mac-dev-playbook
Add temporary passwordless sudo
This should fix #147
Once #79 is ready, this can be removed again.
The major issue I have with this approach is that if the playbook stops for some reason after it enables the permission, but before it disables it, the system would have passwordless sudo enabled until someone either manually deletes the config or successfully completes the playbook again.
Understood. But an attacker would need your password anyway to log in before being able to use passwordless sudo.
There would also be an option to use SUDO_ASKPASS together with the keychain, which would only work to retrieve the password when the keychain is unlocked.
How about this:
```yaml
- name: Run the .osx dotfiles passwordless.
  block:
    - name: Add temporary passwordless sudo permissions
      ansible.builtin.copy:
        content: "{{ ansible_user }} ALL=(ALL) NOPASSWD: ALL"
        dest: "/private/etc/sudoers.d/99_tmp_ansible"
        # visudo -csf: check the candidate file strictly before it is installed,
        # so a malformed drop-in can never break sudo on the machine.
        validate: /usr/sbin/visudo -csf %s
        # Quoted so YAML hands Ansible the octal string rather than an integer.
        mode: "0644"
      become: true
    - name: Run .osx dotfiles.
      ansible.builtin.command: "{{ osx_script }}"
      changed_when: false
      become: false
  always:
    # Runs whether the block above succeeded or failed, so the grant does not
    # outlive the play on an ordinary task failure.
    - name: Remove temporary passwordless sudo permissions
      ansible.builtin.file:
        path: "/private/etc/sudoers.d/99_tmp_ansible"
        state: absent
      become: true
```
In this case it would be cleaned up even if the .osx run fails. That block would also be possible around the necessary parts of the playbook.
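The failure mode raised earlier in this thread (a run that dies between creating `99_tmp_ansible` and removing it, or is killed hard so that even an `always:` section never executes) leaves a NOPASSWD drop-in in place. The check a practitioner would want is a quick audit of the sudoers drop-in directory for such grants. The script below is an added example, not code from mac-dev-playbook or from this PR: the `/private/etc/sudoers.d` default, the `find_nopasswd`/`audit_dir` names and the sample drop-in contents are assumptions or constructed data, and the parser covers the common `user host = (runas) TAG: commands` spec form rather than the full sudoers grammar (aliases and backslash continuations are not handled).

```python
#!/usr/bin/env python3
"""Audit sudoers drop-ins for NOPASSWD grants left behind by an aborted run.

Added example, not part of mac-dev-playbook or this PR. Handles the common
"user host = (runas) TAG: commands" form only; paths and samples are assumed.
"""
import re
import sys
from pathlib import Path

# macOS keeps drop-ins under /private/etc (/etc is a symlink to it); on Linux
# this would be /etc/sudoers.d. Assumed default, overridable on the command line.
DEFAULT_SUDOERS_D = Path("/private/etc/sudoers.d")

# user-or-group  host(s) = (runas) [TAG: ...] command list
_SPEC_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z_]+:\s*)*)"
    r"(?P<cmds>.+)$"
)


def find_nopasswd(text, source="<inline>"):
    """Return one dict per NOPASSWD grant found in the sudoers text."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # Skip blanks, comments and #include directives; "#1000" (a uid spec) is kept.
        if not line or (line.startswith("#") and not re.match(r"#\d", line)):
            continue
        if line.startswith("Defaults"):
            continue
        line = re.sub(r"\s#.*$", "", line)  # drop a trailing comment
        m = _SPEC_RE.match(line)
        if not m:
            continue
        tags = re.findall(r"[A-Z_]+(?=:)", m.group("tags"))
        if "NOPASSWD" not in tags:
            continue
        cmds = m.group("cmds").strip()
        findings.append({
            "source": source,
            "line": lineno,
            "who": m.group("who"),
            # sudo's default runas target is root when no (runas) is given.
            "runas": m.group("runas") or "root",
            "cmds": cmds,
            # An unrestricted command list is the case the PR discussion worries about.
            "unrestricted": cmds == "ALL",
        })
    return findings


def audit_dir(directory):
    """Scan every drop-in in a sudoers.d directory; returns [] if it is missing."""
    directory = Path(directory)
    findings = []
    if not directory.is_dir():
        return findings
    for path in sorted(directory.iterdir()):
        # sudo's #includedir ignores names containing '.' or ending in '~';
        # mirror that so only drop-ins actually in effect are reported.
        if not path.is_file() or "." in path.name or path.name.endswith("~"):
            continue
        try:
            findings.extend(find_nopasswd(path.read_text(), str(path)))
        except PermissionError:
            print(f"{path}: permission denied (re-run with sudo)", file=sys.stderr)
    return findings


# Constructed sample: what the 99_tmp_ansible drop-in from this thread would
# contain for a user "alice", plus lines that must not be flagged.
SAMPLE_DROP_IN = """\
# managed by the playbook
Defaults env_reset
%admin ALL=(ALL) ALL
alice ALL=(ALL) NOPASSWD: ALL
deploy ALL = (root) NOPASSWD:NOEXEC: /usr/bin/systemctl restart app  # scoped
"""


def main(argv):
    target = Path(argv[1]) if len(argv) > 1 else DEFAULT_SUDOERS_D
    findings = audit_dir(target)
    for f in findings:
        kind = "UNRESTRICTED" if f["unrestricted"] else "scoped"
        print(f"{f['source']}:{f['line']}: {f['who']} -> ({f['runas']}) "
              f"NOPASSWD {kind}: {f['cmds']}")
    # Non-zero exit on an unrestricted grant makes this usable as a post-run check.
    return 1 if any(f["unrestricted"] for f in findings) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `sudo python3 audit_sudoers.py` after an interrupted playbook run (or from a periodic job); a non-zero exit means an `ALL=(ALL) NOPASSWD: ALL` style grant is still in effect and should be removed by hand.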
This pull request has been marked 'stale' due to lack of recent activity. If there is no further activity, the PR will be closed in another 30 days. Thank you for your contribution!
Please read this blog post to see the reasons why I mark pull requests as stale.
This pull request has been closed due to inactivity. If you feel this is in error, please reopen the pull request or file a new PR with the relevant details.