Ansible non-root sudo user and "become" privilege escalation


Question


I've set up a box with a user david who has sudo privileges. I can ssh into the box and perform sudo operations like apt-get install. When I try to do the same thing using Ansible's "become privilege escalation", I get a permission denied error. So a simple playbook might look like this:

simple_playbook.yml:

---
- name: Testing...
  hosts: all
  become: true
  become_user: david
  become_method: sudo

  tasks:
    - name: Just want to install sqlite3 for example...
      apt: name=sqlite3 state=present

I run this playbook with the following command:

ansible-playbook -i inventory simple_playbook.yml --ask-become-pass

This gives me a prompt for a password, which I give, and I get the following error (abbreviated):

fatal: [123.45.67.89]: FAILED! => {...
failed: E: Could not open lock file /var/lib/dpkg/lock - open (13: 
Permission denied)\nE: Unable to lock the administration directory
(/var/lib/dpkg/), are you root?\n", ...}

Why am I getting permission denied?

Additional information

I'm running Ansible 2.1.1.0 and am targeting an Ubuntu 16.04 box. If I use the remote_user and sudo options as per Ansible < v1.9, it works fine, like this:

remote_user: david
sudo: yes

Update

The local and remote usernames are the same. To get this working, I just needed to specify become: yes (see @techraf's answer):

Solution

Why am I getting permission denied?

Because APT requires root permissions (see the error: are you root?) and you are running the tasks as david.

Per these settings:

become: true
become_user: david
become_method: sudo

Ansible becomes david using the sudo method. It basically runs its Python script with sudo david in front.


the user 'david' on the remote box has sudo privileges.

It means david can execute commands (some or all) using the sudo executable to change the effective user of the child process (the command). If no username is given, the process runs as the root account.

Compare the results of these two commands:

$ sudo whoami
root
$ sudo -u david whoami
david


Back to the APT problem, you (from CLI) as well as Ansible (connecting with SSH using your account) need to run:

sudo apt-get install sqlite3

not:

sudo -u david apt-get install sqlite3

which fails with exactly the message Ansible displayed.


The following playbook will escalate by default to the root user:

---
- name: Testing...
  hosts: all
  become: true

  tasks:
    - name: Just want to install sqlite3 for example...
      apt: name=sqlite3 state=present
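The playbook above fixes the apt task by dropping become_user so that escalation targets root. In practice a play often needs both: root for package management and the unprivileged account for files that should belong to it. The following playbook is an added example, not code from the question or from techraf's answer. It assumes the inventory group all, a remote login user david (the same as the local user, as in the question) and a placeholder path under his home directory; it uses the short module names that Ansible 2.1 understands.

```yaml
---
# Added example: escalate to root at play level, override to david per task,
# and verify the effective user before anything that needs root runs.
# Assumed placeholders: hosts "all", user "david", /home/david/sqlite3-ready.
- name: Install sqlite3 as root, then set up a file as david
  hosts: all
  become: true            # no become_user here, so sudo targets root

  tasks:
    - name: Check which user the play-level escalation gives us
      command: id -un
      register: play_user
      changed_when: false

    - name: Fail early if we are not root (apt would fail with "are you root?")
      assert:
        that: play_user.stdout == "root"
        msg: "Expected root, got {{ play_user.stdout }}: check become_user"

    - name: Install sqlite3 (needs root to take /var/lib/dpkg/lock)
      apt:
        name: sqlite3
        state: present

    - name: Create a marker file owned by david, running as david
      become_user: david    # task-level override: sudo -u david for this task only
      copy:
        dest: /home/david/sqlite3-ready
        content: "installed\n"
        mode: "0644"

    - name: Check the effective user of a become_user task
      become_user: david
      command: id -un
      register: task_user
      changed_when: false

    - name: Confirm the override landed on david, not root
      assert:
        that: task_user.stdout == "david"
        msg: "Expected david, got {{ task_user.stdout }}"
```

Run it the same way as in the question, ansible-playbook -i inventory mixed_become.yml --ask-become-pass. The password prompted for is always the sudo password of the SSH login user, because sudo authenticates the invoking user regardless of the -u target; setting become_user: david on a task changes who the command runs as, not whose password sudo asks for.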
