Ansible权限升级变得没有-u标志
没有Ansible权限升级变得没有-u标志,ansible,Ansible,没有-u标志(sudo su-test\u user而不是sudo su-u test\u user)如何成为某个用户 目录(主机) ansible.cfg: [defaults] timeout=30 [privilege_escalation] become_method="sudo" become_flags="su" 在目标机器上: $ sudo -l User foo may run the following commands on test0001: (root) N
-usudo su-test\u usersudo su-u test\u user[defaults]
timeout=30
[privilege_escalation]
become_method="sudo"
become_flags="su"
$ sudo -l
User foo may run the following commands on test0001:
(root) NOPASSWD: /bin/su test_user
<test0001> (0, b'', b'')
<test0001> ESTABLISH SSH CONNECTION FOR USER: None
<test0001> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=30 -o ControlPath=/home/foo/.ansible/cp/c7eeb339b6 -tt test0001 '/bin/sh -c '"'"'sudo su -u test_user /bin/sh -c '"'"'"'"'"'"'"'"'echo BECOME-SUCCESS-geolooxawvydfclkjnetjajadmffqjvz ; /usr/bin/python /var/tmp/ansible-tmp-1578410709.7699296-180938533114945/AnsiballZ_setup.py'"'"'"'"'"'"'"'"' && sleep 0'"'"''
fatal: [test0001]: FAILED! => {
"msg": "Timeout (32s) waiting for privilege escalation prompt: \r\nWe trust you have received the usual lecture from the local System\r\nAdministrator. It usually boils down to these three things:\r\n\r\n #1) Respect the privacy of others.\r\n #2) Think before you type.\r\n #3) With great power comes great responsibility.\r\n\r\n"
}
(0,b'',b'')
为用户建立SSH连接:无
SSH:EXEC SSH-C-o ControlMaster=auto-o ControlPersist=60s-o KbdInteractiveAuthentication=no-o PreferredAuthentications=gssapi with mic,gssapi-keyex,hostbased,publickey-o PasswordAuthentication=no-o ConnectTimeout=30-o ControlPath=/home/foo/.ansible/cp/c7eeb339b6-tt test0001'/bin/sh-C''sudo su-u-u-test'u user/bin/sh/sh-sh-C''“echo获得成功Geolouxawvydfclkjnetjadmffqjvz/usr/bin/python/var/tmp/ansible-tmp-1578410709.76996-180938533114945/AnsiballZ_setup.py''''''和睡眠0'''
致命:[test0001]:失败!=>{
“msg”:“等待权限提升提示超时(32秒):\r\n我们相信您已经收到了本地系统管理员的常规讲座。\r\n通常归结为以下三件事:\r\n\r\n\1)尊重他人的隐私。\r\n\2)打字前要三思。\r\n\3)权力越大,责任越大。\r\n\r\n”
}
sudo su-u test\u usertest\u用户。实际上,我希望它变成test\u user
,使用sudo su test\u user
(因此没有-u
标志)。如何告知ansible不包含-u
标志
请注意,我无法更改sudoers文件。尝试限制ansible用户在升级权限无效时可以运行的命令。这是您可以在文档中找到的已知限制:。您可以在“我不试图限制ansible用户在升级权限时可以运行的命令”中找到更详细的解释。我希望我的剧本中的所有命令都以某个用户的身份运行。你在评论中的解释与你问题中的sudo-l
的输出不一致。您将用户foo
限制为只能运行/bin/su test\u user
。如上所述,这根本不可能奏效。我认为您误解了sudo-l
所显示的内容。它显示某个用户可以使用sudo
运行的命令。请注意,我删除了文件中包含的所有其他不必要的信息(例如我可以使用sudo
运行的与此问题无关的其他命令)。我只想表明我可以通过sudo su test\u user
而不是sudo su-u test\u user
(ansible尝试这么做)。我了解到的是,你正在通过用户foo
连接到你的遥控器,你想成为test\u user
。您限制了foo
可以运行到/bin/su test\u user
的升级命令(可能还有一些您在问题中没有显示的其他命令)。由于特权升级必须是一般性的,正如我在第一个链接中所解释的,这将不起作用。
<test0001> (0, b'', b'')
<test0001> ESTABLISH SSH CONNECTION FOR USER: None
<test0001> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=30 -o ControlPath=/home/foo/.ansible/cp/c7eeb339b6 -tt test0001 '/bin/sh -c '"'"'sudo su -u test_user /bin/sh -c '"'"'"'"'"'"'"'"'echo BECOME-SUCCESS-geolooxawvydfclkjnetjajadmffqjvz ; /usr/bin/python /var/tmp/ansible-tmp-1578410709.7699296-180938533114945/AnsiballZ_setup.py'"'"'"'"'"'"'"'"' && sleep 0'"'"''
fatal: [test0001]: FAILED! => {
"msg": "Timeout (32s) waiting for privilege escalation prompt: \r\nWe trust you have received the usual lecture from the local System\r\nAdministrator. It usually boils down to these three things:\r\n\r\n #1) Respect the privacy of others.\r\n #2) Think before you type.\r\n #3) With great power comes great responsibility.\r\n\r\n"
}