I'm trying to achieve the following with ansible
adduser test <-- ok and works on linux machine and works with ansible
su test <-- works on linux machine, but fails with ansible. I get incorrect password message
cp loc1/testfile.txt loc2/testfile.txt && echo "hello" > testfile.txt
--- - name: This is a hello-world example hosts: all tasks: - name: create a passwordless test user action: user name=test state=present become: yes become_user: root - name: Create a file called '/tmp/testfile.txt' with the content 'hello' using test user. copy: content: hello dest: /tmp/testfile.txt owner: test group: test become_user: test
primary conditions:
at a moment of execution the file testfile.txt is already created on linux machine and has a group root and user root. I want to override the file and assign different user and group.
I've tried various combination, including
copy: content: hello dest: /tmp/testfile.txt owner: test group: test become: yes become_user: test
copy: content: hello dest: /tmp/testfile.txt owner: test group: test become: yes become_user: test become_method: su
copy: content: hello dest: /tmp/testfile.txt owner: test group: test become: yes
copy: content: hello dest: /tmp/testfile.txt owner: test group: test become_user: test become_method: su
always getting a message about the password being incorrect. The awkward moment is that test user has no password
What am I doing wrong?
Updates:
Tried this
How to achieve sudo su - <user> and run all command in ansible <-- does not work
Found an answer - it is not possible
https://devops.stackexchange.com/questions/3588/how-do-you-simulate-sudo-su-user-in-ansible
What is the point?
to cite from Quora (source: https://www.quora.com/What-is-advantage-of-creating-passwordless-user-in-Linux)
I presume you mean processes such as a webserver, running as the "apache" user with a locked password (shadow entry of '!!').
This is for security, in case a vulnerability is discovered in the server code. Prior to the year 2000 or so, it was common for servers to run as the root user, particularly as this privilege is required to open network sockets on privileged ports (below 1024), such as 53 (DNS) or 80 (HTTP). As I recall, high-profile breaches of the bind and sendmail servers caused developers to re-think this strategy. Since then, services are started with root privilege, the socket opened, and then privilege is dropped to a non-privileged user ID such as "apache" or "named". This needs no password, since it is never intended that anyone login. Rather, a process running as root executes a setuid() system call to change effective user ID to this user. In the event of a security breach, an attacker will be limited to the access lists of this user; for instance, a vulnerable CGI script on a webserver would be able to access the /tmp directory as the "apache" user, but be unable to read /etc/shadow for instance, or to write an extra user into /etc/passwd or modify system binaries in /sbin.
2021: To avoid what is described in "password not being accepted for sudo user with Ansible":
fatal: [testserver]: FAILED! => {"failed": true, "msg": "Incorrect su password"}
You might try using sudo, assuming you have given test user sudo rights:
# Debian systems (Ubuntu / Linux Mint / ElementryOS), add users to the sudo group
sudo usermod -aG sudo username
# On RHEL based systems (Fedora / CentOS), add users to the wheel group
sudo usermod -aG wheel username
Then:
become_user: test
become_method: sudo
Launched with:
ansible-playbook -i inventory simple_playbook.yml --ask-become-pass
And enter the root password.
2024: Zbyl suggests in "Ansible become_user asks for password even though it is configured passwordless" a pipe_to_su script, which allows your remote/login user to execute commands as another user by piping commands to sudo su - <user>.