
Comments (9)

ahuffman commented on June 1, 2024 1

Should be live on Ansible Galaxy now as version 2.0.3 @soloradish @pjattke

from ansible-sudoers.

pjattke commented on June 1, 2024 1

Can confirm that the version released on ansible-galaxy also works flawlessly. Thank you!

pjattke commented on June 1, 2024

I also faced the same issue – I think local sudo privileges are not needed anyway. I would be happy to see this change integrated into master. Would that be possible @ahuffman?

ahuffman commented on June 1, 2024

  1. Would changing the default sudoers_backup_path to ~/sudoers_backups resolve the issue if we set become: False on this task? I believe we have the become in there because the backup path is relative to the local ansible control node playbook directory, and would require privilege to write there if running as a non-root user.

  2. Another solution we could add is a sudoer_backup_become var and you can configure as you wish.

Let me know what makes more sense, but I think I'm probably leaning towards option 2.

ahuffman commented on June 1, 2024

@soloradish @pjattke can you test out https://github.com/ahuffman/ansible-sudoers/tree/sudoers_backup_become and let me know if this works for you?

pjattke commented on June 1, 2024

@ahuffman Thanks for looking into that! The solution that I have applied so far is simply setting become: False in the respective task that keeps failing (of course, on a local copy of your role):

 - name: "Ensure local backup directory exists"
   file:
     state: "directory"
     path: "{{ sudoers_backup_path }}"
     mode: "0755"
   delegate_to: "localhost"
   connection: "local"
+  become: False                    <<< added line
   when:
     - "sudoers_backup | bool"
     - "sudoers_backup_path != ''"
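
Review bot: With `become: False` added, this task creates the backup directory as the invoking user on the control node, and the unchanged `mode: "0755"` line leaves that directory listable and traversable by every other local account even though it is the destination for copies of sudoers files. Consider tightening the mode to "0700" in the same change. Hard-coding `become: False` also breaks the case where `sudoers_backup_path` points somewhere the invoking user cannot write, so a variable that defaults to the current behaviour would be the safer form of this line.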

However, I can see that this makes things less flexible and thus I think that your proposed solution 2) would be better suited. I have tested the sudoers_backup_become branch. However, I get the following error message even though I have defined sudoer_backup_become: False:

fatal: [hostA]: FAILED! => {
    "msg": "failed to transfer file to /etc/sudoers /Users/patrick/git/<redacted>/ansible/backups/host123/sudoers-backups/host123/etc/sudoers:
             dd: failed to open '/etc/sudoers': Permission denied"
}

I think this is because you also use this variable to define become in the task named Backup sudoers file. On the remote, however, sudo permissions are always required to allow reading the sudoers file. Therefore, I think that the change in this line should be reverted.

I would be happy to test again after you made this change. Thanks a lot!

ahuffman commented on June 1, 2024

@pjattke give it a shot now, restored the backup task (fetch module) to become: True.

pjattke commented on June 1, 2024

@ahuffman Works now — thanks a lot for fixing. Will this change also be available on ansible-galaxy?

ahuffman commented on June 1, 2024

Yes, going to get everything fixed up shortly. Thanks for validating for me.

from ansible-sudoers.
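
An added illustration of the split the thread arrives at, not code from the ansible-sudoers role itself: the control-node directory task takes its privilege from the sudoer_backup_become variable, while the fetch of /etc/sudoers on the managed host keeps become enabled. The play wrapper, the backup path value, the fetch arguments and the 0700 mode are assumptions made for this example.

```yaml
# Added example; task bodies are illustrative, not copied from the role.
- name: Back up sudoers without needing sudo on the control node
  hosts: all
  gather_facts: false
  vars:
    sudoers_backup: true
    # Assumed location; any path the invoking user can write to works.
    sudoers_backup_path: "{{ playbook_dir }}/sudoers-backups"
    # Variable name from the thread; false = no local privilege escalation.
    sudoer_backup_become: false
  tasks:
    - name: "Ensure local backup directory exists"
      file:
        state: "directory"
        path: "{{ sudoers_backup_path }}"
        # Assumption: owner-only access, since the directory will hold
        # copies of sudoers files (the snippet in the thread uses 0755).
        mode: "0700"
      delegate_to: "localhost"
      connection: "local"
      # Local escalation is optional and controlled by the variable.
      become: "{{ sudoer_backup_become | bool }}"
      when:
        - "sudoers_backup | bool"
        - "sudoers_backup_path != ''"

    - name: "Backup sudoers file"
      fetch:
        src: "/etc/sudoers"
        # fetch stores the file under <dest>/<inventory_hostname>/etc/sudoers
        dest: "{{ sudoers_backup_path }}"
      # Reading /etc/sudoers on the managed host always needs privilege,
      # so this must not follow sudoer_backup_become.
      become: true
      when:
        - "sudoers_backup | bool"
        - "sudoers_backup_path != ''"
```

Tying the fetch task's become to the same variable reproduces the "dd: failed to open '/etc/sudoers': Permission denied" failure quoted in the thread.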
