使用Ansible的"lineinfile"编辑/etc/sudoers是否安全?模块? [英] Is it safe to edit /etc/sudoers with the Ansible "lineinfile" module?
问题描述
我想根据此答案更改sudo会话超时.我可以编辑普通文件:
I want to change sudo session timeout according to this answer. I can edit ordinary file:
lineinfile:
path: /etc/sudoers
regexp: ^Defaults env_reset
line: Defaults env_reset,timestamp_timeout=60
但是在我的/etc/sudoers
的第一行中写道:# This file MUST be edited with the 'visudo' command as root.
如何处理?
PS
尽管答案很简单,但必须阅读 Konstantin Suvorov答案关于使用lineinfile
的正确方法关于此方式可能存在的陷阱的非常有趣的 techraf答案
But in first line of my /etc/sudoers
written: # This file MUST be edited with the 'visudo' command as root.
How to deal with it?
P.S.
Despite the fact that the short answer is yes, one must read Konstantin Suvorov answer about right way to do it with lineinfile
and very interesting techraf answer about possible pitfalls on this way
推荐答案
如果您已测试语法正确,则是安全的.
鼓励visudo
的目的是通过创建无效的/etc/sudoers
(无论是拼写错误还是思维问题)来防止某人锁定自己来管理系统.
The point of encouraging visudo
is to prevent someone from locking themselves out from administering a system by creating an invalid /etc/sudoers
, whether by a typo or a thinko.
使用Ansible进行编辑时,可以在推出之前测试执行该编辑的代码,以使用实际的配置文件,环境和sudo
版本进行正确的操作.因此,对人们手工打错或语法错误的担忧不再是直接相关的.
When you're using Ansible to perform an edit, you can test the code performing that edit to do the right thing with your actual config files, environment, and version of sudo
before you roll it out. Thus, the concerns about people making a typo or a syntax error by hand aren't immediately relevant.
这篇关于使用Ansible的"lineinfile"编辑/etc/sudoers是否安全?模块?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!