
setenv SETENV flag no no
nologinput NOLOG_INPUT flag no no
loginput LOG_INPUT flag no no
nologoutput NOLOG_OUTPUT flag no no
logoutput LOG_OUTPUT flag no no
Example sudo_list
sudo_list:
  - name: root
    sudo:
      hosts: ALL
      as: ALL:ALL
      commands: ALL
  - name: user1
  - name: user3
    sudo:
      - hosts: ALL
        as: root
        commands: /usr/sbin/poweroff
      - hosts: ALL
        commands: /usr/sbin/reboot
        nopasswd: yes
      - hosts: ALL
        as: ALL
        commands: /usr/sbin/less
        noexec: yes

sudo_grouplist:
  - name: group1
    sudoers_file: 50custom-group-rules
    sudo:
      hosts: ALL
      as: ALL
      commands: ALL
      nopasswd: yes

sudo_***_aliases details

The aliases lists allow you to specify multiple aliases. Each item in the list has a name and an alias.

Variable Description Required Default
name Name of the alias yes /
alias Alias yes /
Example sudo_***_aliases
sudo_cmnd_aliases:
  - name: POWER
    alias: 'shutdown, reboot'
  - name: APT
    alias: 'apt-get'

sudo_user_aliases:
  - name: EXPAMPLE2
    alias: 'user1, user2, user3'

Dependencies

Example Playbook

---
- hosts: servers
  roles:
  - role: GROG.sudo
    become: yes

Inside group_vars/servers.yml:

sudo_list_group:
  - name: user
    sudo:
      hosts: ALL
      as: ALL
      commands: ALL

Contributing

All assistance, changes or ideas welcome!

Author

By G. Roggemans

License

MIT

ansible-role-sudo's People

Contributors

greigm avatar groggemans avatar kernt avatar memoryleak avatar orphist avatar stejoo avatar

Stargazers

avatar avatar avatar avatar avatar avatar avatar avatar avatar

Watchers

avatar avatar avatar

Forkers

jb11211 lestr michael-c-hoffman mkinney blackcobra1973 knorrkator chilinot memoryleak uol-it-linux slaclab stejoo kernt greigm

ansible-role-sudo's Issues

More defaults

I added if few lines to your defaults handling if you care. Needed this for default options

default/main.yml

#Defaults for Commands
sudo_default_command_options: []

templates/etc-sudoers.d-defaults_template.j2

{% for entry in sudo_default_command_options %}
{{ entry.default_command_opt }} {{ entry.command_opt_val  }}
{% endfor %}

Example in group_vars/all.yml

sudo_default_command_options:
  - default_command_opt: Defaults!LOG_VIEWERS
    command_opt_val: "noexec"
  - default_command_opt: Defaults!CRM_COMMANDS
    command_opt_val: `"!requiretty"

more BSD compatible

Hi,
I added if few lines to your defaults for better BSD compatible

default/main.yml

#Sudoers file
sudo_sudoers: /etc/sudoers

#root group
root_group: root

tasks/main.yml

- name: Include OS-specific vars
  include_vars: "{{ ansible_os_family }}.yml"
...
    group: "{{ root_group }}"
...

vars/FreeBSD.yml

sudo_sudoersd_dir: /usr/local/etc/sudoers.d
sudo_sudoers: /usr/local/etc/sudoers
root_group: wheel

sudoers.d files included twice on Debian 12 (and others?)

Running this role against current Debian (bookworm) results in /etc/sudoers.d being included twice.

To a user running sudo -l this looks like:

User [email protected] may run the following commands on myhost:
    (ALL) ALL
    (ALL) ALL

The cause of this is this bit at the end of the /etc/sudoers file:

# See sudoers(5) for more information on "@include" directives:

@includedir /etc/sudoers.d
#includedir /etc/sudoers.d

Both these statements are valid "include" statements. As such sudo seems to apply statements in files within /etc/sudoers.d/ twice. While this does not break sudo behaviour to my current knowledge, it does look funny!

The @-style was added, fairly recently, to sudo in version 1.9.1 (2020-06-19). While many distros already ship a recent enough version there are still supported distros, such as RHEL8, that ship with an older version of sudo. For compatibility with sudo versions prior to 1.9.1, #include and #includedir are still supported today. To resolve this issue I suggest improving the regexp statement of the Enable sudoers.d task, on line 28 of tasks/main.yml:

ansible-role-sudo/tasks/main.yml

Line 28 in 125707b

regexp: '^#includedir .*'

to also match @include lines.

Dependency on GROG.package could use an update

The dependency on GROG.package refers to an older version. Not a direct issue but the specific version requested is v1.2.4: as stated in https://github.com/GROG/ansible-role-sudo/blob/master/meta/requirements.yml#L2

While functional this causes Ansible to produce deprecation warnings for the used include: statements in there. A fix is available from v1.3.0 forward. Current version is: https://github.com/GROG/ansible-role-package/releases/tag/v1.3.1

May the dependency be updated to v1.3.1 to alleviate the deprecations warnings?

Changing the users to only one file

Thanks for creating this it works as intended

How would I go and modify this to change it where it does not create a separate file for all the users and just puts it into a file that I can define. I tried changing the item.name and it will only add one of my users and not loop through them. Not sure what I am doing wrong. Can you assist?

Permission of `/etc/sudoers` file

In commit 125707b the mode of /etc/sudoers.d was defined as:

ansible-role-sudo/tasks/main.yml

Line 29 in 125707b

mode: "0750"

I am curious why this mode was chosen in particular. In both Debian and Red Hat the default mode of the /etc/sudoers.d directory is set to '0440'. I can imagine this is different for other distributions and this mode works. It's an extra "change" I noticed in my Ansible runs and that made me curious.

Failing to add sudo privileges to user

I'm trying your basic example on SLES 11. The goal is to add sudo privileges to the existing "pdo" user

- hosts: clients
  roles:
  - { role: GROG.sudo, become: yes }

hosts file

[clients]
as0061
as0063
[db]
as0064

clients.yml

sudo_list_group:
  - name: pdo
    sudo:
      hosts: ALL
      as: ALL
      commands: ALL
      nopasswd: yes

When I run it with
ansible-playbook ./sudo-client.yml -K
I get this error

TASK [GROG.sudo : Make sure sudoers.d dir is available] ************************
fatal: [as0061]: FAILED! => {"changed": false, "failed": true, "module_stderr": "", 
"module_stdout": "\r\nSorry, try again.\r\n[sudo via ansible, 
key=pwstxgartlkdfysrplianfqijriswxqq] password: \r\nsudo: 1 incorrect password attempt\r\n", 
"msg": "MODULE FAILURE", "parsed": false}

The directory is there, BTW. Can you please let me know what am I doing wrong?

Thanks,
Bo Stone

More complex sudoers file

Hi GROG - thanks for sharing your work! It doesn't appear that a more complex sudoers file is possible, but asking for confirmation. An example of what I would like to be able to do:

testuser ALL=(root) NOPASSWD: /bin/ls,/bin/grep,/etc/init.d/nginx
testuser ALL=(nginx) NOPASSWD: ALL

Thanks!

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.