具有限制权限的Ansible sudo [英] Ansible sudo with restrictive permission's

问题描述

我们有一个用例，其中ssh用户test2被授予运行另一个用户test3拥有的特定脚本的权限.以下是/etc/sudoers 文件中提供的权限.

We have a use case where the ssh user test2 is given permission to run a particular script that is owned by another user test3. Below are the permissions provided in the /etc/sudoers file.

test2 ALL=(test3) NOPASSWD: /home/test3/start.sh

当我们运行 ssh test2 @ target_host sudo -u test3/home/test3/start.sh

我们想通过ansible成为 method:sudo 和begin_user来执行ssh任务，但该命令永远无法工作.我们发现，ansible在实际执行过程中会按以下方式修改指令，并且与sudoer文件上的权限永远不匹配.

We wanted to execute the ssh task through ansible become method:sudo and become_user and that never works. what we found is that ansible modifies the instruction's as below during the actual execution and that never matches the permission's on the sudoer's file.

sudo -H -S -n  -u test3 /bin/sh -c '"'"'"'"'"'"'"'"'echo BECOME-SUCCESS-knavgwllrftljavwujkveyjcctlgkbda ; /usr/bin/python /var/tmp/ansible-tmp-1582478029.04-74694013835195/AnsiballZ_command.py'"'"'"'"'"'"'"'"' && sleep 0'"'"''

看来，我们唯一的选择是按如下方式更新权限，但这种方式对test3用户提供了完全的shell权限，这将永远无法满足我们的安全要求

it looks like our only option is to update the permission's as below but that sort of gives full shell permission's on the test3 user which will never satisfy our security requirement's

test2 ALL=(test3) NOPASSWD: /bin/sh

以前有人遇到过类似情况吗?控制执行.请注意，test2和test3是非sudo用户.

Has someone faced a similar situation like this before? for a controlled execution. Please note test2 and test3 are non sudo user's.

推荐答案

由于您只需要 test2 用户来执行 test3 拥有的那个文件，那么仅给出 test2 权限，用于读取和执行该文件(及其所在的目录):

Since you only need test2 user to execute that one file owned by test3, how about just giving test2 permission to read and execute that file (and the directory it's in):

setfacl -m u:test2:rx /home/test3
setfacl -m u:test2:rx /home/test3/start.sh

然后，您完全不需要成为东西.

Then, you don't need the become stuff at all.

这篇关于具有限制权限的Ansible sudo的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！