Is it safe to edit /etc/sudoers with the Ansible "lineinfile" module?

There's a safenet option for such cases: validate.

The validation command to run before copying into place. The path to the file to validate is passed in via '%s' which must be present as in the example below. The command is passed securely so shell features like expansion and pipes won't work.

If you look at the examples section of lineinfile module, you'll see exactly what you need:

# Validate the sudoers file before saving
- lineinfile:
    path: /etc/sudoers
    state: present
    regexp: '^%ADMIN ALL='
    line: '%ADMIN ALL=(ALL) NOPASSWD: ALL'
    validate: '/usr/sbin/visudo -cf %s'

I think what you are missing is that in order to edit /etc/sudoers you need sudo-access. To do this in Ansible, you just need to add the become flag.

name: Change Sudo Timeout
become: yes
lineinfile:
  path: /etc/sudoers
  regexp: ^Defaults  env_reset
  line: Defaults  env_reset,timestamp_timeout=60

While this answer defines things correctly and this one provides a mitigation to potential problems, let's look at your code.

You ask Ansible to (potentially) replace the line defined in the following way:

regexp: ^Defaults  env_reset

This is clearly a bad practice and if repeated for a parameter other than Defaults in sudoers file, it is likely to cause a critical problem.


Generally Defaults is the configuration parameter and env_reset is one of possible values.

You cannot assume that the actual configuration file will always contain ^Defaults env_reset string.

If there was a different value set, the regexp wouldn't match and you'd end up adding a second line starting with Defaults.


So the proper way to use lineinfile is to use regexp argument to match only the configuration parameter, not its value. In your case:

regexp: ^Defaults
line: Defaults  env_reset,timestamp_timeout

The other potential pitfall is that sudoers contain sections which should be written in proper order. If the file you modify does not contain the line specified by the regular expression, lineinfile will add a new line to the end of the file, where it might get ignored, or result in an error (but that should be discovered by validation), and most likely cause confusion if human looked at the file later. So it might be wise to specify insertafter or insertbefore.


It's safe if you've tested the syntax to be correct.

The point of encouraging visudo is to prevent someone from locking themselves out from administering a system by creating an invalid /etc/sudoers, whether by a typo or a thinko.

When you're using Ansible to perform an edit, you can test the code performing that edit to do the right thing with your actual config files, environment, and version of sudo before you roll it out. Thus, the concerns about people making a typo or a syntax error by hand aren't immediately relevant.

Tags:

Ansible