cdown / ansible-aur

An Ansible module for the pacaur and yaourt package managers.

Automatically become lower-privilege user #3

Open EtiennePerot opened 7 years ago

EtiennePerot commented 7 years ago

Ansible either expects to SSH into machines as root, or to become root after SSHing through some mechanism, e.g. sudo [1]. However, neither pacaur, yaourt, nor makepkg allows executing operations as root [2]. This means that the examples in README.md currently do not work; they will fail with "you cannot perform this operation as root".

The only way I've found to use ansible-aur in a playbook that also uses other modules (e.g. Ansible's own pacman or package module) requires doing something like this:

- name: install sudo
  package:
    name: sudo
    state: latest
  register: install_sudo

- name: create build user
  user:
    name: pacaur-builder
    ...
  register: create_build_user

- name: allow build user to sudo pacman
  when:
    - install_sudo is succeeded
    - create_build_user is succeeded
  # sudoers drop-ins are written with copy/content (the file module has no
  # content parameter) and checked with visudo before being put in place
  copy:
    dest: /etc/sudoers.d/allow-build-user-to-sudo-pacman
    content: "pacaur-builder ALL=(ALL) NOPASSWD: /usr/bin/pacman\n"
    mode: "0440"
    validate: /usr/sbin/visudo -cf %s
    ...
  register: allow_build_user_to_sudo_pacman

And then each aur invocation has to include when + become + become_user directives:

- name: install a package example
  when: allow_build_user_to_sudo_pacman is succeeded
  become: yes
  become_user: pacaur-builder
  aur:
    name: my-aur-package

ansible-aur should take care of this extra setup automatically in order to avoid the extra verbosity and to make the examples on README.md work again.

cdown commented 6 years ago

I also use this with become_user. You're right that the readme should be cleared up.

The problem is that we cannot determine which user is suitable for this. We can probably use nobody by default, but I'm very skeptical that changing sudoers is right to do.

If you have a reasonably non-intrusive idea about how to change this, patches welcome. Otherwise, I'm unlikely to work on having ansible-aur directly modify sudoers.

One possibility might be dropping privs to nobody, and only building the package with that, then installing it as root. This doesn't handle problems with AUR dependencies, though, so it's non-trivial.
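As an added illustration of the "build unprivileged, install as root" split cdown sketches above (this is example playbook code, not part of ansible-aur or of this thread), the tasks below fetch and build a package as nobody with no sudoers change at all, and only the final pacman -U runs as root. The package name my-aur-package, the build directory under /var/tmp, and nobody as the build user are assumptions; no makepkg -s is used, so AUR dependencies are not resolved, which is exactly the limitation noted above.

```yaml
# Added example, not the project's own code. Assumed: package name
# my-aur-package, build dir /var/tmp/aur-build, build user nobody.
- name: install build tooling as root
  package:
    name: [base-devel, git]
    state: present

- name: build directory owned by the unprivileged build user
  file:
    path: /var/tmp/aur-build/my-aur-package
    state: directory
    owner: nobody
    group: nobody
    mode: "0755"

- name: fetch the AUR snapshot as the build user
  become: yes
  become_user: nobody
  git:
    repo: https://aur.archlinux.org/my-aur-package.git
    dest: /var/tmp/aur-build/my-aur-package
    version: master

# No -s here: dependency resolution would need pacman (root), which is the
# part this approach deliberately keeps out of the unprivileged step.
- name: build as the unprivileged user
  become: yes
  become_user: nobody
  command: makepkg --noconfirm
  args:
    chdir: /var/tmp/aur-build/my-aur-package

- name: locate the built package file(s)
  find:
    paths: /var/tmp/aur-build/my-aur-package
    patterns: "*.pkg.tar.*"
  register: built

# Only this step runs with root privileges, and only on files produced above.
- name: install the built package as root
  command: "pacman -U --noconfirm {{ built.files | map(attribute='path') | list | join(' ') }}"
  when: built.matched > 0
```

Becoming an unprivileged user from a root connection requires Ansible's remote temp directory to be usable by that user (the usual "failed to set permissions on the temporary files" error otherwise); setting remote_tmp or allow_world_readable_tmpfiles in ansible.cfg addresses that, and the pacman -U step still leaves dependency handling to a separate pacman task.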

EtiennePerot commented 6 years ago

You could add a "root_equivalent_build_user" string argument that, if set, creates that user (if it doesn't exist yet) and makes it be able to use sudo without password.

That or edit the README to list the extra steps necessary to set up a user to use the module with.