Is it safe to edit /etc/sudoers with the Ansible "lineinfile" module?
There's a safenet option for such cases: validate
.
The validation command to run before copying into place. The path to the file to validate is passed in via '%s' which must be present as in the example below. The command is passed securely so shell features like expansion and pipes won't work.
If you look at the examples section of lineinfile module, you'll see exactly what you need:
# Validate the sudoers file before saving
- lineinfile:
path: /etc/sudoers
state: present
regexp: '^%ADMIN ALL='
line: '%ADMIN ALL=(ALL) NOPASSWD: ALL'
validate: '/usr/sbin/visudo -cf %s'
I think what you are missing is that in order to edit /etc/sudoers
you need sudo-access. To do this in Ansible, you just need to add the become flag.
name: Change Sudo Timeout
become: yes
lineinfile:
path: /etc/sudoers
regexp: ^Defaults env_reset
line: Defaults env_reset,timestamp_timeout=60
While this answer defines things correctly and this one provides a mitigation to potential problems, let's look at your code.
You ask Ansible to (potentially) replace the line defined in the following way:
regexp: ^Defaults env_reset
This is clearly a bad practice and if repeated for a parameter other than Defaults
in sudoers
file, it is likely to cause a critical problem.
Generally Defaults
is the configuration parameter and env_reset
is one of possible values.
You cannot assume that the actual configuration file will always contain ^Defaults env_reset
string.
If there was a different value set, the regexp wouldn't match and you'd end up adding a second line starting with Defaults
.
So the proper way to use lineinfile
is to use regexp
argument to match only the configuration parameter, not its value. In your case:
regexp: ^Defaults
line: Defaults env_reset,timestamp_timeout
The other potential pitfall is that sudoers
contain sections which should be written in proper order. If the file you modify does not contain the line specified by the regular expression, lineinfile
will add a new line to the end of the file, where it might get ignored, or result in an error (but that should be discovered by validation), and most likely cause confusion if human looked at the file later. So it might be wise to specify insertafter
or insertbefore
.
It's safe if you've tested the syntax to be correct.
The point of encouraging visudo
is to prevent someone from locking themselves out from administering a system by creating an invalid /etc/sudoers
, whether by a typo or a thinko.
When you're using Ansible to perform an edit, you can test the code performing that edit to do the right thing with your actual config files, environment, and version of sudo
before you roll it out. Thus, the concerns about people making a typo or a syntax error by hand aren't immediately relevant.