Is it safe to edit /etc/sudoers with the Ansible “lineinfile” module?

前端 未结 5 2460
长情又很酷
长情又很酷 2021-02-20 04:08

I want to change sudo session timeout according to this answer. I can edit ordinary file:

lineinfile:
  path: /etc/sudoers
  regexp: ^Defaults  env_reset
  line:         


        
相关标签:
5条回答
  • 2021-02-20 04:27

    There's a safenet option for such cases: validate.

    The validation command to run before copying into place. The path to the file to validate is passed in via '%s' which must be present as in the example below. The command is passed securely so shell features like expansion and pipes won't work.

    If you look at the examples section of lineinfile module, you'll see exactly what you need:

    # Validate the sudoers file before saving
    - lineinfile:
        path: /etc/sudoers
        state: present
        regexp: '^%ADMIN ALL='
        line: '%ADMIN ALL=(ALL) NOPASSWD: ALL'
        validate: '/usr/sbin/visudo -cf %s'
    
    0 讨论(0)
  • 2021-02-20 04:31

    It's safe if you've tested the syntax to be correct.

    The point of encouraging visudo is to prevent someone from locking themselves out from administering a system by creating an invalid /etc/sudoers, whether by a typo or a thinko.

    When you're using Ansible to perform an edit, you can test the code performing that edit to do the right thing with your actual config files, environment, and version of sudo before you roll it out. Thus, the concerns about people making a typo or a syntax error by hand aren't immediately relevant.

    0 讨论(0)
  • 2021-02-20 04:40

    Instead of directly editing the /etc/sudoers you can place your desired setting into the /etc/sudoers.d directory like this:

    - name: Change sudo session timeout
      lineinfile:
        dest: /etc/sudoers.d/ssh_session_timeout
        line: 'Defaults  env_reset,timestamp_timeout=60K'
        create: yes
        owner: root 
        group: root 
        mode: "0440"
        state: present
        validate: 'visudo -c -f %s'
    
    0 讨论(0)
  • 2021-02-20 04:50

    I think what you are missing is that in order to edit /etc/sudoers you need sudo-access. To do this in Ansible, you just need to add the become flag.

    name: Change Sudo Timeout
    become: yes
    lineinfile:
      path: /etc/sudoers
      regexp: ^Defaults  env_reset
      line: Defaults  env_reset,timestamp_timeout=60
    
    0 讨论(0)
  • 2021-02-20 04:51

    While this answer defines things correctly and this one provides a mitigation to potential problems, let's look at your code.

    You ask Ansible to (potentially) replace the line defined in the following way:

    regexp: ^Defaults  env_reset
    

    This is clearly a bad practice and if repeated for a parameter other than Defaults in sudoers file, it is likely to cause a critical problem.


    Generally Defaults is the configuration parameter and env_reset is one of possible values.

    You cannot assume that the actual configuration file will always contain ^Defaults env_reset string.

    If there was a different value set, the regexp wouldn't match and you'd end up adding a second line starting with Defaults.


    So the proper way to use lineinfile is to use regexp argument to match only the configuration parameter, not its value. In your case:

    regexp: ^Defaults
    line: Defaults  env_reset,timestamp_timeout
    

    The other potential pitfall is that sudoers contain sections which should be written in proper order. If the file you modify does not contain the line specified by the regular expression, lineinfile will add a new line to the end of the file, where it might get ignored, or result in an error (but that should be discovered by validation), and most likely cause confusion if human looked at the file later. So it might be wise to specify insertafter or insertbefore.

    0 讨论(0)
提交回复
热议问题