Ansible

Ansible Sudoers

One of the most common tasks for any system administrator is configuration management. Configuration management can be very challenging when managing a wide variety of hosts. Therefore, most sys admins turn to automation tools such as Ansible for help.

One often overlooked yet vital part of system configuration is managing the user privileges—precisely, who can execute which commands as the superuser on a system. This is where the sudoers file, and by extension, the Ansible “community.general.sudoers” module.

In this tutorial, we will learn how to leverage the sudoers module in Ansible to manage the sudoers file in Unix-like systems.

What Are Sudoers?

Let us start by defining the sudoers file.

In Linux and other Unix-based systems, the sudo utility is a command that allows a permitted user to run a command as the root or other users in the system.

The rules and policies of who can run what commands are defined in the sudoers file are typically located in /etc/sudoers.

Therefore, the role of the sudoers file is to determine who can run what commands and on which machines.

As you can guess, the sudoers file is critical to the security of a system, and misconfigurations can lead to system compromise. This is where the tools like Ansible can assist in minimizing such risks.

Ansible Sudoers Module

In the Ansible galaxy, we have the “community.general.sudoers” module which offers an automated way of managing the sudoers file. It allows us to quickly and securely manage the sudoers file across multiple systems and remove the errors that can occur from manual editing.

Installing the Sudoers Module

Before we can use the “community.general.sudoers” module, we must first ensure that we have it installed. We can use the following command:

$ ansible-galaxy collection install community.general

Example 1: Adding a User

The first usage of the sudoers module is to grant a given user the ability to run the sudo command:

An example playbook is as follows:

---
- hosts
: all
tasks
:
- name
: Grant user full sudo access
community.general.sudoers
:
name
: linuxhint
nopassword
: yes
state
: present
commands
: /bin/bash

This should grant the Linuxhint user the permission to run the sudo command.

Example 2: Command Specific Access

In some cases, we may only want a specific user to run a given command as root. In Ansible, we can use the sudoers module to do this as follows:

---
- hosts
: all
tasks
:
- name
: Allow user restart the web server
community.general.sudoers
:
name
: nginx
commands
: "/etc/init.d/httpd restart"
state
: present

This allows the Nginx user to restart the Nginx web server.

Example 3: Group Permissions

We can also use the sudoers module to allow the members of a given group to run any commands as root as shown in the following:

---
- hosts
: all
tasks
:
- name
: Grant admins group full sudo access
community.general.sudoers
:
name
: "%admins"
nopassword
: yes
state
: present
commands
: ALL

Conclusion

We learned how to use the community’s Ansible sudoers “module.general” collection to manage the sudoers file in an error-reduced way.

About the author

John Otieno

My name is John and am a fellow geek like you. I am passionate about all things computers from Hardware, Operating systems to Programming. My dream is to share my knowledge with the world and help out fellow geeks. Follow my content by subscribing to LinuxHint mailing list