maxhoesel-ansible/ansible-collection-smallstep

Permission error when ansible_user is unprivileged

ethrgeist opened this issue · 3 comments

Hi,

thanks for this very useful collection, I am currently playing around with it on a few virtual machines, plain Debian 11.

I took your example ca.yml from the README.

- hosts: manager-1
  become: yes
  tasks:
    # Install and initialize the CA server.
    # There are a lot of configuration options, see the step_ca README for details
    - name: Install step-ca
      include_role:
        name: maxhoesel.smallstep.step_ca
      vars:
        step_ca_name: Example CA
        step_ca_root_password: "hunter2"
        step_ca_intermediate_password: "hunter2"
        step_ca_user: "step-ca"

    # The CA root cert fingerprint is used by clients to verify the authenticity of your CA.
    # You can save the output of this task and then pass it on to any client that you want to trust the CA.
    - name: Get root CA fingerprint
      command: 'step-cli certificate fingerprint /etc/step-ca/certs/root_ca.crt'
      register: root_ca_fp
    - name: Show root CA fingerprint
      debug:
        msg: "Fingerprint of root cert: {{ root_ca_fp.stdout }}"

My inventory contains

  vars:
    ansible_user: debian

as I connect as a non-privileged user and then use become to elevate, root login is disabled.

But roles/step_ca/tasks/init.yml fails with

TASK [maxhoesel.smallstep.step_ca : Initialize CA] ********************************************************************************************************************************************************************************************************************************************
task path: /home/user/.ansible/collections/ansible_collections/maxhoesel/smallstep/roles/step_ca/tasks/init.yml:74
fatal: [manager-1]: FAILED! => {
    "msg": "Failed to set permissions on the temporary files Ansible needs to create when becoming an unprivileged user (rc: 1, err: chmod: invalid mode: ‘A+user:step-ca:rx:allow’\nTry 'chmod --help' for more information.\n}). For information on working around this, see https://docs.ansible.com/ansible-core/2.12/user_guide/become.html#risks-of-becoming-an-unprivileged-user"
}

The error points at https://docs.ansible.com/ansible-core/2.12/user_guide/become.html#risks-of-becoming-an-unprivileged-user

If I enable root login, and overwrite ansible_user: root the role runs fine and everything is set up correctly.

Could you take a look?

Hi!

Do you have the acl package installed on your Debian hosts? That package allows for more granular filesystem permissions and fixes this issue for me.

The issue here is that the role needs to be run with become: yes, but it also needs to run several CA commands as the CA user, so it uses become_user: {{ step_ca_user }} for those tasks internally.

If you are running as root, this results in the following privilege escalation chain, which works fine:

  1. Connection: root
  2. become: yes: still root
  3. become_user: {{ step_ca_user }}: switch to step-ca or whatever your CA user is

But if you are connecting as a non-privileged user, the chain instead is:

  1. Connection: admin
  2. become: yes: switch from admin to root
  3. become_user: {{ step_ca_user }}: switch from admin to root and then to step-ca.

And as the article above explains, Ansible can't do so securely without additional help.
The acl package is the easiest workaround for this.
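A preflight probe for the chain described above, added here as an example (it is not from the issue participants or from the collection): it checks whether the host can grant another user access to a private temporary directory via setfacl, which is what Ansible's become_user relies on. The target-user argument and the three status strings are my own conventions.

```shell
#!/bin/sh
# Preflight probe for the become -> become_user chain.
# Ansible grants the unprivileged target user (e.g. step-ca) access to its
# temporary files with setfacl; without the acl package it falls back to a
# Solaris-style "chmod A+user:...:allow", which GNU chmod rejects with the
# "invalid mode" error quoted in the issue.
#
# Prints one of: setfacl-ok | setfacl-missing | setfacl-failed
# Usage: acl_probe [target-user]   (defaults to the current user so the
# probe also runs on a host where the step-ca user does not exist yet)

acl_probe() {
    target="${1:-$(id -un)}"

    if ! command -v setfacl >/dev/null 2>&1; then
        echo "setfacl-missing"          # install the acl package
        return 0
    fi

    # Mimic what Ansible does: a private temp dir plus an ACL entry
    # that lets only the target user traverse and read it.
    probe_dir=$(mktemp -d 2>/dev/null) || { echo "setfacl-failed"; return 0; }
    chmod 700 "$probe_dir"
    if setfacl -m "u:${target}:r-x" "$probe_dir" 2>/dev/null \
       && getfacl "$probe_dir" 2>/dev/null | grep -q "^user:${target}:r-x"; then
        status="setfacl-ok"
    else
        status="setfacl-failed"         # e.g. unknown user or fs mounted without ACL support
    fi
    rm -rf "$probe_dir"
    echo "$status"
}

# Exit-code helper for a pre_tasks command or a manual "|| exit":
# 0 when the host is ready for become_user, 1 otherwise.
become_unprivileged_ready() {
    [ "$(acl_probe "$1")" = "setfacl-ok" ]
}
```

Run it as the same connection user the playbook uses; a non-zero result from become_unprivileged_ready means the role's become_user tasks will fail the same way as in the issue.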

Thank you, this solved it for me.

I added

    - name: Install acl
      # https://github.com/maxhoesel-ansible/ansible-collection-smallstep/issues/250
      ansible.builtin.apt:
        name: acl

as a first task and it works

Glad to hear that! Closing this as resolved