Ansible - modifying sudoers

...avoid locking yourself out

Posted by geoffm on Monday, January 1, 0001

Ansible - modifying /etc/sudoers

I have locked administrators out of using sudo with a simple typo.

With ansible you can lockup sudo on every machine with a single error. So I get pretty cautious with editing /etc/sudoers through any deployment application.

Here is a quick example of going overboard to protect your sudoers file when using ansible. This is in my $ANSIBLE_DIR/roles/common/tasks/main.yml file

- name: Copy sudoers for safety
  command: cp /etc/sudoers /etc/sudoers.tmp
  • name: Create sudoers.bak command: cp /etc/sudoers /etc/sudoers.bak

  • name: Ensure admin group is in sudoers with NOPASSWD lineinfile: "dest=/etc/sudoers.tmp state=present regexp='^%admin ' line='%admin ALL=(ALL) NOPASSWD: ALL' validate='visudo -cf %s'" register: sudoers_tmp_ok

  • name: Copy sudoers.tmp to sudoers when: sudoers_tmp_ok|success command: cp /etc/sudoers.tmp /etc/sudoers

Enjoy

-geoff-


comments powered by Disqus