Ansible - modifying sudoers

...avoid locking yourself out

Posted by geoffm on Friday, April 17, 2015

Ansible - modifying /etc/sudoers

I have locked administrators out of using sudo with a simple typo.

With ansible you can lockup sudo on every machine with a single error. So I get pretty cautious with editing /etc/sudoers through any deployment application.

Here is a quick example of going overboard to protect your sudoers file when using ansible. This is in my $ANSIBLE_DIR/roles/common/tasks/main.yml file

- name: Copy sudoers for safety
  command: cp /etc/sudoers /etc/sudoers.tmp

    

  • 

    name: Create sudoers.bak
command: cp /etc/sudoers /etc/sudoers.bak
    

    • 

  • 

    name: Ensure admin group is in sudoers with NOPASSWD
lineinfile: "dest=/etc/sudoers.tmp state=present regexp='^%admin ' line='%admin ALL=(ALL) NOPASSWD: ALL' validate='visudo -cf %s'"
register: sudoers_tmp_ok
    

    • 

  • 

    name: Copy sudoers.tmp to sudoers
when: sudoers_tmp_ok|success
command: cp /etc/sudoers.tmp /etc/sudoers

Enjoy

-geoff-

comments powered by Disqus
CATALOG
    FEATURED TAGS
    ale awk bottle cms coding convert debug development devops fabric financial grovepi gtoolz history hugo jekyll js linters markdown musings php plugins productivity python raspberry rdp scripting scripts sed sudo templates vaccination vim visudo wsgi xargs