Privilege escalation not working with connection docker #53385

Closed
jojo221119 opened this issue Mar 6, 2019 · 11 comments
Labels
  • affects_2.7: This issue/PR affects Ansible v2.7
  • cloud
  • docker
  • feature: This issue/PR relates to a feature request.
  • support:community: This issue/PR relates to code supported by the Ansible community.

Comments

jojo221119 commented Mar 6, 2019

SUMMARY

Ansible become is not working with a user different from root.
Checked with different become methods like here

For become method sudo the error message is:

"module_stderr": "[sudo via ansible, key=ptcnbeweejizxjabgoauixqsqanhxier] password: \n"

ISSUE TYPE
  • Feature Request
COMPONENT NAME

connection docker

ANSIBLE VERSION
ansible 2.7.7
  config file = /net/fe0vmc1258/fs0/develop/htj8fe/ops-tools/ansible_scripts/ansible.cfg
  configured module search path = [u'/local/home/apim_ansible/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /bin/ansible
  python version = 2.7.5 (default, Sep 12 2018, 05:31:16) [GCC 4.8.5 20150623 (Red Hat 4.8.5-36)]
CONFIGURATION
DEFAULT_TIMEOUT(ansible.cfg) = 10
OS / ENVIRONMENT

Ansible host OS RHEL7
Docker container OS Centos7

STEPS TO REPRODUCE

Start an image created by molecule (adds Python and other things to use ansible for containers) and add an additional user with permissions to become root.
Execute the playbook with connection "docker"

---
  - hosts: all
    tasks:

      - name: try become method sudo
        become: yes
        become_method: sudo
        command: whoami
        register: who
        ignore_errors: True

      - debug:
          var: who

      - name: try become method su
        become: yes
        become_method: su
        command: whoami
        register: who
        ignore_errors: True

      - debug:
          var: who

      - name: try become method sudo /bin/su
        become: yes
        become_method: sudo /bin/su -
        command: su - "test" -c whoami
        register: who
        ignore_errors: True

      - debug:
          var: who

      - name: fail
        fail:
EXPECTED RESULTS

Privilege escalation is working without any issue.

ACTUAL RESULTS

ansible-playbook -i hosts test.yml -c docker -vvvv

ansible-playbook 2.7.7
  config file = /net/fe0vmc1258/fs0/develop/htj8fe/ops-tools/ansible_scripts/ansible.cfg
  configured module search path = [u'/local/home/apim_ansible/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /bin/ansible-playbook
  python version = 2.7.5 (default, Sep 12 2018, 05:31:16) [GCC 4.8.5 20150623 (Red Hat 4.8.5-36)]
Using /net/fe0vmc1258/fs0/develop/htj8fe/ops-tools/ansible_scripts/ansible.cfg as config file
setting up inventory plugins
/net/fe0vmc1258/fs0/develop/htj8fe/ops-tools/ansible_scripts/hosts did not meet host_list requirements, check plugin documentation if this is unexpected
/net/fe0vmc1258/fs0/develop/htj8fe/ops-tools/ansible_scripts/hosts did not meet script requirements, check plugin documentation if this is unexpected
Parsed /net/fe0vmc1258/fs0/develop/htj8fe/ops-tools/ansible_scripts/hosts inventory source with ini plugin
Loading callback plugin default of type stdout, v2.0 from /usr/lib/python2.7/site-packages/ansible/plugins/callback/default.pyc

PLAYBOOK: test.yml **************************************************************************************************************************************************************************************************************************
1 plays in test.yml

PLAY [all] **********************************************************************************************************************************************************************************************************************************

TASK [Gathering Facts] **********************************************************************************************************************************************************************************************************************
task path: /net/fe0vmc1258/fs0/develop/htj8fe/ops-tools/ansible_scripts/test.yml:2
<docker_test> ESTABLISH DOCKER CONNECTION FOR USER: apim_ansible
<docker_test> EXEC ['/bin/docker', 'exec', '-u', u'apim_ansible', '-i', u'docker_test', u'/bin/sh', '-c', u"/bin/sh -c 'echo ~apim_ansible && sleep 0'"]
<docker_test> EXEC ['/bin/docker', 'exec', '-u', u'apim_ansible', '-i', u'docker_test', u'/bin/sh', '-c', u'/bin/sh -c \'( umask 77 && mkdir -p "` echo /home/apim_ansible/.ansible/tmp/ansible-tmp-1551868451.82-113832299505192 `" && echo ansible-tmp-1551868451.82-113832299505192="` echo /home/apim_ansible/.ansible/tmp/ansible-tmp-1551868451.82-113832299505192 `" ) && sleep 0\'']
Using module file /usr/lib/python2.7/site-packages/ansible/modules/system/setup.py
<docker_test> PUT /local/home/apim_ansible/.ansible/tmp/ansible-local-60877fNyu7d/tmpSIQUOE TO /home/apim_ansible/.ansible/tmp/ansible-tmp-1551868451.82-113832299505192/AnsiballZ_setup.py
<docker_test> EXEC ['/bin/docker', 'exec', '-u', u'apim_ansible', '-i', u'docker_test', u'/bin/sh', '-c', u"/bin/sh -c 'chmod u+x /home/apim_ansible/.ansible/tmp/ansible-tmp-1551868451.82-113832299505192/ /home/apim_ansible/.ansible/tmp/ansible-tmp-1551868451.82-113832299505192/AnsiballZ_setup.py && sleep 0'"]
<docker_test> EXEC ['/bin/docker', 'exec', '-u', u'apim_ansible', '-i', u'docker_test', u'/bin/sh', '-c', u"/bin/sh -c '/usr/bin/python /home/apim_ansible/.ansible/tmp/ansible-tmp-1551868451.82-113832299505192/AnsiballZ_setup.py && sleep 0'"]
<docker_test> EXEC ['/bin/docker', 'exec', '-u', u'apim_ansible', '-i', u'docker_test', u'/bin/sh', '-c', u"/bin/sh -c 'rm -f -r /home/apim_ansible/.ansible/tmp/ansible-tmp-1551868451.82-113832299505192/ > /dev/null 2>&1 && sleep 0'"]
ok: [docker_test]
META: ran handlers

TASK [try become method sudo] ***************************************************************************************************************************************************************************************************************
task path: /net/fe0vmc1258/fs0/develop/htj8fe/ops-tools/ansible_scripts/test.yml:5
<docker_test> ESTABLISH DOCKER CONNECTION FOR USER: apim_ansible
<docker_test> EXEC ['/bin/docker', 'exec', '-u', u'apim_ansible', '-i', u'docker_test', u'/bin/sh', '-c', u"/bin/sh -c 'echo ~apim_ansible && sleep 0'"]
<docker_test> EXEC ['/bin/docker', 'exec', '-u', u'apim_ansible', '-i', u'docker_test', u'/bin/sh', '-c', u'/bin/sh -c \'( umask 77 && mkdir -p "` echo /home/apim_ansible/.ansible/tmp/ansible-tmp-1551868453.52-32552275530461 `" && echo ansible-tmp-1551868453.52-32552275530461="` echo /home/apim_ansible/.ansible/tmp/ansible-tmp-1551868453.52-32552275530461 `" ) && sleep 0\'']
Using module file /usr/lib/python2.7/site-packages/ansible/modules/commands/command.py
<docker_test> PUT /local/home/apim_ansible/.ansible/tmp/ansible-local-60877fNyu7d/tmp27zHdB TO /home/apim_ansible/.ansible/tmp/ansible-tmp-1551868453.52-32552275530461/AnsiballZ_command.py
<docker_test> EXEC ['/bin/docker', 'exec', '-u', u'apim_ansible', '-i', u'docker_test', u'/bin/sh', '-c', u"/bin/sh -c 'chmod u+x /home/apim_ansible/.ansible/tmp/ansible-tmp-1551868453.52-32552275530461/ /home/apim_ansible/.ansible/tmp/ansible-tmp-1551868453.52-32552275530461/AnsiballZ_command.py && sleep 0'"]
<docker_test> EXEC ['/bin/docker', 'exec', '-u', u'apim_ansible', '-i', u'docker_test', u'/bin/sh', '-c', u'/bin/sh -c \'sudo -H -S  -p "[sudo via ansible, key=wwoieobzyhnbwezxmllsrzbwhcdwuyxd] password: " -u root /bin/sh -c \'"\'"\'echo BECOME-SUCCESS-wwoieobzyhnbwezxmllsrzbwhcdwuyxd; /usr/bin/python /home/apim_ansible/.ansible/tmp/ansible-tmp-1551868453.52-32552275530461/AnsiballZ_command.py\'"\'"\' && sleep 0\'']
<docker_test> EXEC ['/bin/docker', 'exec', '-u', u'apim_ansible', '-i', u'docker_test', u'/bin/sh', '-c', u"/bin/sh -c 'rm -f -r /home/apim_ansible/.ansible/tmp/ansible-tmp-1551868453.52-32552275530461/ > /dev/null 2>&1 && sleep 0'"]
fatal: [docker_test]: FAILED! => {
    "changed": false,
    "module_stderr": "\nWe trust you have received the usual lecture from the local System\nAdministrator. It usually boils down to these three things:\n\n    #1) Respect the privacy of others.\n    #2) Think before you type.\n    #3) With great power comes great responsibility.\n\n[sudo via ansible, key=wwoieobzyhnbwezxmllsrzbwhcdwuyxd] password: \n",
    "module_stdout": "",
    "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error",
    "rc": 1
}
...ignoring

TASK [debug] ********************************************************************************************************************************************************************************************************************************
task path: /net/fe0vmc1258/fs0/develop/htj8fe/ops-tools/ansible_scripts/test.yml:12
ok: [docker_test] => {
    "who": {
        "changed": false,
        "failed": true,
        "module_stderr": "\nWe trust you have received the usual lecture from the local System\nAdministrator. It usually boils down to these three things:\n\n    #1) Respect the privacy of others.\n    #2) Think before you type.\n    #3) With great power comes great responsibility.\n\n[sudo via ansible, key=wwoieobzyhnbwezxmllsrzbwhcdwuyxd] password: \n",
        "module_stdout": "",
        "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error",
        "rc": 1
    }
}

TASK [try become method su] *****************************************************************************************************************************************************************************************************************
task path: /net/fe0vmc1258/fs0/develop/htj8fe/ops-tools/ansible_scripts/test.yml:15
<docker_test> ESTABLISH DOCKER CONNECTION FOR USER: apim_ansible
<docker_test> EXEC ['/bin/docker', 'exec', '-u', u'apim_ansible', '-i', u'docker_test', u'/bin/sh', '-c', u"/bin/sh -c 'echo ~apim_ansible && sleep 0'"]
<docker_test> EXEC ['/bin/docker', 'exec', '-u', u'apim_ansible', '-i', u'docker_test', u'/bin/sh', '-c', u'/bin/sh -c \'( umask 77 && mkdir -p "` echo /home/apim_ansible/.ansible/tmp/ansible-tmp-1551868454.85-121843071372604 `" && echo ansible-tmp-1551868454.85-121843071372604="` echo /home/apim_ansible/.ansible/tmp/ansible-tmp-1551868454.85-121843071372604 `" ) && sleep 0\'']
Using module file /usr/lib/python2.7/site-packages/ansible/modules/commands/command.py
<docker_test> PUT /local/home/apim_ansible/.ansible/tmp/ansible-local-60877fNyu7d/tmpAiJe6X TO /home/apim_ansible/.ansible/tmp/ansible-tmp-1551868454.85-121843071372604/AnsiballZ_command.py
<docker_test> EXEC ['/bin/docker', 'exec', '-u', u'apim_ansible', '-i', u'docker_test', u'/bin/sh', '-c', u"/bin/sh -c 'chmod u+x /home/apim_ansible/.ansible/tmp/ansible-tmp-1551868454.85-121843071372604/ /home/apim_ansible/.ansible/tmp/ansible-tmp-1551868454.85-121843071372604/AnsiballZ_command.py && sleep 0'"]
<docker_test> EXEC ['/bin/docker', 'exec', '-u', u'apim_ansible', '-i', u'docker_test', u'/bin/sh', '-c', u'/bin/sh -c \'su  root -c \'"\'"\'/bin/sh -c \'"\'"\'"\'"\'"\'"\'"\'"\'echo BECOME-SUCCESS-gtcxbtqkefmwzfjnrjhsefzmqbwlblyx; /usr/bin/python /home/apim_ansible/.ansible/tmp/ansible-tmp-1551868454.85-121843071372604/AnsiballZ_command.py\'"\'"\'"\'"\'"\'"\'"\'"\'\'"\'"\' && sleep 0\'']
<docker_test> EXEC ['/bin/docker', 'exec', '-u', u'apim_ansible', '-i', u'docker_test', u'/bin/sh', '-c', u"/bin/sh -c 'rm -f -r /home/apim_ansible/.ansible/tmp/ansible-tmp-1551868454.85-121843071372604/ > /dev/null 2>&1 && sleep 0'"]
fatal: [docker_test]: FAILED! => {
    "changed": false,
    "module_stderr": "Password: su: Authentication failure\n",
    "module_stdout": "",
    "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error",
    "rc": 1
}
...ignoring

TASK [debug] ********************************************************************************************************************************************************************************************************************************
task path: /net/fe0vmc1258/fs0/develop/htj8fe/ops-tools/ansible_scripts/test.yml:22
ok: [docker_test] => {
    "who": {
        "changed": false,
        "failed": true,
        "module_stderr": "Password: su: Authentication failure\n",
        "module_stdout": "",
        "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error",
        "rc": 1
    }
}

TASK [try become method sudo /bin/su] *******************************************************************************************************************************************************************************************************
task path: /net/fe0vmc1258/fs0/develop/htj8fe/ops-tools/ansible_scripts/test.yml:25
fatal: [docker_test]: FAILED! => {
    "msg": "Internal Error: this connection module does not support running commands via sudo /bin/su -"
}
...ignoring

TASK [debug] ********************************************************************************************************************************************************************************************************************************
task path: /net/fe0vmc1258/fs0/develop/htj8fe/ops-tools/ansible_scripts/test.yml:32
ok: [docker_test] => {
    "who": {
        "failed": true,
        "msg": "Internal Error: this connection module does not support running commands via sudo /bin/su -"
    }
}

TASK [fail] *********************************************************************************************************************************************************************************************************************************
task path: /net/fe0vmc1258/fs0/develop/htj8fe/ops-tools/ansible_scripts/test.yml:35
fatal: [docker_test]: FAILED! => {
    "changed": false,
    "msg": "Failed as requested from task"
}
        to retry, use: --limit @/net/fe0vmc1258/fs0/develop/htj8fe/ops-tools/ansible_scripts/test.retry

PLAY RECAP **********************************************************************************************************************************************************************************************************************************
docker_test                : ok=7    changed=0    unreachable=0    failed=1

@jojo221119 jojo221119 added the bug This issue/PR relates to a bug. label Mar 6, 2019

ansibot commented Mar 6, 2019

Files identified in the description:

If these files are inaccurate, please update the component name section of the description or use the !component bot command.

@ansibot ansibot added affects_2.7 This issue/PR affects Ansible v2.7 cloud docker support:community This issue/PR relates to code supported by the Ansible community. labels Mar 6, 2019
@WojciechowskiPiotr

Hi,

Looking at the plugin code I would say that privilege escalation is not supported by the plugin. It inspects the container and the default exec user is root, unless it was changed in the Dockerfile with USER. The sudoable flag for the plugin has been set to False by the plugin developers. I don't know the reason, but I may guess it affected the way the plugin returns the data.

The only quick solution to test I may think of is giving the USER permission to execute sudo without password, but that will lower the container security.

In my opinion this is a feature request, not a bug.

@jojo221119

Hi,

As I detected it while looking for possibilities to run the playbooks on a test environment, the option with password-less sudo should be sufficient.

Besides that, how can this be filed as a feature request?

@WojciechowskiPiotr

+label feature
-label bug

@WojciechowskiPiotr

@objectified @lorin can you share more details on supporting privilege escalation in docker connection plugin?


lorin commented Mar 6, 2019

@WojciechowskiPiotr Alas, I have not worked on this code base in years, I'm not sure who the current maintainer is at this point for the docker connection plugin.

@felixfontein

@jojo221119 Why don't you use ansible_docker_user/ansible_user to execute something as another user in the container? That's an option of the docker connection plugin. You might be able to define it per-task (using vars:). Also, you can change the type of this issue by editing the first post and changing "Bug Report" to "Feature Request". I think that does the trick.

@lorin maintainership is essentially $team_docker, but I think nobody of us has much experience with this plugin, so it's not really maintained at the moment.

@sivel sivel added the needs_triage Needs a first human triage before being processed. label Mar 6, 2019
@ansibot ansibot removed the needs_triage Needs a first human triage before being processed. label Mar 6, 2019
@jojo221119

@felixfontein The playbooks I develop are aimed to run against real servers using the SSH connection type.
I'm currently looking for an option to test the playbooks and stumbled upon molecule which uses the docker connection to test roles so I thought I could use a similar approach to test playbooks.

@ansibot ansibot added the feature This issue/PR relates to a feature request. label Mar 7, 2019
@felixfontein

@jojo221119 yep, in that case, become support would definitely be more useful :)

@mkrizek mkrizek removed the bug This issue/PR relates to a bug. label Mar 7, 2019

larsks commented Apr 26, 2019

I just ran into this, trying to do the same thing (using containers for testing out playbooks that will ultimately run against real servers). If the plugin doesn't support privilege escalation, can we modify it to produce a more obvious error message?
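The checks a connection plugin has to perform around a become command, as an added example that is not Ansible's own code: the docker plugin at the time did none of them, so the sudo prompt and su's failure text were dumped into module_stderr as a bare MODULE FAILURE instead of being answered or reported as a password problem. The prompt format, the BECOME-SUCCESS marker and the failure messages are taken from the logs above; the sample outputs are constructed and the function and class names are my own.

```python
"""Classify the output of a become-wrapped command (added example, not Ansible code).

Ansible builds the prompt as "[sudo via ansible, key=<key>] password: " and
prefixes the wrapped command with "echo BECOME-SUCCESS-<key>"; a connection
plugin that supports become must look for both before handing output to the
module layer.
"""
import re
from enum import Enum

SUDO_PROMPT_RE = re.compile(r"\[sudo via ansible, key=(?P<key>[a-z]+)\] password: ")
SUCCESS_MARKER = "BECOME-SUCCESS-"
# Text su/sudo emit when the password is rejected (su's message is from the
# issue log; "Sorry, try again" is sudo's, added here as an assumption).
AUTH_FAILURE_MARKERS = ("Authentication failure", "Sorry, try again")


class BecomeState(Enum):
    SUCCESS = "success"                # marker seen: command ran as the become user
    NEEDS_PASSWORD = "needs_password"  # prompt seen, no password was supplied
    BAD_PASSWORD = "bad_password"      # su/sudo rejected the supplied password
    UNKNOWN = "unknown"                # none of the above: report as a failure


def classify_become_output(key, stdout, stderr):
    """Return (state, remaining_stdout) for one become attempt.

    `key` is the random string Ansible generated for this run. Only the
    marker and prompt carrying *this* key count, so stale text from another
    run cannot be mistaken for success. On success the marker line is
    stripped so the module layer sees only the real module output.
    """
    marker = SUCCESS_MARKER + key
    if marker in stdout:
        _, _, rest = stdout.partition(marker)
        return BecomeState.SUCCESS, rest.lstrip("\r\n")
    if any(m in stderr or m in stdout for m in AUTH_FAILURE_MARKERS):
        return BecomeState.BAD_PASSWORD, stdout
    match = SUDO_PROMPT_RE.search(stderr) or SUDO_PROMPT_RE.search(stdout)
    if match and match.group("key") == key:
        return BecomeState.NEEDS_PASSWORD, stdout
    return BecomeState.UNKNOWN, stdout


def become_error_message(state):
    """The message a plugin should raise instead of a bare MODULE FAILURE."""
    return {
        BecomeState.NEEDS_PASSWORD: "privilege escalation prompted for a password "
                                    "and this connection plugin did not supply one",
        BecomeState.BAD_PASSWORD: "Incorrect become password",
        BecomeState.UNKNOWN: "privilege escalation failed with unrecognised output",
    }.get(state, "")


if __name__ == "__main__":
    # Constructed samples mirroring the sudo and su failures in the issue log.
    key = "wwoieobzyhnbwezxmllsrzbwhcdwuyxd"
    for out, err in (("", "[sudo via ansible, key=%s] password: \n" % key),
                     ("", "Password: su: Authentication failure\n"),
                     ("BECOME-SUCCESS-%s\nroot\n" % key, "")):
        state, rest = classify_become_output(key, out, err)
        print(state.value, repr(rest), become_error_message(state))
```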

larsks added a commit to larsks/ansible that referenced this issue May 5, 2019
As described in ansible#53385 (and ansible#31759), the docker connection driver did
not support privilege escalation. This commit is a shameless
cut-and-paste of the privilege escalation support from the `local`
connection plugin into the `docker` plugin.

Closes: ansible#53385
larsks added a commit to larsks/ansible that referenced this issue May 5, 2019
As described in ansible#53385 (and ansible#31759), the docker connection driver did
not support privilege escalation. This commit is a shameless
cut-and-paste of the privilege escalation support from the `local`
connection plugin into the `docker` plugin.

This is a backport to stable-2.7 of ansible#55816.
felixfontein pushed a commit to felixfontein/ansible that referenced this issue May 9, 2019
As described in ansible#53385 (and ansible#31759), the docker connection driver did
not support privilege escalation. This commit is a shameless
cut-and-paste of the privilege escalation support from the `local`
connection plugin into the `docker` plugin.

Closes: ansible#53385
(cherry picked from commit 61e476b)
@ansibot ansibot closed this as completed in 61e476b May 9, 2019
larsks added a commit to larsks/ansible that referenced this issue May 10, 2019
As described in ansible#53385 (and ansible#31759), the docker connection driver did
not support privilege escalation. This commit is a shameless
cut-and-paste of the privilege escalation support from the `local`
connection plugin into the `docker` plugin.

This is a backport to stable-2.7 of ansible#55816.
abadger pushed a commit that referenced this issue May 21, 2019
…56277)

* connection/docker: add privilege escalation support (#55816)

As described in #53385 (and #31759), the docker connection driver did
not support privilege escalation. This commit is a shameless
cut-and-paste of the privilege escalation support from the `local`
connection plugin into the `docker` plugin.

Closes: #53385
(cherry picked from commit 61e476b)

* docker connection plugin: make privilege escalation code more similar to local.py (#56288)

* Make more similar to local.py

* Fix typo.

(cherry picked from commit 708bda0)
abadger pushed a commit that referenced this issue May 21, 2019
As described in #53385 (and #31759), the docker connection driver did
not support privilege escalation. This commit is a shameless
cut-and-paste of the privilege escalation support from the `local`
connection plugin into the `docker` plugin.

This is a backport to stable-2.7 of #55816.
@ansible ansible locked and limited conversation to collaborators Aug 5, 2019
bcoca pushed a commit to bcoca/ansible that referenced this issue Feb 21, 2020
As described in ansible#53385 (and ansible#31759), the docker connection driver did
not support privilege escalation. This commit is a shameless
cut-and-paste of the privilege escalation support from the `local`
connection plugin into the `docker` plugin.

Closes: ansible#53385