this post was submitted on 14 Jun 2023
7 points (100.0% liked)

Selfhosted

40329 readers
410 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

Is there a good way to use the "become: yes" for the needed escalation to sudo for a handful of commands which need it while limiting the user's access to passwordless root? I've added this line to /etc/sudoers.d/$USER

(username) ALL=(ALL:ALL) NOPASSWD: /usr/sbin/omv-upgrade, /usr/sbin/reboot

Which should allow my user to use the omv-upgrade script (which does some apt stuff) without a password prompt for sudo. This allows it to perform the needed apt commands for an upgrade without actually giving full apt access to install whatever. Likewise with reboot, though I'm not sure which command ansible will actually try with these:

    - name: Check if a reboot is required.
      ansible.builtin.stat:
        path: /var/run/reboot-required
        get_md5: no
      register: reboot_required_file

    - name: Reboot the server (if required).
      ansible.builtin.reboot:
      when: reboot_required_file.stat.exists == true

I presume it's that reboot, but maybe it'll try the systemctl one instead. Is there a better method to give the user the needed passwordless sudo actions without the security risk of opening everything up to that user (which I don't want to do at all)

top 2 comments
sorted by: hot top controversial new old
[–] exu@feditown.com 2 points 1 year ago

Am I understanding correctly, that you want to execute only some tasks with sudo and the rest without elevating privileges?

In that case, you can just put become: yes into the tasks you want to execute with privileges. Remove the become: yes at the top of your playbook.

Something like this.

    - name: Check if a reboot is required.
      ansible.builtin.stat:
        path: /var/run/reboot-required
        get_md5: no
      register: reboot_required_file

    - name: Reboot the server (if required).
      ansible.builtin.reboot:
      when: reboot_required_file.stat.exists == true
      become: yes
[–] eddie@fig.systems 1 points 1 year ago

We solved this with a local service account that has sudo permissions. You can try become_user and become just on the task as needed.

become_user

set to user with desired privileges — the user you become, NOT the user you login as. Does NOT imply become: true, to allow it to be set at host level. Default value is root.