
sudoers failures should include stderr #9674

Open

mmodenesi opened this issue Feb 2, 2025 · 2 comments
Labels: bug (This issue/PR relates to a bug), module, plugins (plugin (any type))

Comments

@mmodenesi

Summary

Suppose I want to add a silly sudoer rule such as

user: tom
nopassword: false
name: example
commands:
  - crontab

The validation with visudo will fail because crontab is not a fully qualified path. That (very useful) information is given through stderr

> /home/svc_ansible/.ansible/tmp/ansible-tmp-1738427894.098165-503-126840258439154/debug_dir/ansible_collections/community/general/plugins/modules/sudoers.py(249)validate()
-> if rc != 0:
(Pdb) rc
1
(Pdb) check_command
['/sbin/visudo', '-c', '-f', '-']
(Pdb) stdout
''
(Pdb) stderr
'stdin:1:18: expected a fully-qualified path name\ntom ALL=NOEXEC: crontab\n                 ^~\n'

But the user will just be shown the stdout (in this case, that's empty) as per

raise Exception('Failed to validate sudoers rule:\n{stdout}'.format(stdout=stdout))

Ending up with

"msg": "Failed to validate sudoers rule:\n"

I'm not sure if a simple replacement of stdout -> stderr would be the right fix; I don't know under how many conditions, validation methods, and failure types this is supposed to work. Probably a good solution would involve presenting both stdout and stderr.

Issue Type

Bug Report

Component Name

sudoers

Ansible Version

controller@b2f077ad286d:~/ansible$ ansible --version
ansible [core 2.18.2]
  config file = /home/controller/ansible/ansible.cfg
  configured module search path = ['/home/controller/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/controller/.local/lib/python3.12/site-packages/ansible
  ansible collection location = /home/controller/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/controller/.local/bin/ansible
  python version = 3.12.8 (main, Jan 24 2025, 19:38:26) [GCC 12.2.0] (/usr/local/bin/python3.12)
  jinja version = 3.1.5
  libyaml = True

Community.general Version

controller@b2f077ad286d:~/ansible$ ansible-galaxy collection list community.general

# /home/controller/.local/lib/python3.12/site-packages/ansible_collections
Collection        Version
----------------- -------
community.general 10.3.0

Configuration

controller@b2f077ad286d:~/ansible$ ansible-config dump --only-changed
CONFIG_FILE() = /home/controller/ansible/ansible.cfg
DEFAULT_HOST_LIST(/home/controller/ansible/ansible.cfg) = ['/home/controller/ansible/inventory']
DEFAULT_PRIVATE_KEY_FILE(/home/controller/ansible/ansible.cfg) = /home/controller/.ssh/id_rsa_ansible
DEFAULT_REMOTE_USER(/home/controller/ansible/ansible.cfg) = svc_ansible
DEFAULT_ROLES_PATH(/home/controller/ansible/ansible.cfg) = ['/home/controller/ansible/roles']
HOST_KEY_CHECKING(/home/controller/ansible/ansible.cfg) = False
INTERPRETER_PYTHON(/home/controller/ansible/ansible.cfg) = auto_silent

OS / Environment

Both the controller and managed node are docker containers from python:3.12-bookworm

controller@b2f077ad286d:~/ansible$ cat /etc/os-release 
PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
NAME="Debian GNU/Linux"
VERSION_ID="12"
VERSION="12 (bookworm)"
VERSION_CODENAME=bookworm
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

Steps to Reproduce

- name: Grant sudo capabilities
  become: true
  community.general.sudoers:
    noexec: false
    user: tito
    nopassword: false
    name: example
    commands:
      - crontab

Expected Results

TASK [users : Grant sudo capabilities] ********************************************************
fatal: [managed_py312]: FAILED! => {"changed": false, "msg": "Failed to validate sudoers rule:\nstdin:1:11: expected a fully-qualified path name\ntom ALL= crontab\n          ^~~~~~~\n"}

Actual Results

TASK [users : Grant sudo capabilities] **************************************************************************************
fatal: [managed_py312]: FAILED! => {"changed": false, "msg": "Failed to validate sudoers rule:\n"}

Code of Conduct

  • I agree to follow the Ansible Code of Conduct
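The point of the report is that `visudo -c -f -` puts its diagnostics on stderr, so an error message built from stdout alone is empty. The following is an added example, not code from the community.general sudoers module: a message builder that includes both streams, a pre-check for the one failure the issue hits (a command that is not a fully-qualified path), and a wrapper that runs the same `visudo` invocation the pdb session shows. The function names, `SAMPLE_STDERR` (copied from the issue's pdb output), and the fallback path `/sbin/visudo` are assumptions for illustration; the wrapper needs visudo installed and, as in the module, root privileges.

```python
"""Added example, not code from community.general: surface visudo's stderr
when a sudoers rule fails validation, and pre-check the one error the issue
hits (a command that is not a fully-qualified path)."""
import shutil
import subprocess


def format_validation_error(rc, stdout, stderr):
    """Build the failure message from a visudo run.

    The module snippet quoted in the issue formats only ``stdout`` into the
    message; ``visudo -c`` writes its diagnostics to stderr, so this version
    labels and includes both streams and omits whichever one is empty.
    """
    parts = ["Failed to validate sudoers rule (visudo exit status %d)" % rc]
    if stdout.strip():
        parts.append("stdout:\n" + stdout.rstrip("\n"))
    if stderr.strip():
        parts.append("stderr:\n" + stderr.rstrip("\n"))
    if len(parts) == 1:
        parts.append("(visudo produced no output on stdout or stderr)")
    return "\n".join(parts)


def unqualified_commands(commands):
    """Return the entries of ``commands`` that visudo would reject with
    'expected a fully-qualified path name'.

    A command in a Cmnd_Spec must be an absolute path (arguments may follow);
    the ``ALL`` keyword is the one exception handled here. Cmnd_Alias names,
    ``sudoedit`` and Digest_Spec prefixes are out of scope for this check
    (assumption: the caller only passes plain command strings).
    """
    bad = []
    for cmd in commands:
        tokens = cmd.split()
        if not tokens:
            bad.append(cmd)
            continue
        path = tokens[0]
        if path != "ALL" and not path.startswith("/"):
            bad.append(cmd)
    return bad


def validate_rule(rule, visudo_path=None):
    """Run ``visudo -c -f -`` on ``rule`` (the invocation shown in the issue)
    and raise ValueError carrying both output streams on failure.

    Returns True on success. visudo must be on PATH or given explicitly
    (``/sbin/visudo`` is the fallback, as in the pdb session); the module
    runs this as root, which is assumed here as well.
    """
    visudo = visudo_path or shutil.which("visudo") or "/sbin/visudo"
    proc = subprocess.run(
        [visudo, "-c", "-f", "-"],
        input=rule.rstrip("\n") + "\n",
        capture_output=True,
        text=True,
        check=False,
    )
    if proc.returncode != 0:
        raise ValueError(
            format_validation_error(proc.returncode, proc.stdout, proc.stderr)
        )
    return True


# Constructed sample: the stderr captured in the issue's pdb session, used
# here so the message builder can be exercised without visudo installed.
SAMPLE_STDERR = (
    "stdin:1:18: expected a fully-qualified path name\n"
    "tom ALL=NOEXEC: crontab\n"
    "                 ^~\n"
)

if __name__ == "__main__":
    print(unqualified_commands(["crontab", "/usr/bin/crontab -l", "ALL"]))
    print(format_validation_error(1, "", SAMPLE_STDERR))
```

Running `unqualified_commands` before calling visudo gives the user the actionable hint even on a host where visudo's output format differs, while `format_validation_error` keeps the raw diagnostics from both streams so that failures unrelated to paths (syntax errors, unknown keywords) are still reported rather than swallowed.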
@ansibullbot (Collaborator)

Files identified in the description:

If these files are incorrect, please update the component name section of the description or use the !component bot command.

@ansibullbot (Collaborator)

@ansibullbot added the bug, module and plugins labels Feb 2, 2025