Is it safe to edit /etc/sudoers with the Ansible “lineinfile” module?

前端 未结 5 2464
长情又很酷
长情又很酷 2021-02-20 04:08

I want to change sudo session timeout according to this answer. I can edit ordinary file:

lineinfile:
  path: /etc/sudoers
  regexp: ^Defaults  env_reset
  line:         


        
5条回答
  •  你的背包
    2021-02-20 04:27

    There's a safenet option for such cases: validate.

    The validation command to run before copying into place. The path to the file to validate is passed in via '%s' which must be present as in the example below. The command is passed securely so shell features like expansion and pipes won't work.

    If you look at the examples section of lineinfile module, you'll see exactly what you need:

    # Validate the sudoers file before saving
    - lineinfile:
        path: /etc/sudoers
        state: present
        regexp: '^%ADMIN ALL='
        line: '%ADMIN ALL=(ALL) NOPASSWD: ALL'
        validate: '/usr/sbin/visudo -cf %s'
    

提交回复
热议问题