jrios
Mission Specialist

Ansible sudo root privilege elevation


Hello Guys!

First I want to say that the company that I work for cares about security on their systems.

That said, some users have root privilege elevation that uses "sudo su -", and it asks them to enter the user password in order to get root privileges.

Modifying sudoers roles to set NOPASSWD for a user is not permitted in the company.

Using ssh-key is also not permitted.

I can connect to the remote server successfully using my ansible playbook, but I'm not allowed to put in the user password for root privilege elevation.

Does somebody know how to solve this?

Is there any suggestion that you all can give me?

Right now I'm googling about it, and some websites say that I can use variables...

Hope some of you can help me, thanks in advance.

Accepted Solutions
jrios
Mission Specialist

====================== SOLVED ======================

Hello @bonnevil,

Yes, I was not prompted for the sudo password even when setting --ask-become-pass (command line).

I have already solved it on my own, in order to execute jobs from my Jenkins. That said, I'm leaving here (for everyone in the Red Hat Learning Community) what I have done to achieve sudo root privilege escalation in order to execute commands as root.

Here is what I did from my Jenkins:

$ export BECOMEPASS=MyPassword
$ sshpass -p "$BECOMEPASS" ansible-playbook my-playbook.yaml -i inventory -u MyUserName -k --become --extra-vars "ansible_become_pass=$BECOMEPASS"


The second command (up to -k) is basically what the Jenkins "Ansible plugin" gives you as output after executing the job or task; I took that command and executed it on my Linux terminal. So, executing the command lines above, I can do anything as root, and of course you can encrypt the password with different plugins within Jenkins; you can even set up a password vault.

I have only added --become --extra-vars "ansible_become_pass=$BECOMEPASS".


Important:
Note that you do not need to specify parameters like become, become_method, become_user, etc. within the Ansible playbook.

--------------- begin playbook example ---------------
---
- name: Remote script execution
  hosts: ServerName or IP address
  gather_facts: False
  vars:
    ansible_python_interpreter: /usr/bin/python
  tasks:
    # become and become_user come from the command line, not from the play

--------------- end playbook example ---------------


Thank you @bonnevil for your time, thanks to everyone.

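An added example, not part of jrios's post or the Jenkins plugin: the accepted solution passes the become password on the command line, where it shows up in the argument list of every ansible-playbook process (readable by any local user with `ps`), in the shell history, and in the Jenkins console log. The script below keeps the same playbook, inventory and user names from the post but writes `ansible_become_pass` into a temporary 0600 vars file and hands Ansible that file with the `--extra-vars "@file"` form, so only the file path is visible in argv. It assumes that BECOMEPASS is exported by the caller (for instance a Jenkins credential binding) and only calls ansible-playbook when it is installed.

```shell
#!/bin/sh
# Added example (not from the original post): pass ansible_become_pass to
# ansible-playbook through a private vars file instead of on the command line.
# Assumes BECOMEPASS is exported by the caller (e.g. a Jenkins credential
# binding) and reuses the playbook, inventory and user names from the post.

# Write {"ansible_become_pass": "<password>"} to a new 0600 temp file and
# print the file's path. Backslashes and double quotes are JSON-escaped so an
# arbitrary password round-trips intact.
write_become_vars() {
    pass="$1"
    # mktemp already creates the file with mode 0600; the umask in the
    # subshell makes that explicit without changing the caller's umask.
    f=$( umask 077; mktemp "${TMPDIR:-/tmp}/become.XXXXXX" ) || return 1
    esc=$(printf '%s' "$pass" | sed 's/\\/\\\\/g; s/"/\\"/g')
    printf '{"ansible_become_pass": "%s"}\n' "$esc" > "$f" || return 1
    printf '%s\n' "$f"
}

# Render the ansible-playbook command line that will be run. Only the vars
# file path appears in argv, so `ps` and the Jenkins console log never show
# the password itself.
build_cmd() {
    printf 'ansible-playbook my-playbook.yaml -i inventory -u MyUserName --become --extra-vars @%s' "$1"
}

# Create the vars file, run the playbook, and remove the file again even if
# the run is interrupted.
run_playbook() {
    [ -n "${BECOMEPASS:-}" ] || { echo "BECOMEPASS is not set" >&2; return 2; }
    varsfile=$(write_become_vars "$BECOMEPASS") || return 1
    trap 'rm -f "$varsfile"' EXIT INT TERM
    if command -v ansible-playbook >/dev/null 2>&1; then
        ansible-playbook my-playbook.yaml -i inventory -u MyUserName \
            --become --extra-vars "@$varsfile"
        rc=$?
    else
        echo "ansible-playbook not installed; would run: $(build_cmd "$varsfile")" >&2
        rc=0
    fi
    rm -f "$varsfile"
    return "$rc"
}

# Usage: BECOMEPASS='...' sh become_example.sh run
if [ "${1:-}" = "run" ]; then
    run_playbook
fi
```

The same vars file can also carry `ansible_password` for the SSH login, which removes the need for `sshpass` and `-k` in the post's command. For anything longer-lived than a single job, the usual step after this is to encrypt that vars file with ansible-vault and point the run at a vault password file (`--vault-password-file`) kept outside the job definition.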
2 Replies
bonnevil
Starfighter

@jrios  by "I can connect to the remote server successfully using my ansible playbook but I'm not allowed to put the user password for root privilege elevation." do you mean that you're not prompted for the sudo password, or that your company's policy does not allow you to provide the sudo password to Ansible?

If you're not being prompted for the sudo password, you can add the option --ask-become-pass to the ansible-playbook command to have Ansible prompt you for that password. Alternatively, you can set become_ask_pass=true in your Ansible configuration file or export ANSIBLE_BECOME_ASK_PASS=true in your shell environment to have Ansible commands prompt you for the sudo password by default. The environment variable will override any contrary settings you have in Ansible configuration files, I believe.
