{{tag>ansible sudo bash Wrapper CA}}

= Ansible sudo su become method

N'est pas autorisé
<code bash>
sudo -u testplop ls
</code>

Mais est autorisé :
<code bash>
sudo su - testplop
</code>


''/etc/sudoers.d/userc1''
<code bash>
User_Alias      USER_T_USERC1=userc1

Cmnd_Alias      CMND_USERC1=/bin/su - oracle, \
                        /bin/su - testplop

Defaults:CMND_USERC1 !requiretty

USER_T_USERC1     ALL= EXEC: NOPASSWD: CMND_USERC1
</code>


Alors que ça serait tellement plus propre de faire :
<code bash>
Runas_Alias RUNAS_DBA_ALL = oracle, testplop
#USER_T_USERC1 ALL= (testplop) EXEC: NOPASSWD: ALL
USER_T_USERC1 ALL= (RUNAS_DBA_ALL) EXEC: NOPASSWD: ALL
</code>


== Solution 1

Utiliser le become plugin **community.general.sudosu**


Pas applicable dans notre cas, et nous avons l'erreur :
<code ->
fatal: [test-ansible]: FAILED! => {"msg": "Missing community.general.sudosu password"}
</code>


Car si il est possible de faire :
<code bash>
sudo su - testplop
</code>

Il n'est pas possible de faire :
<code bash>
sudo su -l testplop -c 'ls'
</code>

Il faudrait la conf sudoers suivantes :

<code bash>
Cmnd_Alias      CMND_USERC1=/bin/su -l oracle *, \
                        /bin/su -l testplop *
</code>

Cela n'est pas sans poser des problèmes de sécurité.

Voici la conf

<code bash>
ansible-galaxy collection install community.general
</code>


''play.yml''
<code yaml>

#!/usr/bin/ansible-playbook
---

- name: test sudosu
  hosts: srvtest
  gather_facts: false
  become_method: community.general.sudosu
  become_user: testplop
  become: true

  tasks:

    - name: test
      command: id
      register: cmd_ls

    - name: test
      debug:
        var: cmd_ls.stdout_lines
</code>


== Solution 2


Source : https://github.com/ansible/ansible/issues/12686


''/usr/local/bin/sudosu.sh''
<code bash>
#!/bin/bash
#
#sudosu.sh "user" -c "cmd"

if [ $# -lt 3 ]; then
    echo 'Not enough arguments: sudosu.sh "user" -c "cmd"' >&2
    exit 1
fi

if [ x"-c" != x"$2" ]; then
    echo 'Wrong 2nd arg: sudosu.sh "user" -c "cmd"' >&2
    exit 1
fi

printf '%s\n' "$3" | sudo su - "$1"
</code>

''play.yml''
<code yaml>
#!/usr/bin/ansible-playbook
---

- name: test
  hosts: test-ansible
  gather_facts: false
  become_method: su
  # become_flags: "su -c"
  # become_flags: "-H -S -n"   # default value
  become_exe: /usr/local/bin/sudosu.sh
  become_user: testplop
  become: true

  tasks:

    - name: test
      command: id
      register: cmd_ls
</code>      


== Autres

<code bash>
ansible-doc -t become -l
</code>