hammadrauf.sudousers

Ansible Role: SudoUsers

This role sets up user accounts from a provided list, granting them sudo permissions on Debian or RHEL-based operating systems. It also sets the NOPASSWD option, so those users are not prompted for their password when they run sudo.

Requirements

You need a Debian or RHEL-based virtual machine or physical server where the Ansible user has sudo access and where Python 3 is installed. The "sudo" package must also be installed.

Role Variables

For the full list, check defaults/main.yml. The list of users is defined as follows:

su_users:
  - username: "{{ su_vault_vmuser1 }}"
    password: "{{ su_vault_vmpwd1 }}"
    is_super_user: true
    sudo_rules: []
  - username: "{{ su_vault_vmuser2 }}"
    password: "{{ su_vault_vmpwd2 }}"
    is_super_user: false
    sudo_rules:
      - "ALL=(ALL)   NOPASSWD: /usr/bin/su - {{ su_vault_vmuser1 }}"
      - "ALL=(root)   NOPASSWD: /bin/su - {{ su_vault_vmuser1 }}"

In this example, the first user is a Super User with full sudo access. The second user is limited to switching to the first user, with the following command:

sudo su - user1id

Secret usernames and hashed passwords should be stored in 'Secrets.yml', encrypted with ansible-vault. Do not commit Secrets.yml to Git or any other source control.

su_vault_vmuser1: user01
su_vault_vmpwd1: user01-password-hashed
su_vault_vmuser2: user02
su_vault_vmpwd2: user02-password-hashed
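The following added example (not the role's own code) takes an `su_users` list like the one above, with the vault variables resolved to the names from Secrets.yml, renders the sudoers lines it implies, and reports who can reach passwordless root, either directly or by `su`-ing to a Super User. The drop-in line format and the expansion of `is_super_user` to `ALL=(ALL) NOPASSWD: ALL` are assumptions about what the role installs.

```python
import re

# Constructed sample: the README's su_users with the vault variables
# resolved to the names used in its Secrets.yml example.
SU_USERS = [
    {"username": "user01", "is_super_user": True, "sudo_rules": []},
    {"username": "user02", "is_super_user": False, "sudo_rules": [
        "ALL=(ALL)   NOPASSWD: /usr/bin/su - user01",
        "ALL=(root)   NOPASSWD: /bin/su - user01",
    ]},
]
SUPER_RULE = "ALL=(ALL) NOPASSWD: ALL"   # assumed expansion of is_super_user
SU_RE = re.compile(r"^(?:/usr)?/bin/su\s+(?:-|-l|--login)\s+(\S+)$")


def rules_for(user):
    """Rules a user ends up with, whitespace-normalised (expansion assumed)."""
    rules = [SUPER_RULE] if user["is_super_user"] else user["sudo_rules"]
    return [" ".join(r.split()) for r in rules]


def render_sudoers(users):
    """Render the sudoers drop-in the role would install (format assumed)."""
    return "".join(f"{u['username']} {r}\n" for u in users for r in rules_for(u))


def review(users):
    """Defender-side findings: who reaches root, directly or via su."""
    superusers = {u["username"] for u in users if u["is_super_user"]}
    findings = []
    for u in users:
        if u["is_super_user"]:
            findings.append(f"{u['username']}: unrestricted NOPASSWD root")
            continue
        for rule in rules_for(u):
            # command part: text after the "(runas)" group and any "TAG:" prefix
            cmd = rule.partition(")")[2].rpartition(":")[2].strip()
            if cmd != "ALL" and not cmd.startswith("/"):
                findings.append(f"{u['username']}: command is not an absolute path: {cmd}")
            m = SU_RE.match(cmd)
            if m and m.group(1) in superusers:
                findings.append(f"{u['username']}: su to {m.group(1)} reaches "
                                "NOPASSWD root transitively")
    return findings


if __name__ == "__main__":
    print(render_sudoers(SU_USERS))
    print("\n".join(review(SU_USERS)))
```

Write the rendered text to a file and run `visudo -cf <file>` to syntax-check it before installing it under /etc/sudoers.d.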

Dependencies

None

Example Playbook

    - hosts: servers
      roles:
         - role: hammadrauf.sudousers

Testing with Molecule

Run Podman instances outside of Molecule/Ansible with these commands:

podman run -d --name debian12 --hostname debian12 -it docker.io/hammadrauf/dockerdeb12:latest sleep infinity & wait
podman run -d --name fedora40 --hostname fedora40 -it docker.io/hammadrauf/fedora40:latest
podman run -d --name ubuntu --hostname ubuntu -it docker.io/hammadrauf/ubuntunoble:latest sleep infinity & wait

Linux User Password Hashing

Ubuntu / Debian

$ sudo apt update
$ sudo apt install whois
$ mkpasswd --method="sha-512" --salt="Thisisarandomsaltingstring"
Password: 
$6$ieMLxPFShvi6rao9$XEAU9ZDvnPtL.sDuSdRi6M79sgD9254b/0wZvftBNvMOjj3pHJBCIe04x2M.JA7gZ7MwpBWat1t4WQDFziZPw1

CentOS / Fedora

$ sudo dnf install expect
$ mkpasswd --method="sha-512" --salt="Thisisarandomsaltingstring"
Password: 
$6$ieMLxPFShvi6rao9$XEAU9ZDvnPtL.sDuSdRi6M79sgD9254b/0wZvftBNvMOjj3pHJBCIe04x2M.JA7gZ7MwpBWat1t4WQDFziZPw1

License

MIT

Author Information

This role was created on May 10, 2024, by Hammad Rauf.

Project information

Debian/RHEL creation of a Super User with sudo permissions. Also sets the NOPASSWD flag so that the password is not requested when sudo is used.

Install
ansible-galaxy install hammadrauf.sudousers