Menu

Subscribe

Ansible - modifying sudoers

Ansible - modifying /etc/sudoers

I have locked administrators out of using sudo with a simple typo.

With ansible you can lockup sudo on every machine with a single error. So I get pretty cautious with editing /etc/sudoers through any deployment application.

Here is a quick example of going overboard to protect your sudoers file when using ansible. This is in my $ANSIBLE_DIR/roles/common/tasks/main.yml file

- name: Copy sudoers for safety
  command: cp /etc/sudoers /etc/sudoers.tmp

- name: Create sudoers.bak
  command: cp /etc/sudoers /etc/sudoers.bak

- name: Ensure admin group is in sudoers with NOPASSWD
  lineinfile: "dest=/etc/sudoers.tmp state=present regexp='^%admin ' line='%admin ALL=(ALL) NOPASSWD: ALL' validate='visudo -cf %s'"
  register: sudoers_tmp_ok

- name: Copy sudoers.tmp to sudoers
  when: sudoers_tmp_ok|success
  command: cp /etc/sudoers.tmp /etc/sudoers

Enjoy

-geoff-

Geoff McNamara

"Do not meddle in the affairs of wizards, for they are subtle and quick to anger.” J.R.R Tolkien

Elizabeth City, NC https://www.companionway.net

Credits: