我正在尝试按照教程设置一个 ansible 用户。他们将 ansible 用户的 NOPASSWD 设置为 ALL,这样他们就可以-become
在需要时随时获取 root 权限,而无需密码。
我尝试做同样的事情,但长期以来无法得到相同的结果。运行 CentOS 8,visudo 文件中的以下行:
## Same thing without a password
%wheel ALL=(ALL) NOPASSWD: ALL
ansible ALL=(ALL) NOPASSWD: ALL
cloud_user ALL=(ALL) NOPASSWD: ALL
由于 root 登录受到限制,我使用 cloud_user 进行登录,但我仍然需要 root 才能通过 ansible 安装软件。我在互联网上浏览了列表中用户的顺序,但正如您所看到的,cloud_user 是最后一个,并且在文件中再也没有提到过。我想这应该允许我在没有密码的情况下使用root。
问题是在 sudo 命令中仍然提示 cloud_user 输入密码,并且 ansible 提示“缺少 sudo 密码”。
sudo -ll
输出:
Sudoers entry:
RunAsUsers: ALL
Options: !authenticate
Commands:
ALL
Sudoers entry:
RunAsUsers: ALL
Options: !authenticate
Commands:
ALL
Sudoers entry:
RunAsUsers: ALL
Options: !authenticate
Commands:
ALL
Sudoers entry:
RunAsUsers: ALL
Commands:
ALL
Sudoers entry:
RunAsUsers: ALL
Commands:
ALL
Sudoers entry:
RunAsUsers: ALL
Commands:
ALL
Sudoers entry:
RunAsUsers: ALL
Commands:
ALL
Sudoers entry:
RunAsUsers: ALL
Commands:
ALL
Sudoers entry:
RunAsUsers: ALL
Commands:
ALL
Sudoers entry:
RunAsUsers: ALL
Commands:
ALL
Sudoers entry:
RunAsUsers: ALL
Commands:
ALL
Sudoers entry:
RunAsUsers: ALL
Commands:
ALL
Sudoers entry:
RunAsUsers: ALL
Commands:
ALL
Sudoers entry:
RunAsUsers: ALL
Commands:
ALL
Sudoers entry:
RunAsUsers: ALL
Commands:
ALL
sudo -l -U cloud_user
输出:
Matching Defaults entries for cloud_user on [host name]:
!visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY
HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC
LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User cloud_user may run the following commands on [host name]:
(ALL) NOPASSWD: ALL
(ALL) NOPASSWD: ALL
(ALL) NOPASSWD: ALL
(ALL) ALL
(ALL) ALL
(ALL) ALL
(ALL) ALL
(ALL) ALL
(ALL) ALL
(ALL) ALL
(ALL) ALL
(ALL) ALL
(ALL) ALL
(ALL) ALL
(ALL) ALL
sudo cat /var/log/secure | grep cloud_user
输出:
Aug 27 13:23:11 localhost sshd[6222]: pam_unix(sshd:session): session opened for user cloud_user by (uid=0)
Aug 27 13:23:40 localhost sudo[6270]: cloud_user : TTY=pts/0 ; PWD=/home/cloud_user ; USER=root ; COMMAND=/bin/ls /root
Aug 27 13:23:40 localhost sudo[6270]: pam_unix(sudo:session): session opened for user root by cloud_user(uid=0)
Aug 27 13:24:03 localhost sudo[6291]: cloud_user : TTY=pts/0 ; PWD=/home/cloud_user ; USER=root ; COMMAND=/bin/cat /var/log/secure
Aug 27 13:24:03 localhost sudo[6291]: pam_unix(sudo:session): session opened for user root by cloud_user(uid=0)
答案1
如果多个配置行与请求的命令匹配cloud_user
,则最后一行获胜。不/etc/sudoers.d/90-cloud-init-users
匹配的行将覆盖包含.cloud_user
NOPASSWD
NOPASSWD
的内容/etc/sudoers.d
包含在主配置中的or指令sudoers
处(正确的语法取决于 的版本)。配置行的顺序很重要:您可以依次使用添加 sudoers 行以使其生效#includedir /etc/sudoers.d
@includedir /etc/sudoers.d
sudo
visudo -f /etc/sudoers.d/91-my-customizations
后那些由cloud-init
.
另外,检查/etc/sudo.conf
可能的插件或替代配置源。云提供商可能添加了一些自己的定制以确保他们的自动化始终能够完成其工作。