使用 Ansible “lineinfile"编辑/etc/sudoers 是否安全?模块? [英] Is it safe to edit /etc/sudoers with the Ansible "lineinfile" module?
问题描述
我想根据 this 答案更改 sudo 会话超时.我可以编辑普通文件:
I want to change sudo session timeout according to this answer. I can edit ordinary file:
lineinfile:
path: /etc/sudoers
regexp: ^Defaults env_reset
line: Defaults env_reset,timestamp_timeout=60
但是在我的 /etc/sudoers
的第一行写: # 这个文件必须以 root 的身份使用 'visudo' 命令进行编辑.
如何处理它?
附注
尽管简短的回答是肯定的,但您必须阅读Konstantin Suvorov 的答案,了解使用 的正确方法lineinfile
和非常有趣的 techraf 回答关于这种方式可能存在的陷阱
But in first line of my /etc/sudoers
written: # This file MUST be edited with the 'visudo' command as root.
How to deal with it?
P.S.
Despite the fact that the short answer is yes, one must read Konstantin Suvorov answer about right way to do it with lineinfile
and very interesting techraf answer about possible pitfalls on this way
推荐答案
如果您已经测试过语法正确,那就安全了.
鼓励 visudo
的目的是防止某人通过创建无效的 /etc/sudoers
来阻止自己管理系统,无论是打字错误还是想法.
The point of encouraging visudo
is to prevent someone from locking themselves out from administering a system by creating an invalid /etc/sudoers
, whether by a typo or a thinko.
当您使用 Ansible 执行编辑时,您可以测试执行该编辑的代码,以使用您的实际配置文件、环境和 sudo
版本在滚动之前执行正确的操作出去.因此,人们对手工输入拼写错误或语法错误的担忧并不直接相关.
When you're using Ansible to perform an edit, you can test the code performing that edit to do the right thing with your actual config files, environment, and version of sudo
before you roll it out. Thus, the concerns about people making a typo or a syntax error by hand aren't immediately relevant.
这篇关于使用 Ansible “lineinfile"编辑/etc/sudoers 是否安全?模块?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!