Open vaygr opened 10 months ago
Files identified in the description:
lib/ansible/playbook/become.py
If these files are incorrect, please update the component name section of the description or use the !component bot command.
cc @JoergFiedler @MacLemon @bcoca @dch @eest @jasperla @mekanix @opoplawski @overhacked @tuxillo
!component =plugins/become/doas.py
is 'persist' set in the doas config?
Yes.
It also doesn't matter. As the password should be handed over transparently. It works fine over SSH even without persist. As it does with sudo and su become methods.
~im going to guess doas changed and is not using stdout/stderr to prompt?~
doas (user@host) password: is exactly what you are getting?
code matches:
'doas \(' 'Password:
try setting the prompt_l10n option
Tried that, same issue. Played around with that option for su as well, works as expected.
As I mentioned, the same version of doas over SSH works just fine.
b_output is empty on a local connection, and not when connected via SSH. Checked it with:
$ ansible -Kb --become-method doas -m command -a "id" …
Also yes, unlike su it's not using stdout/stderr to prompt on a local connection.
that was not the case before, iirc it used to use stderr, but if it is bypassing that the local plugin won't be able to see the prompt. ssh plugin sees it cause even if they bypass stdout/stderr on the remote, once tunneled through ssh it appears the same as if they didn't.
I think this use-case was never tested. https://github.com/Duncaen/OpenDoas/issues/33#issuecomment-691025263 suggests doas never supported std I/O.
How can it be solved in Ansible?
i.e. is it possible to simulate non-tty behavior without touching code in https://github.com/ansible/ansible/blob/devel/lib/ansible/plugins/connection/local.py#L117-L150 ?
Not the same, Ansible is working more like 'expect' in this case than a pipe, it writes directly to the file descriptor.
This was tested and working at one point, at least when doas was in core, though it was only tested against FreeBSD at the time.
can you check if this patch fixes it?
index 69e730aad..3bc568d81 100644
--- a/plugins/become/doas.py
+++ b/plugins/become/doas.py
@@ -89,6 +89,7 @@ from ansible.plugins.become import BecomeBase
class BecomeModule(BecomeBase):
name = 'community.general.doas'
+ require_tty = True
# messages for detecting prompted password issues
fail = ('Permission denied',)
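Review bot: the new class attribute "require_tty = True" on BecomeModule has no comment saying why a tty is required, and nothing in this hunk changes how the prompt is matched. Add a one-line comment above it recording that doas does not prompt on stdout/stderr, and confirm that the local connection plugin actually reads this attribute, since the failure reported in this issue occurs only on local connections.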
Tried that back then, unfortunately no.
Summary
Become with doas works fine on ssh connections, but using local connection it doesn't, forcing a password prompt for every task in the playbook.
Issue Type
Bug Report
Component Name
doas
Ansible Version
Community.general Version
Configuration
N/A
OS / Environment
Manjaro Linux
Steps to Reproduce
Expected Results
Actual Results
Code of Conduct
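
The behaviour discussed in this thread, as an added example that is not part of the original issue and not Ansible's or doas's own code: a constructed child process writes its prompt to /dev/tty, so a parent that only captures stdout/stderr sees nothing, while the process holding the pty master sees the prompt. The name where_prompt_lands and the child script are hypothetical, and Linux pty semantics are assumed.

```python
import fcntl
import os
import pty
import select
import subprocess
import sys
import termios

# Constructed stand-in for a helper that prompts on its controlling terminal
# instead of stdout/stderr (prompt text taken from the thread).
CHILD = r'''
import os
fd = os.open("/dev/tty", os.O_WRONLY)
os.write(fd, b"doas (user@host) password: ")
os.close(fd)
'''


def where_prompt_lands():
    """Run CHILD with piped stdio and a pty as its controlling terminal."""
    master, slave = pty.openpty()
    try:
        proc = subprocess.Popen(
            [sys.executable, "-c", CHILD],
            stdin=subprocess.DEVNULL,
            stdout=subprocess.PIPE,
            stderr=subprocess.PIPE,
            start_new_session=True,  # setsid(): child starts with no controlling tty
            # Make the pty slave the child's controlling terminal before exec.
            preexec_fn=lambda: fcntl.ioctl(slave, termios.TIOCSCTTY, 0),
        )
        out, err = proc.communicate(timeout=10)
        seen_on_tty = b""
        # Anything the child wrote to /dev/tty is queued on the pty master.
        while select.select([master], [], [], 0.5)[0]:
            seen_on_tty += os.read(master, 1024)
        return {"pipes": out + err, "tty": seen_on_tty}
    finally:
        os.close(master)
        os.close(slave)


if __name__ == "__main__":
    result = where_prompt_lands()
    print("captured on stdout/stderr pipes:", result["pipes"])
    print("captured on the pty master:     ", result["tty"])
```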