since I am noob in terms of Ansible/Semaphore I will need help. I have followed installation of Semaphore from this link: Semaphore installation on RL8
The service is running and I have created users in Semaphore WebGUI. Some of users are set as admin and the rest were not.
What it bugs me, when my colleague developer wanted to create a playbook and as a test set command (locally) to write a single file where he should not be allowed to (mounted NFS dataset and folder which only certain users have access to). The task was completed and file was written in that folder without errors or warnings about permission.
What is very interesting the file was written as "root" and group "root"...?!?!?
Why is Ansible writing files as a root user? From my understanding, it shouldn't be doing that but as a user running that playbook, right? If you need privilege escalation, you have boolean parameter "become" and also "become_user" where you defined which user you want to run that specific command.
How can I prevent ansible from running as "root" and being able to do the damage?
ansible.cfg
# Since Ansible 2.12 (core):
# To generate an example config file (a "disabled" one with all default settings, commented out):
# $ ansible-config init --disabled > ansible.cfg
#
# Also you can now have a more complete file by including existing plugins:
# ansible-config init --disabled -t all > ansible.cfg
# For previous versions of Ansible you can check for examples in the 'stable' branches of each version
# Note that this file was always incomplete and lagging changes to configuration settings
# for example, for 2.9: https://github.com/ansible/ansible/blob/stable-2.9/examples/ansible.cfg
[defaults]
host_key_checking = false
hosts
- all commented
roles folder
- empty
Semaphore config
config.json
{
"mysql": {
"host": "127.0.0.1:3306",
"user": "root",
"pass": "xxxxxxxxxxxx",
"name": "ansible-db",
"options": null
},
"bolt": {
"host": "",
"user": "",
"pass": "",
"name": "",
"options": null
},
"postgres": {
"host": "",
"user": "",
"pass": "",
"name": "",
"options": null
},
"dialect": "mysql",
"port": "",
"interface": "",
"tmp_path": "/opt/semaphore",
"cookie_hash": "xxxxxxxxxxxxxx=",
"cookie_encryption": "xxxxxxxxxxxxxx=",
"access_key_encryption": "xxxxxxxxxxxxxxx=",
"email_sender": "",
"email_host": "",
"email_port": "",
"email_username": "",
"email_password": "",
"ldap_binddn": "",
"ldap_bindpassword": "",
"ldap_server": "",
"ldap_searchdn": "",
"ldap_searchfilter": "",
"ldap_mappings": {
"dn": "",
"mail": "",
"uid": "",
"cn": ""
},
"telegram_chat": "",
"telegram_token": "",
"max_parallel_tasks": 0,
"email_alert": false,
"email_secure": false,
"telegram_alert": false,
"ldap_enable": false,
"ldap_needtls": false,
"ssh_config_path": "",
"demo_mode": false
}
Oh, one thing worth mentioning. The access is "wrapped" by nginx proxy so the access point is not 3000 but plain old 80, but this should not affect any permissions or how ansible is doing background work.
server {
listen 80;
server_name cyclops.hll.mpg.de;
client_max_body_size 0;
chunked_transfer_encoding on;
location / {
proxy_pass "http://127.0.0.1:3000/";
proxy_set_header Host $http_host;
proxy_set_header X-NginX-Proxy true;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_buffering off;
proxy_request_buffering off;
proxy_buffer_size 16k;
proxy_busy_buffers_size 24k;
proxy_buffers 64 4k;
}
location /api/ws {
proxy_pass "http://127.0.0.1:3000/api/ws";
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Origin "";
}
I hope someone can tell me what is the cause for ansible by defaut using root user instead of running user...
the issue is your Service Definition. This is running in the Background as root. I have this changed for me to my own User, who also exist on all my Nodes.
Start first of all from a Terminal and deactivate the Service First, or add:
TECIO is my User and was also the User who was executing the Setup in my case.
Dont forget: sudo rm -d -r /tmp/semaphore/
For me it was not possible to switch with remote_user or whatever exist to a other User. (Almalinux in my Case)