Ansible, become: yes, and granting access to specific sudo commands without a password

Nitrousoxide@beehaw.org to Selfhosted@lemmy.world – 7 points –

Is there a good way to use the "become: yes" for the needed escalation to sudo for a handful of commands which need it while limiting the user's access to passwordless root? I've added this line to /etc/sudoers.d/$USER

(username) ALL=(ALL:ALL) NOPASSWD: /usr/sbin/omv-upgrade, /usr/sbin/reboot

Which should allow my user to use the omv-upgrade script (which does some apt stuff) without a password prompt for sudo. This allows it to perform the needed apt commands for an upgrade without actually giving full apt access to install whatever. Likewise with reboot, though I'm not sure which command ansible will actually try with these:

    - name: Check if a reboot is required.
      ansible.builtin.stat:
        path: /var/run/reboot-required
        get_md5: no
      register: reboot_required_file

    - name: Reboot the server (if required).
      ansible.builtin.reboot:
      when: reboot_required_file.stat.exists == true

I presume it's that reboot, but maybe it'll try the systemctl one instead. Is there a better method to give the user the needed passwordless sudo actions without the security risk of opening everything up to that user (which I don't want to do at all)

2

Am I understanding correctly, that you want to execute only some tasks with sudo and the rest without elevating privileges?

In that case, you can just put become: yes into the tasks you want to execute with privileges. Remove the become: yes at the top of your playbook.

Something like this.

    - name: Check if a reboot is required.
      ansible.builtin.stat:
        path: /var/run/reboot-required
        get_md5: no
      register: reboot_required_file

    - name: Reboot the server (if required).
      ansible.builtin.reboot:
      when: reboot_required_file.stat.exists == true
      become: yes

We solved this with a local service account that has sudo permissions. You can try become_user and become just on the task as needed.

become_user

set to user with desired privileges — the user you become, NOT the user you login as. Does NOT imply become: true, to allow it to be set at host level. Default value is root.