0 Most servers do not allow root to log in via SSH
For security reasons, most production servers forbid root from logging in directly via SSH, so an attacker cannot simply guess the root password by opening SSH connections.
At the same time, most Ansible tasks need root privileges to configure the managed nodes. How is this conflict resolved?
The answer is privilege escalation. Most Linux users already know "sudo", the most common privilege escalation method.
Besides "sudo", there are other ways to obtain root, such as "su", "pbrun", "dzdo", and so on.
This post covers only "sudo", as it is by far the most common one.
1 /etc/sudoers
"sudo"'s configuration file is /etc/sudoers; additional rules usually go in drop-in files under /etc/sudoers.d. Edit these only with "visudo", which checks the syntax before saving: a syntax error in sudoers can lock everyone out of sudo.
# cat /etc/sudoers | grep ansible_user
ansible_user ALL=(ALL) NOPASSWD: ALL
- 1st ALL: the host list, i.e. the hosts on which this rule applies (it matters when one sudoers file is shared across machines; it says nothing about where the user logs in from)
- 2nd ALL: ansible_user can become any user (including root)
- 3rd ALL: ansible_user can run any command
- NOPASSWD: ansible_user can become another user without entering a password
Such an entry makes ansible_user's SSH private key as powerful as the root password, so protect that key on the control node accordingly. If Ansible only ever needs root, tighten the second field to (root) instead of (ALL).
2 Test
2.1 Test with commands
On the managed node, logged in as ansible_user:
$ sudo whoami
root
2.2 Test with Ansible
On the control node:
$ ansible all -i hosts --become --become-method=sudo --become-user=root -a 'whoami'
vm1 | SUCCESS | rc=0 >>
root
3 Privilege escalation configuration for Ansible
Official doc: Understanding privilege escalation: become
Privilege escalation is now ready on the managed nodes. What is left is to tell Ansible when to use it.
Ansible has several places where "become" can be configured.
3.1 command-line options "--become", "--become-user", "--become-method"
$ ansible all -i hosts --become --become-method=sudo --become-user=root -a 'whoami'
3.2 variables "ansible_become", "ansible_become_user", "ansible_become_method"
These variables can be set in the inventory as host or group variables, or in playbooks like any other variable.
3.3 Directives in a playbook, "become", "become_user", "become_method"
These directives can be put at a play or task level.
Because the same setting can be made in several places, pay attention to how they interact and which one wins; the precedence rules in the official doc settle this, and the result is not always the intuitive one, so check them before mixing the three methods.
Although there are many ways to set "become", the most common is directives in a playbook.
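The following is an added example, not code from the original post. It puts sections 1 and 3 together: a YAML inventory that sets the unprivileged login user, and a playbook that installs the sudoers drop-in from section 1 under /etc/sudoers.d (checked with visudo before it is written, and tightened to (root) rather than the (ALL) shown above), uses "become" at play level, and overrides it with "become: false" on one task. The host name vm1, the address 192.0.2.10, the drop-in filename and the visudo path are assumptions, as is the presence of "#includedir /etc/sudoers.d" in /etc/sudoers (the default on common distributions).

```yaml
# inventory.yml (constructed for this example; host name and address are assumed)
all:
  hosts:
    vm1:
      ansible_host: 192.0.2.10
  vars:
    ansible_user: ansible_user        # the unprivileged SSH login, never root
---
# site.yml
- name: Bootstrap and then use passwordless sudo for the Ansible user
  hosts: all
  become: true                        # play level: every task below goes through sudo
  become_method: sudo
  become_user: root
  tasks:
    - name: Install a sudoers drop-in that only allows becoming root
      ansible.builtin.copy:
        dest: /etc/sudoers.d/ansible_user   # assumed name; sudoers.d ignores names containing '.' or '~'
        content: "{{ ansible_user }} ALL=(root) NOPASSWD: ALL\n"
        owner: root
        group: root
        mode: "0440"
        validate: /usr/sbin/visudo -cf %s   # refuse to install a rule that does not parse (path assumed)

    - name: Verify that privilege escalation works
      ansible.builtin.command: whoami
      register: who
      changed_when: false

    - name: Stop if the task did not run as root
      ansible.builtin.assert:
        that: who.stdout == "root"
        fail_msg: "become is configured but sudo did not give us root"

    - name: Task-level override for something that must run as the login user
      ansible.builtin.command: whoami
      become: false                   # task keyword overrides the play-level become
      register: me
      changed_when: false

    - name: Stop if the override did not take effect
      ansible.builtin.assert:
        that: me.stdout == ansible_user
```

Save the two documents as inventory.yml and site.yml. The first run happens before the drop-in exists, so ansible_user must already be allowed to sudo with a password and the run needs -K (--ask-become-pass): ansible-playbook -i inventory.yml site.yml -K. Once the drop-in is in place, the same playbook runs without -K, which is what the sudoers entry in section 1 is for.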