unable become root using rootsh (wrapper for shells) #49625

Closed
UnixArena opened this issue Dec 6, 2018 · 6 comments
Labels
affects_2.8 This issue/PR affects Ansible v2.8 bot_closed feature This issue/PR relates to a feature request. support:core This issue/PR relates to code supported by the Ansible Engineering Team.

Comments

@UnixArena

SUMMARY

Unable to become root where the environment uses the rootsh (wrapper shell) method to gain root access.

ISSUE TYPE
  • Feature Idea
    Allow multiple methods or custom methods to gain the root access
COMPONENT NAME

become
become_flags

ADDITIONAL INFORMATION

We gain root access using the following method:
# sudo -H rootsh

When we need to run a command without gaining the root shell:
# sudo -H rootsh -i -u root -- ls -l

@ansibot
Contributor

ansibot commented Dec 6, 2018

Files identified in the description:

If these files are inaccurate, please update the component name section of the description or use the !component bot command.


@ansibot ansibot added affects_2.8 This issue/PR affects Ansible v2.8 feature This issue/PR relates to a feature request. module This issue/PR relates to a module. needs_triage Needs a first human triage before being processed. support:core This issue/PR relates to code supported by the Ansible Engineering Team. labels Dec 6, 2018
@bcoca
Member

bcoca commented Dec 6, 2018

afaik, rootsh is not privilege escalation, just a 'logging shell', you can set the default executable to enforce using it https://docs.ansible.com/ansible/latest/reference_appendices/config.html#default-executable

@ansibot ansibot removed the needs_triage Needs a first human triage before being processed. label Dec 6, 2018
@ansibot
Contributor

ansibot commented Feb 16, 2019

Files identified in the description:

If these files are inaccurate, please update the component name section of the description or use the !component bot command.


@ansibot ansibot removed the module This issue/PR relates to a module. label Feb 16, 2019
@pborowicz

I was able to get this working by changing these lines in my ansible.cfg:

become_method=doas
ssh_args = -o ServerAliveInterval=50
sudo_exe = "sudo -H -S -n rootsh --"

It also worked with just a "sudo rootsh"

@sivel sivel added the waiting_on_contributor This would be accepted but there are no plans to actively work on it. label Jun 18, 2019
@fedexin40

fedexin40 commented Oct 25, 2019

Hello @pborowicz @bcoca @sivel

I am trying to accomplish a similar task. In my case I only have access as root with the command below:
sudo /usr/bin/rootsh -i -u root

I do not have doas installed on my server, so I tried the following ways to gain access as root:

host_key_checking             = false
# ask_pass                    = True
inventory                     = inventory/hosts
allow_world_readable_tmpfiles = true
remote_user                   = fcruzloz
executable                    = sudo /usr/bin/rootsh -i -u root
timeout                       = 50

And

host_key_checking             = false
# ask_pass                    = True
inventory                     = inventory/hosts
allow_world_readable_tmpfiles = true
remote_user                   = fcruzloz
executable                    = /bin/bash
timeout                       = 50


[privilege_escalation]
become_exe                    = sudo rootsh
become_user                   = root
become_flags                  = -i

But it does not work; every time, the server tells me that I am not allowed to run commands as sudo. Do you have any suggestions?

@ansibot
Contributor

ansibot commented Apr 12, 2022

Thank you very much for your submission to Ansible. It means a lot to us that you've taken time to contribute.

Unfortunately, this issue has been open for some time while waiting for a contributor to take it up but there does not seem to have been anyone that did so. So we are going to close this issue to clear up the queues and make it easier for contributors to browse possible implementation targets.

However, we're absolutely always up for discussion. Because this project is very active, we're unlikely to see comments made on closed tickets and we lock them after some time. If you or anyone else has any further questions, please let us know by using any of the communication methods listed in the page below:

In the future, sometimes starting a discussion on the development list prior to proposing or implementing a feature can make getting things included a little easier, but it's not always necessary.

Thank you once again for this and your interest in Ansible!


@ansibot ansibot added bot_closed and removed waiting_on_contributor This would be accepted but there are no plans to actively work on it. labels Apr 12, 2022
@ansibot ansibot closed this as completed Apr 12, 2022
@ansible ansible locked and limited conversation to collaborators Apr 19, 2022