I have to administer some half-managed servers (mostly CentOS 6), where we are only allowed to login as a regular user, then do "sudo su -" and type the regular user password, and then run the commands within the root shell. I have been searching how to do this with some configuration management tools (ansible, capistrano, etc.), but haven't found anything. Any experience with a similar situation? I have to say we are NOT able/allowed to change the allowed sudo commands, so it's mandatory that the tools use "sudo su -" and then run the appropriate commands. Also, we are not allowed to install any software on the machines (yes, it is a very restrictive client), so all commands must be run using ssh and password authentication.

Regards and thanks in advance.

okelet
  • So you can't modify what commands you can use with sudo, but sudo su is allowed? What? – MDMarra Jan 02 '15 at 20:54
  • Yes, we have root permissions using sudo su -, but we are not allowed to do any substantial change in the systems, just verify the services are working, apply some patches, etc. – okelet Jan 02 '15 at 21:00
  • Can you at least put a wrapper script that you can run with ansible's `sudo_exe` option and convert the execution to `sudo su - -c ...` (exercise for the reader: handle all the options ansible might use on sudo) or no changes to the server at all? – DerfK Jan 02 '15 at 21:18
  • It looks like the [playbooks for ansible](http://docs.ansible.com/playbooks_intro.html) support destination users in sudo – Aaron Jan 02 '15 at 21:24
  • please share the relevant section of your `/etc/sudoers`. – tedder42 Jan 02 '15 at 21:29
  • @tedder42 The line in sudoers with the user we use is "myuser ALL=/bin/su -". – okelet Jan 02 '15 at 22:16
  • @DerfK, unfortunately, I think the previous sudoers line doesn't allow passing additional parameters to the su command (-c ....); the behaviour should be to open a new shell using sudo and then run the needed commands... Too tricky? – okelet Jan 02 '15 at 22:16
  • @okelet unless there's something specifying `!su - -c` that sudoers line should allow any command **starting** with `/bin/su -` – DerfK Jan 02 '15 at 22:21
  • that sudoers line is really strange. really strange. it defeats the purpose of sudo. – tedder42 Jan 03 '15 at 01:02
  • This is the same at my company. I think they want to avoid scripting into 'sudo', which is exactly what ansible is doing. This effectively blocks ansible from being usable in this type of installation. Of course, being root via "sudo su -", you can do whatever you want, but it's probably against policy to circumvent this while in that capacity. – Quartz Oct 20 '15 at 17:25
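As an added illustration (not code from any participant), here is a small matcher that follows the sudoers(5) rule for command-line arguments: a Cmnd listed without arguments may be run with any arguments, while a Cmnd listed with arguments only matches when the user's arguments are identical to them (or fit their wildcards). Run against the `myuser ALL=/bin/su -` line quoted above, it shows which invocations that entry actually permits. It assumes the command path has already been resolved to `/bin/su` and simplifies host matching to `ALL`.

```python
import fnmatch

# Constructed from the sudoers line quoted in the comments above.
SUDOERS_RULE = "myuser ALL=/bin/su -"


def parse_rule(rule):
    """Split a one-line 'user host=cmnd [args]' entry (no tags, no Runas list).

    Returns (user, host, command_path, args) where args is None when the
    Cmnd was listed without arguments."""
    user, rest = rule.split(None, 1)
    host, cmnd = rest.split("=", 1)
    parts = cmnd.strip().split(None, 1)
    path = parts[0]
    args = parts[1] if len(parts) > 1 else None
    return user, host.strip(), path, args


def cmnd_allows(rule, user, argv):
    """Decide whether `user` may run argv (argv[0] = resolved path) under `rule`.

    sudoers(5): no args in the Cmnd -> any arguments are allowed;
    args present -> user's arguments must match exactly or via wildcards;
    the special args "" -> the command must be run with no arguments.
    Host matching is simplified: only ALL is honoured (assumption)."""
    r_user, r_host, r_path, r_args = parse_rule(rule)
    if user != r_user or r_host != "ALL":
        return False
    if argv[0] != r_path:
        return False
    if r_args is None:
        return True
    if r_args == '""':
        return len(argv) == 1
    # sudo compares the space-joined argument string against the pattern;
    # '*' may span whitespace, so it can cover several arguments at once.
    return fnmatch.fnmatchcase(" ".join(argv[1:]), r_args)


if __name__ == "__main__":
    for argv in (["/bin/su", "-"], ["/bin/su", "-", "-c", "id"], ["/bin/su"]):
        verdict = "allowed" if cmnd_allows(SUDOERS_RULE, "myuser", argv) else "denied"
        print(f"{' '.join(argv):<22} -> {verdict}")
```

Under the quoted line only the bare `su -` matches; appending `-c` would need a rule such as `myuser ALL=/bin/su - -c *` or a Cmnd without arguments.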

2 Answers


Change privilege escalation in ansible.cfg:

```ini
[privilege_escalation]
become_exe='sudo su -'
```

Documentation here

Josh Zhang

If you have sudo, you can use Fabric for code deployments (and use it to hook into git), installing and removing software (though I guess you won't need that functionality), create/remove users, and other uses like that. It's not as feature rich as configuration management software like Puppet, but you can get a lot done with it, and it's reasonably quick and easy to learn.

  • The OP doesn't have `sudo` but `sudo su -`. The latter is a major PITA for automation; apparently internal rules prohibit changing that setting (even if it would be technically possible) – Martin M. Jan 13 '15 at 13:26