Is there a good way to use the “become: yes” for the needed escalation to sudo for a handful of commands which need it while limiting the user’s access to passwordless root? I’ve added this line to /etc/sudoers.d/$USER

(username) ALL=(ALL:ALL) NOPASSWD: /usr/sbin/omv-upgrade, /usr/sbin/reboot

Which should allow my user to use the omv-upgrade script (which does some apt stuff) without a password prompt for sudo. This allows it to perform the needed apt commands for an upgrade without actually giving full apt access to install whatever. Likewise with reboot, though I’m not sure which command ansible will actually try with these:

    - name: Check if a reboot is required.
      ansible.builtin.stat:
        path: /var/run/reboot-required
        get_md5: no
      register: reboot_required_file

    - name: Reboot the server (if required).
      ansible.builtin.reboot:
      when: reboot_required_file.stat.exists == true

I presume it’s that reboot, but maybe it’ll try the systemctl one instead. Is there a better method to give the user the needed passwordless sudo actions without the security risk of opening everything up to that user (which I don’t want to do at all)

  • exu@feditown.com
    link
    fedilink
    English
    arrow-up
    2
    ·
    2 years ago

    Am I understanding correctly, that you want to execute only some tasks with sudo and the rest without elevating privileges?

    In that case, you can just put become: yes into the tasks you want to execute with privileges. Remove the become: yes at the top of your playbook.

    Something like this.

        - name: Check if a reboot is required.
          ansible.builtin.stat:
            path: /var/run/reboot-required
            get_md5: no
          register: reboot_required_file
    
        - name: Reboot the server (if required).
          ansible.builtin.reboot:
          when: reboot_required_file.stat.exists == true
          become: yes