Ansible - modifying /etc/sudoers
I have locked administrators out of using sudo with a simple typo.
With ansible you can lockup sudo on every machine with a single error. So I get pretty cautious with editing /etc/sudoers through any deployment application.
Here is a quick example of going overboard to protect your sudoers file
when using ansible. This is in my
- name: Copy sudoers for safety command: cp /etc/sudoers /etc/sudoers.tmp - name: Create sudoers.bak command: cp /etc/sudoers /etc/sudoers.bak - name: Ensure admin group is in sudoers with NOPASSWD lineinfile: "dest=/etc/sudoers.tmp state=present regexp='^%admin ' line='%admin ALL=(ALL) NOPASSWD: ALL' validate='visudo -cf %s'" register: sudoers_tmp_ok - name: Copy sudoers.tmp to sudoers when: sudoers_tmp_ok|success command: cp /etc/sudoers.tmp /etc/sudoers