使用 Ansible “lineinfile"编辑/etc/sudoers 是否安全?模块? [英] Is it safe to edit /etc/sudoers with the Ansible "lineinfile" module?

问题描述

我想根据 this 答案更改 sudo 会话超时.我可以编辑普通文件:

I want to change sudo session timeout according to this answer. I can edit ordinary file:

lineinfile:
  path: /etc/sudoers
  regexp: ^Defaults  env_reset
  line: Defaults  env_reset,timestamp_timeout=60

但是在我的 /etc/sudoers 的第一行写: # 这个文件必须以 root 的身份使用 'visudo' 命令进行编辑. 如何处理它?
附注
尽管简短的回答是肯定的，但您必须阅读Konstantin Suvorov 的答案，了解使用 的正确方法lineinfile 和非常有趣的 techraf 回答关于这种方式可能存在的陷阱

But in first line of my /etc/sudoers written: # This file MUST be edited with the 'visudo' command as root. How to deal with it?
P.S.
Despite the fact that the short answer is yes, one must read Konstantin Suvorov answer about right way to do it with lineinfile and very interesting techraf answer about possible pitfalls on this way

推荐答案

如果您已经测试过语法正确，那就安全了.

鼓励 visudo 的目的是防止某人通过创建无效的 /etc/sudoers 来阻止自己管理系统，无论是打字错误还是想法.

The point of encouraging visudo is to prevent someone from locking themselves out from administering a system by creating an invalid /etc/sudoers, whether by a typo or a thinko.

当您使用 Ansible 执行编辑时，您可以测试执行该编辑的代码，以使用您的实际配置文件、环境和 sudo 版本在滚动之前执行正确的操作出去.因此，人们对手工输入拼写错误或语法错误的担忧并不直接相关.

When you're using Ansible to perform an edit, you can test the code performing that edit to do the right thing with your actual config files, environment, and version of sudo before you roll it out. Thus, the concerns about people making a typo or a syntax error by hand aren't immediately relevant.

这篇关于使用 Ansible “lineinfile"编辑/etc/sudoers 是否安全?模块?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！