使用命令sudo rootsh -i -u root成为成为用户

时间:2019-10-09 23:47:29

标签: ansible

我对如何以root用户运行命令有疑问。该剧本非常简单,创建一个文件夹,然后更改所有者和组

  - name: install-home-db | Create scatch directory only if it is needed
    become: yes
    file:
      path: "{{ scratch_patch }}/oracle_{{ db_version | replace('.', '_') }}"
      mode: 775
      owner: "{{ oracle_user }}"
      group: "{{ oracle_group }}"
      state: directory
    register: oracle_medias

创建文件夹后出现问题,当要设置用户和组时出现问题

在远程服务器中,我没有运行任何sudo命令的权限,但是如果启动命令,我可以成为root用户

sudo rootsh -i -u root

请注意,如果仅使用此命令,则只能运行root用户

sudo rootsh -u root

它不起作用并返回

Sorry, user fcruzloz is not allowed to execute '/usr/bin/rootsh -u root' as root on dcplnx22121944.

那么我该如何使用root用户运行命令? 我尝试在ansible.cfg

中设置以下参数
[defaults]
host_key_checking             = false
# ask_pass                    = True
inventory                     = inventory/hosts
allow_world_readable_tmpfiles = true
remote_user                   = fcruzloz
executable                    = /bin/bash
timeout                       = 50


[privilege_escalation]
become_exe                    = sudo rootsh
become_user                   = root
become_flags                  = -i

但是它仍然失败,因为权限,当用-vvv运行ansible命令时,我认为罪魁祸首是在下一行

<2a00:da9:2:21ca:111:0:427:1> SSH: EXEC ssh -o ControlMaster=no -o ServerAliveInterval=50 -o StrictHostKeyChecking=no -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="fcruzloz"' -o ConnectTimeout=50 -tt 2a00:da9:2:21ca:111:0:427:1 '/bin/bash -c '"'"'sudo rootsh -i  -u root /bin/bash -c '"'"'"'"'"'"'"'"'echo BECOME-SUCCESS-eybzqcaxfeytghcwykijkpeqdlpzphdq ; /usr/bin/python /home/admin/fcruzloz/.ansible/tmp/ansible-tmp-1570663425.52-9612101629719/AnsiballZ_file.py'"'"'"'"'"'"'"'"' && sleep 0'"'"''
Escalation succeeded

检查/ var / log / messages中的错误时,这很有意义

2019-10-09T16:24:15.472458-07:00 dcplnx22121944 sudo: fcruzloz : command not allowed ; TTY=pts/14 ; PWD=/home/admin/fcruzloz ; USER=root ; COMMAND=/usr/bin/rootsh -i -u root /bin/bash -c echo BECOME-SUCCESS-eybzqcaxfeytghcwykijkpeqdlpzphdq ; /usr/bin/python /home/admin/fcruzloz/.ansible/tmp/ansible-tmp-1570663425.52-9612101629719/AnsiballZ_file.py
2019-10-09T16:24:15.625928-07:00 dcplnx22121944 sshd[16027]: Connection closed by 2a00:da9:ffa0:8601::2

如果我直接在服务器中运行ansible命令,则表示类似以下内容(这不是完全相同的命令),它将失败

fcruzloz@dcplnx22121944:/home/admin/fcruzloz> sudo rootsh -i  -u root /bin/bash -c 'echo test'
Sorry, user fcruzloz is not allowed to execute '/usr/bin/rootsh -i -u root /bin/bash -c echo test' as root on dcplnx22121944.

我想我需要做一些类似的操作,例如将命令重定向到新的root shell,但是我无法做到这一点,我尝试使用openvt,但没有得到它

那么您有什么主意吗? 在此先感谢您的帮助

我的控制机制低于linux风格

NAME="SLES"
VERSION="12-SP2"
VERSION_ID="12.2"
PRETTY_NAME="SUSE Linux Enterprise Server 12 SP2"
ID="sles"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sles:12:sp2"
SUSE Linux Enterprise Server 12 (x86_64)
VERSION = 12
PATCHLEVEL = 2

1 个答案:

答案 0 :(得分:0)

您是否尝试过'成为用户'

  become: yes
  become_method: su
  become_user: root

请参阅link,以了解Ansible中的特权升级方法。