I want to change sudo session timeout according to this answer. I can edit ordinary file:
lineinfile:
  path: /etc/sudoers
  regexp: ^Defaults env_reset
  line:
While this answer defines things correctly and this one provides a mitigation to potential problems, let's look at your code.
You ask Ansible to (potentially) replace the line defined in the following way:
regexp: ^Defaults env_reset
This is clearly a bad practice and, if repeated for a parameter other than Defaults in the sudoers file, it is likely to cause a critical problem.
Generally, Defaults is the configuration parameter and env_reset is one of the possible values.
You cannot assume that the actual configuration file will always contain the ^Defaults env_reset string.
If there was a different value set, the regexp wouldn't match and you'd end up adding a second line starting with Defaults.
So the proper way to use lineinfile is to use the regexp argument to match only the configuration parameter, not its value. In your case:
regexp: ^Defaults
line: Defaults env_reset,timestamp_timeout
The other potential pitfall is that sudoers contains sections which should be written in proper order. If the file you modify does not contain the line specified by the regular expression, lineinfile will add a new line to the end of the file, where it might get ignored, or result in an error (but that should be discovered by validation), and most likely cause confusion if a human looked at the file later. So it might be wise to specify insertafter or insertbefore.