I have to deal with a setup in "/etc/sudoers" that I can't change because the servers in question are managed by a different team and they don't want to change it.

I have root access only by sudoing to another account first. My account is only allowed to run the specific command "sudo su - admin" (no additional arguments can be appended). Then, as user "admin", I can run any root commands normally with sudo (e.g., "sudo vi /etc/shadow", etc.) or open a root shell with "sudo -s" or "sudo su -", etc.

I want to run Ansible ad-hoc commands and playbooks as root (e.g., "become: yes") on these servers from a different server that I control, but it would require that Ansible first run "sudo su - admin", then run the normal "sudo" command.

I know you can create custom become methods. This seems to me the way to solve this problem, but the specific solution is beyond me. Can anyone help with this?

BTW, if it helps, "NOPASSWD:" is set for both my account and "admin" in "/etc/sudoers".

  • I did eventually find a way to do this, but it required a custom Ansible become plugin written in python to accomplish.
    – Beam Davis
    Commented Apr 19, 2021 at 8:20

1 Answer

You can use --become --become-user admin on an Ansible ad-hoc command, or use the YAML below in an Ansible playbook.

  - name: Run a command as nobody
    command: somecommand
    become: yes
    become_user: admin
    become_method: su

If you need a specific become method you can use --become-method su; the default --become-method is sudo.

  • Wouldn't work for me, because "su" is restricted to the root account only on these servers.
    – Beam Davis
    Commented Apr 19, 2021 at 8:12
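
Neither stock method fits the sudoers rule in the question, which permits exactly one argv: sudo su - admin, with nothing appended. The hop therefore has to be argument-free, and the second-stage sudo has to reach admin's login shell some other way, in this case on its standard input. The following is an added example of a custom become plugin that does that; it is not code from the original thread and not part of Ansible. The plugin name sudo_su_sudo, the hop_user option and the helper build_chain_command are hypothetical names chosen here. It assumes NOPASSWD on both hops, as the question states, and an Ansible release with the BecomeBase plugin API (2.8 or later).

```python
# become_plugins/sudo_su_sudo.py  (hypothetical plugin, added example)
#
# Remote command produced for a task:
#     printf '%s\n' '<inner>' | sudo su - admin
# where <inner> is what the stock sudo plugin would have run, e.g.
#     sudo -H -n -u root /bin/sh -c 'echo BECOME-SUCCESS-<id> ; <cmd>'
# The first hop is the exact argv the sudoers rule permits; the second
# stage is handed to admin's login shell on stdin instead of as an argument.
import re
import shlex

try:
    from ansible.plugins.become import BecomeBase
except ImportError:  # lets build_chain_command() be exercised without Ansible installed
    BecomeBase = object

DOCUMENTATION = """
    name: sudo_su_sudo
    short_description: Become via an argument-free "sudo su - <hop_user>", then sudo again
    description:
      - Hops to an intermediate account with "sudo su - <hop_user>" (the only command
        the connecting account may run) and pipes the real "sudo" invocation into that
        account's login shell.
    author: added example (hypothetical)
    options:
      become_user:
        description: User the final command runs as (passed to the inner sudo with -u).
        default: root
        ini:
          - {section: privilege_escalation, key: become_user}
        vars:
          - {name: ansible_become_user}
        env:
          - {name: ANSIBLE_BECOME_USER}
        keyword:
          - {name: become_user}
      become_flags:
        description: Flags for the inner sudo. Never add -S; stdin carries the command, not a password.
        default: -H -n
        ini:
          - {section: privilege_escalation, key: become_flags}
        vars:
          - {name: ansible_become_flags}
        env:
          - {name: ANSIBLE_BECOME_FLAGS}
        keyword:
          - {name: become_flags}
      hop_user:
        description: Intermediate account named in the permitted "sudo su - <hop_user>" rule.
        default: admin
        ini:
          - {section: sudo_su_sudo_become_plugin, key: hop_user}
        vars:
          - {name: ansible_sudo_su_sudo_hop_user}
        env:
          - {name: ANSIBLE_SUDO_SU_SUDO_HOP_USER}
"""

# Only a plain account name can ever match the sudoers rule, and the name ends up
# on a shell command line, so refuse anything else rather than trying to quote it.
_HOP_USER_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_-]*$")


def build_chain_command(success_cmd, hop_user, sudo_flags="-H -n", become_user="root"):
    """Return the shell command for the two-hop escalation.

    success_cmd is the string BecomeBase._build_success_command() produces
    (the target shell running "echo BECOME-SUCCESS-<id> ; <cmd>"), so Ansible
    can still spot its success marker in the output of the inner shell.
    """
    if not _HOP_USER_RE.match(hop_user):
        raise ValueError("hop_user %r is not a plain account name" % hop_user)
    inner = " ".join(part for part in (
        "sudo",
        sudo_flags,
        "-u %s" % become_user if become_user else "",
        success_cmd,
    ) if part)
    # shlex.quote keeps every single quote inside <inner> intact across the outer
    # /bin/sh -c, so admin's shell receives exactly one line to execute.
    return "printf '%%s\\n' %s | sudo su - %s" % (shlex.quote(inner), hop_user)


class BecomeModule(BecomeBase):
    name = "sudo_su_sudo"
    # Same sudo failure strings the stock sudo plugin watches for.
    fail = ("Sorry, try again.",)
    missing = ("Sorry, a password is required to run sudo", "sudo: a password is required")

    def build_become_command(self, cmd, shell):
        # BecomeBase generates self._id / self.success (the BECOME-SUCCESS marker) here.
        super(BecomeModule, self).build_become_command(cmd, shell)
        if not cmd:
            return cmd
        return build_chain_command(
            self._build_success_command(cmd, shell),
            hop_user=self.get_option("hop_user"),
            sudo_flags=self.get_option("become_flags") or "",
            become_user=self.get_option("become_user") or "",
        )
```

Drop the file into a become_plugins/ directory next to the playbook (or a directory listed in ANSIBLE_BECOME_PLUGINS) and select it with become_method: sudo_su_sudo in the play, or -b --become-method sudo_su_sudo on an ad-hoc command. Two caveats follow from using stdin as the command channel: Ansible pipelining must stay off (it would put the module source on the same stdin), and the inner sudo must never carry -S, which is why the default flags here are -H -n rather than the stock -H -S -n. Because su - starts a login shell, anything admin's profile prints appears in the output before the BECOME-SUCCESS marker, which Ansible tolerates. Before relying on it, check with sudo -l on the target that the permitted argv really is su - admin and nothing more, since the hop_user check only guarantees the name is a plain word, not that the rule matches it.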
