
Making `ansible.posix.synchronize` elevate permissions on accounts that need sudo password entry

Open markasbach opened this issue 2 years ago • 1 comment

SUMMARY

The current documentation of ansible.posix.synchronize mentions

Currently, synchronize is limited to elevating permissions via passwordless sudo. This is because rsync itself is connecting to the remote machine and rsync doesn't give us a way to pass sudo credentials in.

This is a substantial limitation as it requires to set up passwordless sudo (which is considered a security risk to some) to use this module with become: yes. It would be great to also have it work for accounts that require sudo password entry.

ISSUE TYPE

  • Feature Idea

COMPONENT NAME

ansible.posix.synchronize

ADDITIONAL INFORMATION

The current limitation is due to the fact that ansible.posix.synchronize uses rsync from the target machine and therefore the typical methods to elevate permissions that are implemented in ansible itself cannot be used. The module already uses kind of a trick to gain root privileges on the target machine by telling rsync to use --rsync-path="sudo rsync" which works fine if the account is set up for passwordless sudo. If not, sudo will prompt for the password and the command fails.

I tried to find solutions for the issue and (based on a smart person's idea) found a way to pass the password safely by wrapping the ssh command supplied to rsync via --rsh. This is documented on https://askubuntu.com/a/1397261/874618.

I'll put up a pull request to implement this, but I might need some guidance.

markasbach avatar Mar 12 '22 23:03 markasbach
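The passwordless-sudo path the issue describes, written out as a playbook. This is an added example, not code from the issue, the askubuntu answer or the ansible.posix collection; the host group `webservers`, the user `deploy` and the paths are assumed. The sudoers task shows the least-privilege form a practitioner would prefer over a blanket `NOPASSWD: ALL` entry, and the second task is the call that only works once sudo stops prompting:

```yaml
# Added example (not from the issue or ansible.posix): the passwordless-sudo
# path the issue describes, plus a sudoers rule scoped to rsync only.
# Host group "webservers", user "deploy" and all paths are assumed.
- name: Sync a release directory into a root-owned location
  hosts: webservers
  tasks:
    # Least-privilege alternative to "deploy ALL=(ALL) NOPASSWD: ALL".
    # Caveat: "sudo rsync" can still read and write any file as root, so this
    # narrows the command, not the effective privilege; treat the account as
    # root-equivalent and audit /etc/sudoers.d accordingly.
    # This task uses a regular module, so it can take the sudo password from
    # "ansible-playbook -K"; only synchronize cannot.
    - name: Allow the deploy user to run rsync without a password
      become: true
      ansible.builtin.copy:
        dest: /etc/sudoers.d/deploy-rsync
        content: "deploy ALL=(root) NOPASSWD: /usr/bin/rsync\n"
        owner: root
        group: root
        mode: "0440"
        validate: /usr/sbin/visudo -cf %s   # reject a malformed rule before install

    # With become: true the module runs rsync from the controller against the
    # target and passes --rsync-path="sudo rsync"; if sudo prompts, rsync fails.
    - name: Push files with rsync (rsync connects over ssh itself)
      become: true
      ansible.posix.synchronize:
        src: /srv/releases/app/
        dest: /opt/app/
        archive: true
        checksum: true   # compare by checksum, not just size and mtime
        delete: false
```

Run it with `ansible-playbook -K site.yml`: the `-K` prompt satisfies the first task's `become`, while the `synchronize` task succeeds only because the sudoers rule from the first task has removed the prompt for rsync.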

Could this be looked at?

This issue makes the simple act of copying more than a couple of files to privileged directories on target systems with password-protected sudo insufferable.

Alternatives (for example as described here) are inadequate:

  • ansible.builtin.copy is easily 200x slower than rsync or scp. Copying a directory of, say, 200 small files with a total size of 1MB can take over half an hour.
  • Creating a temporary local tarball of the source directory, transferring and unarchiving it to the target directory with ansible.builtin.unarchive and then removing the temporary local tarball again "works", but is an awkward and insufficient workaround, e.g.:
    • not idempotent
    • no integrity checks
    • always a full overwrite even if the target directory is identical
    • adds unnecessary delay because the contents of the source directory (possibly on an HDD) first have to be read into a tarball, which then has to be read to be copied to the target, and then has to be read again on the target to be extracted
  • Passwordless sudo may be an acceptable security trade-off in particular cases, but it is often not recommended or outright prohibited.

@markasbach has already provided a fix that looks sane to me (it just expands on how ansible.builtin.synchronize already elevates privileges in case of passwordless sudo).

tdltdc avatar Apr 25 '23 10:04 tdltdc