Currently, we set /etc/sudoers.d/deploy to:
deploy ALL=(ALL)NOPASSWD:ALL
which allows the deploy user to run sudo commands without a password prompt.
We want to lock this down to specific sudo commands, i.e.:
deploy ALL=(ALL)NOPASSWD:/usr/bin/apt-get,/usr/bin/apt-key
etc.
but it appears that the moment you put a / in the template file
(roles/common/templates/deploy.sudoers)
then visudo -cf fails to validate the file when the task runs, citing a syntax error.
If you remove the validation check, the sudoers file is indeed corrupted.
If you manually edit the file, deleting whatever character is at the end of the line, it then validates fine. So I suspect some dodgy unicode character is being inserted by ansible templating, i.e. jinja, which is causing sudoers to barf.
I will try and see if I can isolate what line endings are being used.
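One way to isolate which bytes sit at the end of each line of the rendered file, as an added example that is not part of the original issue and does not claim to identify its cause. The function name and the sample lines are assumptions constructed for illustration.

```python
import sys
import unicodedata

def find_suspect_chars(data: bytes):
    """Return (line, column, description) for every character that is not
    printable ASCII, a tab, or a bare LF line ending."""
    findings = []
    for lineno, raw in enumerate(data.split(b"\n"), start=1):
        try:
            text = raw.decode("utf-8")
        except UnicodeDecodeError as exc:
            # Column here is a byte offset, since the line cannot be decoded.
            findings.append((lineno, exc.start + 1,
                             f"invalid UTF-8 byte 0x{raw[exc.start]:02x}"))
            continue
        for col, ch in enumerate(text, start=1):
            if ch == "\r":
                findings.append((lineno, col, "carriage return (CRLF line ending)"))
            elif ch != "\t" and not (" " <= ch <= "~"):
                name = unicodedata.name(ch, "unnamed")
                findings.append((lineno, col, f"U+{ord(ch):04X} {name}"))
    return findings

# Constructed sample lines (not taken from the issue's actual file).
RULE = "deploy ALL=(ALL)NOPASSWD:/usr/bin/apt-get"
CLEAN = (RULE + "\n").encode("utf-8")
CRLF = (RULE + "\r\n").encode("utf-8")
NBSP = (RULE + "\u00a0\n").encode("utf-8")   # trailing no-break space
BOM = ("\ufeff" + RULE + "\n").encode("utf-8")  # leading byte order mark

if __name__ == "__main__":
    # With a path argument, scan that file; otherwise scan the samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            inputs = {sys.argv[1]: fh.read()}
    else:
        inputs = {"clean": CLEAN, "crlf": CRLF, "nbsp": NBSP, "bom": BOM}
    for label, data in inputs.items():
        for lineno, col, desc in find_suspect_chars(data):
            print(f"{label}: line {lineno}, col {col}: {desc}")
```

Run it with the path of a rendered copy of the template as the only argument; any line it prints points at a character that a text editor may not display.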