Is it safe to edit /etc/sudoers with the Ansible "lineinfile" module?

I want to change the sudo session timeout according to this answer. I can edit a regular file:

    lineinfile:
      path: /etc/sudoers
      regexp: ^Defaults env_reset
      line: Defaults env_reset,timestamp_timeout=60

But the first line of my /etc/sudoers says: # This file MUST be edited with the 'visudo' command as root. How should I deal with that?

PS: Although the short answer is yes, do read Konstantin Suvorov's answer on the right way to do this with lineinfile, and techraf's very interesting answer on the possible traps along the way.

+5

5 answers

It is safe if you check that the syntax is correct.

The point of encouraging visudo is to prevent anyone from locking themselves out of administering the system by creating an invalid /etc/sudoers, whether through a typo or a thinko.

When you use Ansible to perform the edit, you can test the code that performs this edit and confirm it works properly with your actual configuration files, environment and sudo version before you roll it out. So the problems people run into when making a typo or a syntax error by hand don't apply directly.

+5

For such cases there is a safety net: the validate option.

The validation command to run before copying into place. The path to the file to validate is passed in via '%s', which must be present, as in the example below. The command is passed securely, so shell features like expansion and pipes will not work.

If you look at the examples section of the lineinfile module documentation, you will see exactly what you need:

    # Validate the sudoers file before saving
    - lineinfile:
        path: /etc/sudoers
        state: present
        regexp: '^%ADMIN ALL='
        line: '%ADMIN ALL=(ALL) NOPASSWD: ALL'
        validate: '/usr/sbin/visudo -cf %s'
+8
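The "write to a temporary file, validate it, then move it into place" flow that the validate option gives you, spelled out in plain Python so the individual safety steps are visible. This is an added example, not code from the original answers or from Ansible itself; it assumes the real check is `/usr/sbin/visudo -cf %s` (the command from the Ansible docs example quoted above) and, for machines without visudo, uses two labelled stand-in validators (ACCEPT_ALL, REJECT_ALL) that are assumptions of this example only.

```python
import os
import shlex
import shutil
import subprocess
import sys
import tempfile

# The real check, exactly as in the Ansible docs example above. visudo -c
# with an explicit -f path checks syntax only, so it does not complain that
# the temp file is not yet root:root 0440.
VISUDO = "/usr/sbin/visudo -cf %s"

# ASSUMPTION: stand-in validators for hosts without visudo; one accepts every
# file, the other rejects every file. Used only to exercise the flow offline.
ACCEPT_ALL = sys.executable + " -c pass %s"
REJECT_ALL = sys.executable + " -c 'raise SystemExit(1)' %s"


def validator_argv(validate_cmd, path):
    """Build argv the way Ansible's validate option does: substitute %s, then
    shlex-split. No shell is involved, so '|', '>' or '$VAR' arrive as literal
    arguments; that is why pipes and expansion inside validate: do not work."""
    if "%s" not in validate_cmd:
        raise ValueError("validate command must contain %s")
    return shlex.split(validate_cmd % path)


def validate_file(path, validate_cmd):
    """True iff the validator exits 0. A validator that cannot even be started
    counts as a failure, so a missing visudo never lets a bad file through."""
    try:
        proc = subprocess.run(validator_argv(validate_cmd, path),
                              stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    except OSError:
        return False
    return proc.returncode == 0


def install_validated(dest, content, validate_cmd=VISUDO, mode=0o440):
    """Write content to a temp file beside dest, validate it, then rename it
    over dest atomically. dest is never left half-written or syntactically
    invalid. Returns True if installed, False if the validator rejected it;
    a rejected temp file is deleted and dest is untouched."""
    dest_dir = os.path.dirname(os.path.abspath(dest))
    fd, tmp = tempfile.mkstemp(prefix=".sudoers.", dir=dest_dir)
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(content)
        os.chmod(tmp, mode)
        if not validate_file(tmp, validate_cmd):
            return False
        os.replace(tmp, dest)   # atomic on POSIX: readers see old or new, never partial
        tmp = None
        return True
    finally:
        if tmp is not None:
            os.unlink(tmp)


if __name__ == "__main__":
    # Constructed samples: a valid drop-in and one with a syntax error (missing ')').
    good = "Defaults env_reset,timestamp_timeout=60\n"
    bad = "root ALL=(ALL ALL\n"
    if shutil.which("visudo"):
        cmd = VISUDO
    else:
        cmd = ACCEPT_ALL
        print("visudo not found: using the accept-all stand-in, so the bad file will pass too")
    with tempfile.TemporaryDirectory() as d:
        dest = os.path.join(d, "timeout")
        print("good installed:", install_validated(dest, good, cmd))
        print("bad installed: ", install_validated(dest, bad, cmd))
        print("argv for a piped validate:", validator_argv("visudo -cf %s | grep -q parsed", dest))
```

Run it as a user who can execute visudo on a real host to see the syntax error rejected; the printed argv for the piped command shows the '|' and 'grep' being handed to visudo as ordinary arguments, which is the behaviour the module documentation warns about.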

While this answer identifies the issue correctly, and this one mitigates the potential problems, take a look at your code.

You are asking Ansible to (possibly) replace the line defined as:

    regexp: ^Defaults env_reset

This is clearly bad practice, and if it is repeated for a parameter other than Defaults in the sudoers file, it can cause a critical problem.


Normally, Defaults is a configuration parameter, and env_reset is one of the possible values.

You cannot assume that the actual configuration file will always contain the string ^Defaults env_reset .

If a different value was specified, the regex will not match, and you will add a second line starting with Defaults .


So the correct way to use lineinfile is to use the regexp argument to match only the configuration parameter, not its value. In your case:

    regexp: ^Defaults
    line: Defaults env_reset,timestamp_timeout=60

Another potential pitfall is that sudoers contains sections that must appear in the correct order. If the file you run lineinfile against does not contain a line matching the regular expression, lineinfile will add a new line at the end of the file, where it may be ignored or cause an error (though that should be caught by validation), and will most likely cause confusion if someone looks at the file later. It would therefore be advisable to specify insertafter or insertbefore.

+4
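To make the traps in this answer concrete, here is an added example (not code from the original answer or from Ansible) that emulates the documented lineinfile rules for state=present: when regexp matches, only the last matching line is replaced; when it matches nothing, the line is inserted after the last insertafter match (or before the last insertbefore match) and otherwise appended at EOF. The sample sudoers is constructed to look like a Debian default, where Defaults lines are tab-separated, which is exactly the kind of difference that defeats a regexp like `^Defaults env_reset`. The EOF/BOF keywords, backrefs and firstmatch are not modelled; the regexps and messages used here are this example's own, and which one is appropriate depends on your actual file.

```python
import re

# Constructed sample resembling a Debian default /etc/sudoers (tab-separated
# Defaults lines). Not a real file from any system.
SAMPLE_SUDOERS = """\
Defaults\tenv_reset
Defaults\tmail_badpass
Defaults\tsecure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
root\tALL=(ALL:ALL) ALL
%sudo\tALL=(ALL:ALL) ALL
#includedir /etc/sudoers.d
"""


def lineinfile(text, line, regexp=None, insertafter=None, insertbefore=None):
    """Simplified emulation of Ansible lineinfile (state=present).
    Returns (new_text, message) where message is one of
    "unchanged", "line replaced", "line added"."""
    lines = text.splitlines()
    matcher = re.compile(regexp) if regexp is not None else None
    ins_pat = insertafter or insertbefore
    ins_re = re.compile(ins_pat) if ins_pat else None
    found = -1    # index of the LAST line matching regexp (or equal to line)
    anchor = -1   # insertion index derived from the LAST insertafter/before match
    for i, cur in enumerate(lines):
        hit = matcher.search(cur) if matcher is not None else (cur == line)
        if hit:
            found = i
        elif ins_re is not None and ins_re.search(cur):
            anchor = i + 1 if insertafter else i
    if found != -1:
        if lines[found] == line:
            return text, "unchanged"
        lines[found] = line
        msg = "line replaced"
    elif anchor != -1:
        lines.insert(anchor, line)
        msg = "line added"
    else:
        lines.append(line)          # default: EOF, after #includedir here
        msg = "line added"
    return "\n".join(lines) + "\n", msg


def defaults_lines(text):
    """Helper for the demo: the Defaults entries currently in the file."""
    return [l for l in text.splitlines() if l.startswith("Defaults")]


if __name__ == "__main__":
    want = "Defaults env_reset,timestamp_timeout=60"

    # Trap 1: value in the regexp. Tab instead of space -> no match -> duplicate
    # Defaults env_reset appended after #includedir.
    new, msg = lineinfile(SAMPLE_SUDOERS, want, regexp="^Defaults env_reset")
    print("1:", msg, defaults_lines(new))

    # Trap 2: parameter-only regexp, but the file has several Defaults lines.
    # Only the LAST match is replaced, so secure_path silently disappears.
    new, msg = lineinfile(SAMPLE_SUDOERS, want, regexp="^Defaults")
    print("2:", msg, defaults_lines(new))

    # Regexp that matches the parameter with any whitespace, before and after
    # the edit: replaces in place and is idempotent on a second run.
    pat = r"^Defaults\s+env_reset"
    new, msg = lineinfile(SAMPLE_SUDOERS, want, regexp=pat)
    again, msg2 = lineinfile(new, want, regexp=pat)
    print("3:", msg, "then", msg2, defaults_lines(again))

    # Separate parameter line anchored after the last Defaults line, so it does
    # not land at EOF and does not touch the other Defaults values.
    sep = "Defaults timestamp_timeout=60"
    new, msg = lineinfile(SAMPLE_SUDOERS, sep,
                          regexp=r"^Defaults\s+timestamp_timeout", insertafter="^Defaults")
    print("4:", msg, new.splitlines()[:5])
```

Case 2 is the one to remember: a regexp that matches more than one line is not "safer" than one that matches none, because lineinfile rewrites the last match, and on a Debian-style file that is the secure_path line. Always run the resulting file through visudo -cf (validate:) regardless of which regexp you settle on.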

I think you are missing the fact that you need sudo access to edit /etc/sudoers. To get that in Ansible, you just need to add the become flag.

    - name: Change Sudo Timeout
      become: yes
      lineinfile:
        path: /etc/sudoers
        regexp: ^Defaults env_reset
        line: Defaults env_reset,timestamp_timeout=60
+1

Instead of editing /etc/sudoers directly, you can put the desired setting in a file under the /etc/sudoers.d directory, like this:

    - name: Change sudo session timeout
      lineinfile:
        dest: /etc/sudoers.d/ssh_session_timeout
        line: 'Defaults env_reset,timestamp_timeout=60'
        create: yes
        owner: root
        group: root
        mode: "0440"
        state: present
        validate: 'visudo -c -f %s'
0

Source: https://habr.com/ru/post/1272572/
