Ansible: how to clone a repository as other user

Question

I'm trying to write deployments rules with Ansible. Some of the steps are:

Update and Upgrade Server
Create a user called harry
Add Public and Private keys to harry
Clone a Git Repository from bitbucket.org

I want to clone the repository as harry user in his home directory (that's why I'm copying it's public and private keys). The issue is that it is not possible to specifiy a user the git clone must be executed as. So Ansible try to clone the repository as root and failed because he doesn't have rights to access the repository.

How do you solve this ?

score 30 · Answer 1 · edited Aug 20 '21 at 20:33

30

As per Ansible's documentation on Privilege Escalation, Ansible has limitations on becoming an unprivileged user as it exposes a security hole to Harry.

Using the Ansible git module, you can specify to use Harry's private key from the privileged Ansible user using the key_file parameter, and using become_user allows the cloned files to be given ownership to Harry. For example:

- name: Clone bitbucket repo
  git:
    repo: git@bitbucket.org:your-repo.git
    dest: /var/www/
    version: master
    accept_hostkey: yes
    key_file: /home/harry/.ssh/id_rsa
  become: yes
  become_user: harry

edited Aug 20 '21 at 20:33

Jens Timmerman

9,316
1
42
48

answered Sep 27 '16 at 23:32

Willem van Ketwich

5,666
7
49
57

8

adding `become: yes` is important, because if you are root, then the cloned directory will be root as well, even if you `become_user: harry` – Daniel F Aug 19 '18 at 23:40

score 8 · Answer 2 · answered Jul 26 '15 at 19:00

8

You can specify a user for every task in your playbook:

- name: Clone bitbucket repo
  git: ...
  become: yes
  become_user: harry

For more details see Ansible Privilege Escalation.

A more secure alternative to placing your private key on a remote server is to enable ssh key forwarding in the sshd config on the server and your ssh config locally. The key then never leaves your local box.

answered Jul 26 '15 at 19:00

udondan

57,263
20
190
175

3

I have ssh forwarding, and it works with root. But it does not seems to work with become_user – nha Jun 10 '16 at 16:44
1

SSH_AUTH_SOCK gets lost with become_user. Key forwarding can't work unless it's preserved. Maybe you can add it with become_flags. – Benjamin Atkin Sep 13 '16 at 23:35
1

As @BenAtkin mentioned, SSH_AUTH_SOCK gets lost, but even if you preserve it in /etc/sudoers file, you also need to give `harry` permissions to access the socket file. http://serverfault.com/questions/107187/ssh-agent-forwarding-and-sudo-to-another-user – krzychu Jan 12 '17 at 15:04

George Mogilevsky · Answer 3 · 2018-08-17T03:55:29.970

yes, you can make it work with ssh forwarding

as long as the user that you become in the git clone is part of sudoers, so he doesn't need to use sudo to execute git

So, in addition to all the configs required for key forwarding, there is a trick that even mentioned in Ansible docs. High level process is as follows: enable agent forwarding in controlling machine enable accepting agent key in target machine create a user and add him (or her:) into sudoers group use ansible's git module to clone the repo, become: your-sudoer-user

Also, to avoid any permissions denied on the host, just clone it into ~/something You can always copy or symlink to anywhere you want

here is the link to where the playbook part to add user to sudoers is shown, it is basically a copy-paste: Ansible: create a user with sudo privileges

works like a charm

Also, make sure you add your SSH public key in the general settings of BitBucket, not in the per project. Otherwise your ssh key will only work on one specific repo. But if you add the ssh key in the bitbucket general settings, it will work on all your repos

below is the code that makes it work, the suduer user is "deployer"

# the tasks to CREATE A SUDOER GROUP


- name: Make sure we have a 'wheel' group
    group:
      name: wheel
      state: present
    become: yes

  - name: Allow 'wheel' group to have passwordless sudo
    lineinfile:
      dest: /etc/sudoers
      state: present
      regexp: '^%wheel'
      line: '%wheel ALL=(ALL) NOPASSWD: ALL'
      validate: 'visudo -cf %s'
    become: yes

  - name: Add sudoers users to wheel group
    user: name=deployer groups=wheel append=yes state=present createhome=yes
    become: yes


 # tasks to ADD REPO with Ansible's GIT MODULE
  - name: Add  Git Repo - BitBucket 
    git:
      repo: 'git@bitbucket.org:<your_username>/<your_repo>.git'
      dest: ~/code  # note this destination, you will avoid permissions issues
      accept_hostkey: yes # btw, this is for the ssh key forwarding
      recursive: no
    become: deployer # this guy (or gal) is a sudoer by now

# Extra "hack" to change permissions on files AND folders in one go, it has to do with the Capital X and what it applies to and what not. Also picked up from another stackoverflow

- name: Set perms on new Code repo to deployer:deployer dirs-0755 and files-0644
    file:
      path: ~/code
      state: directory
      owner: deployer 
      group: deployer 
      mode: u=rwX,g=rX,o=rX
      recurse: yes
    become: yes

SSH_AUTH_SOCK We need to give deployer permissions to access the socket file https://serverfault.com/a/448972/253195 — Mikl, May 15 '20 at 17:50

score 0 · Answer 4 · edited Jan 10 '19 at 09:59

Yes with ssh forwarding it works. If your playbook has “become: yes” turned on globally, make sure you turn that off for the git task. The reason that it doesn’t work when you have “become: yes” is because root privilege escalation destroys ssh forwarding. I don’t think you need to become a sudoer. Because if your Ansible controlling machine is authenticated with Bitbucket using ssh key (you add ssh key into the repo) then this authentication is passed through ssh forwarding. You can test it by ssh into your target and issuing “ssh -T git@bitbucket.org” you will see in the output that the target is accepted by Bitbucket as the user of the Ansible controlling machine. So simply execute the task with explicit “become: no”. I agree about cloning into ~/something on the target. Otherwise it will cause issues of permissions. [Edit: one more thing to make it work - ⁃ Repo URL should be the ssh one not https one, without ssh:// (despite what is written in the Ansible Manual examples)] As far as the security, as mentioned above, ssh forwarding is the best.

How do you turn become: yes off globally ahead of a single task and then turn back on for all subsequent tasks? — Vishal, Aug 14 '22 at 04:35

score 0 · Answer 5 · answered May 15 '20 at 18:02

We can simply make user harry (www-data in my example) accessible by ssh with the same authorized_keys as the root. It will not be security problem, if you can connect to root you can do more anyway then if you connect as harry.

remote_user: root
tasks:
  - name: Create /var/www/.ssh
    file:
      state: directory
      owner: www-data
      group: www-data
      path: /var/www/.ssh
      mode: 0700

  - name: Copy authorized_keys to www-data
    copy:
      remote_src: yes
      src: ~/.ssh/authorized_keys
      dest: /var/www/.ssh/
      mode: 0400
      owner: www-data

  - name: Ensure www-data has shell
    lineinfile:
      path: /etc/passwd
      regexp: '^www-data:'
      line: 'www-data:x:33:33:www-data:/var/www:/bin/bash'

  - name: chown -R www-data /var/www
    file:
      owner: www-data
      path: /var/www
      recurse: yes

  - name: Git checkout application
    git:
      repo: git@gitlab.com:harry/project.git
      dest: "/var/www/project_root_dir"
      accept_hostkey: yes
    remote_user: www-data

Ansible: how to clone a repository as other user

5 Answers5

Linked