具有限制性权限的 Ansible sudo [英] Ansible sudo with restrictive permission's

问题描述

我们有一个用例，其中 ssh 用户 test2 被授予运行另一个用户 test3 拥有的特定脚本的权限.以下是 /etc/sudoers 文件中提供的权限.

We have a use case where the ssh user test2 is given permission to run a particular script that is owned by another user test3. Below are the permissions provided in the /etc/sudoers file.

test2 ALL=(test3) NOPASSWD: /home/test3/start.sh

当我们运行 ssh test2@target_host sudo -u test3/home/test3/start.sh

我们想通过 ansible become method:sudo 和 become_user 来执行 ssh 任务，但这是行不通的.我们发现 ansible 在实际执行过程中修改了如下指令，并且永远不会匹配 sudoer 文件的权限.

We wanted to execute the ssh task through ansible become method:sudo and become_user and that never works. what we found is that ansible modifies the instruction's as below during the actual execution and that never matches the permission's on the sudoer's file.

sudo -H -S -n  -u test3 /bin/sh -c '"'"'"'"'"'"'"'"'echo BECOME-SUCCESS-knavgwllrftljavwujkveyjcctlgkbda ; /usr/bin/python /var/tmp/ansible-tmp-1582478029.04-74694013835195/AnsiballZ_command.py'"'"'"'"'"'"'"'"' && sleep 0'"'"''

看起来我们唯一的选择是更新权限，如下所示，但这种授予 test3 用户完整 shell 权限的方式永远不会满足我们的安全要求

it looks like our only option is to update the permission's as below but that sort of gives full shell permission's on the test3 user which will never satisfy our security requirement's

test2 ALL=(test3) NOPASSWD: /bin/sh

之前有人遇到过类似的情况吗?用于受控执行.请注意 test2 和 test3 不是 sudo 用户.

Has someone faced a similar situation like this before? for a controlled execution. Please note test2 and test3 are non sudo user's.

推荐答案

既然你只需要 test2 用户来执行 test3 拥有的那个文件，那么只给test2 读取和执行该文件(及其所在目录)的权限:

Since you only need test2 user to execute that one file owned by test3, how about just giving test2 permission to read and execute that file (and the directory it's in):

setfacl -m u:test2:rx /home/test3
setfacl -m u:test2:rx /home/test3/start.sh

那么，你根本不需要 become 的东西.

Then, you don't need the become stuff at all.

这篇关于具有限制性权限的 Ansible sudo的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！