Ansible, become: yes, and granting access to specific sudo commands without a password
Is there a good way to use the "become: yes" for the needed escalation to sudo for a handful of commands which need it while limiting the user's access to passwordless root? I've added this line to /etc/sudoers.d/$USER
(username) ALL=(ALL:ALL) NOPASSWD: /usr/sbin/omv-upgrade, /usr/sbin/reboot
Which should allow my user to use the omv-upgrade script (which does some apt stuff) without a password prompt for sudo. This allows it to perform the needed apt commands for an upgrade without actually giving full apt access to install whatever. Likewise with reboot, though I'm not sure which command ansible will actually try with these:
    - name: Check if a reboot is required.
      ansible.builtin.stat:
        path: /var/run/reboot-required
        get_md5: no
      register: reboot_required_file

    - name: Reboot the server (if required).
      ansible.builtin.reboot:
      when: reboot_required_file.stat.exists == true
I presume it's that reboot, but maybe it'll try the systemctl one instead. Is there a better method to give the user the needed passwordless sudo actions without the security risk of opening everything up to that user (which I don't want to do at all)?
Am I understanding correctly, that you want to execute only some tasks with sudo and the rest without elevating privileges?
In that case, you can just put
become: yes
into the tasks you want to execute with privileges. Remove the become: yes
at the top of your playbook. Something like this.
We solved this with a local service account that has sudo permissions. You can try become_user and become just on the task as needed.
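As an added example (not from any of the posts above), here is how the OP's two tasks can stay inside a command-restricted NOPASSWD rule. The caveat that decides the design is how Ansible's become actually calls sudo: it wraps the module payload in `/bin/sh -c '...'`, so sudo sees `/bin/sh`, never `/usr/sbin/reboot`, and a rule naming only those two commands will not match even with per-task `become: yes`; calling sudo from the task itself, with `become` left off, executes exactly the command the rule names. The inventory group `omv`, the user `deploy`, and the sudoers file path are assumptions.

```yaml
# Added example, not from the thread. Assumes inventory group "omv" and an
# SSH user "deploy" whose only sudo rights are the two NOPASSWD commands.
#
# /etc/sudoers.d/deploy (validate it with: visudo -cf /etc/sudoers.d/deploy):
#   deploy ALL=(root) NOPASSWD: /usr/sbin/omv-upgrade "", /usr/sbin/reboot ""
# The trailing "" forbids extra arguments, so the rule cannot later be used
# as "/usr/sbin/omv-upgrade --some-other-option".
#
# Why not become: yes? Ansible's become runs the module as roughly
#   sudo -n -u root /bin/sh -c 'echo BECOME-SUCCESS-...; python3 AnsiballZ_*.py'
# so the command sudo is asked to approve is /bin/sh, which the rule above
# never matches. Putting sudo inside the task's own command line makes the
# executed command exactly the one the rule names.
- hosts: omv
  become: false                      # never escalate the whole play
  tasks:
    - name: Run the OMV upgrade script under its NOPASSWD rule
      ansible.builtin.command: sudo -n /usr/sbin/omv-upgrade
      # -n makes sudo fail immediately instead of hanging on a password
      # prompt if the sudoers rule does not match the command.

    - name: Check if a reboot is required (the flag file is readable without root)
      ansible.builtin.stat:
        path: /var/run/reboot-required
      register: reboot_required_file

    # ansible.builtin.reboot would run "shutdown -r" through the become wrapper,
    # which the rule does not cover, so issue the permitted command directly.
    - name: Reboot via the allowed command
      ansible.builtin.command: sudo -n /usr/sbin/reboot
      async: 1                       # fire and forget: the SSH session will drop
      poll: 0
      when: reboot_required_file.stat.exists

    - name: Wait for the host to come back
      ansible.builtin.wait_for_connection:
        delay: 10
        timeout: 300
      when: reboot_required_file.stat.exists
```

A quick way to confirm the rule from the Ansible user's shell is `sudo -n -l`, which lists exactly the commands allowed without a password and nothing else.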