Permission error when ansible_user is unprivileged
ethrgeist opened this issue · 3 comments
Hi,

thanks for this very useful collection, I am currently playing around with it on a few virtual machines, plain Debian 11.
I took your example `ca.yml` from the README.
```yaml
- hosts: manager-1
  become: yes
  tasks:
    # Install and initialize the CA server.
    # There are a lot of configuration options, see the step_ca README for details
    - name: Install step-ca
      include_role:
        name: maxhoesel.smallstep.step_ca
      vars:
        step_ca_name: Example CA
        step_ca_root_password: "hunter2"
        step_ca_intermediate_password: "hunter2"
        step_ca_user: "step-ca"
    # The CA root cert fingerprint is used by clients to verify the authenticity of your CA.
    # You can save the output of this task and then pass it on to any client that you want to trust the CA.
    - name: Get root CA fingerprint
      command: 'step-cli certificate fingerprint /etc/step-ca/certs/root_ca.crt'
      register: root_ca_fp
    - name: Show root CA fingerprint
      debug:
        msg: "Fingerprint of root cert: {{ root_ca_fp.stdout }}"
```
My inventory contains

```yaml
vars:
  ansible_user: debian
```

as I connect as a non-privileged user and then use `become` to elevate, root login is disabled.
But `roles/step_ca/tasks/init.yml` fails with

```
TASK [maxhoesel.smallstep.step_ca : Initialize CA] ************************************************************
task path: /home/user/.ansible/collections/ansible_collections/maxhoesel/smallstep/roles/step_ca/tasks/init.yml:74
fatal: [manager-1]: FAILED! => {
    "msg": "Failed to set permissions on the temporary files Ansible needs to create when becoming an unprivileged user (rc: 1, err: chmod: invalid mode: ‘A+user:step-ca:rx:allow’\nTry 'chmod --help' for more information.\n}). For information on working around this, see https://docs.ansible.com/ansible-core/2.12/user_guide/become.html#risks-of-becoming-an-unprivileged-user"
}
```
The error points at https://docs.ansible.com/ansible-core/2.12/user_guide/become.html#risks-of-becoming-an-unprivileged-user
If I enable root login and override `ansible_user: root`, the role runs fine and everything is set up correctly.
Could you take a look?
Hi!

Do you have the `acl` package installed on your Debian hosts? That package allows for more granular filesystem permissions and fixes this issue for me.

The issue here is that the role needs to be run with `become: yes`, but it also needs to run several CA commands as the CA user, so it uses `become_user: {{ step_ca_user }}` for those tasks internally.

If you are running as root, this results in the following privilege escalation chain, which works fine:

- Connection: `root`
- `become: yes`: still `root`
- `become_user: {{ step_ca_user }}`: switch to `step-ca` or whatever your CA user is

But if you are connecting as a non-privileged user, the chain instead is:

- Connection: `admin`
- `become: yes`: switch from `admin` to `root`
- `become_user: {{ step_ca_user }}`: switch from `admin` to `root` and then to `step-ca`.

And as the article above explains, Ansible can't do so securely without additional help. The `acl` package is the easiest workaround for this.
Thank you, this solved it for me.
I added

```yaml
- name: Install acl
  # https://github.com/maxhoesel-ansible/ansible-collection-smallstep/issues/250
  ansible.builtin.apt:
    name: acl
```

as a first task and it works
Glad to hear that! Closing this as resolved
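A complete playbook that applies the workaround discussed in this thread, added here as an example; it is not part of the collection or of the original posts. The host name, the `step_ca_*` variables and the root certificate path are taken from the example above; the `pre_tasks` ordering, the use of `ansible.builtin.package` instead of `apt`, and the final verification task that deliberately runs as the CA user are additions.

```yaml
# ca.yml (added example): run with `ansible-playbook -i inventory ca.yml`.
# The inventory is assumed to set ansible_user to an unprivileged account
# (e.g. `ansible_user: debian`); root SSH login stays disabled.
- hosts: manager-1
  become: yes
  pre_tasks:
    # When Ansible escalates root -> step-ca with become_user, it must hand a
    # root-owned temp file to the CA user. It does that with setfacl(1), which
    # the acl package provides; without it Ansible falls back to non-GNU chmod
    # ACL syntaxes, which is the "invalid mode" error quoted in this issue.
    # Installing acl in pre_tasks guarantees it is present before the role runs.
    - name: Install acl so Ansible can become an unprivileged user
      ansible.builtin.package:   # generic module; resolves to apt on Debian
        name: acl
        state: present

  tasks:
    - name: Install step-ca
      include_role:
        name: maxhoesel.smallstep.step_ca
      vars:
        step_ca_name: Example CA
        # Placeholder passwords from the README example; use vaulted secrets in practice.
        step_ca_root_password: "hunter2"
        step_ca_intermediate_password: "hunter2"
        step_ca_user: "step-ca"

    # Added check: exercise the same debian -> root -> step-ca chain the role
    # uses internally. If acl were missing, this task would fail with the same
    # "Failed to set permissions on the temporary files" error as the role did.
    # Assumes the CA user can read the root certificate the role installed.
    - name: Verify the become_user chain works as the CA user
      become_user: step-ca
      command: 'step-cli certificate fingerprint /etc/step-ca/certs/root_ca.crt'
      register: root_ca_fp
      changed_when: false

    - name: Show root CA fingerprint
      debug:
        msg: "Fingerprint of root cert: {{ root_ca_fp.stdout }}"
```

Putting the `acl` install in `pre_tasks` rather than as the first entry of `tasks` keeps it ahead of any `roles:` list you might add later, since `pre_tasks` always run before roles. The verification task only exists to surface the permission problem on its own; the fingerprint it prints is the same value the original "Get root CA fingerprint" task produced.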