How to do privilege escalation on lookup(ini)

My test.yml

- name: Test ini
  hosts: localhost
  connection: local
  become: true

  tasks:

  - name: Verifying /etc/heat/heat.conf Configuration
    become_user: root
    become_method: sudo
    fail: msg="Unable to set in /etc/heat/heat.conf"
    when: "lookup('ini', 'max_resources_per_stack section=DEFAULT file=/etc/heat/heat.conf') != '-1'"


Error

$ ansible-playbook test.yml 
 [WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not match 'all'


PLAY [Test ini] ***********************************************************************************************************************

TASK [Gathering Facts] ****************************************************************************************************************
ok: [localhost]

TASK [Verifying /etc/heat/heat.conf Configuration] ************************************************************************************
fatal: [localhost]: FAILED! => {"msg": "The conditional check 'lookup('ini', 'max_resources_per_stack section=DEFAULT file=/etc/heat/heat.conf') != '-1'' failed. The error was: An unhandled exception occurred while running the lookup plugin 'ini'. Error was a <class 'ansible.errors.AnsibleParserError'>, original message: an error occurred while trying to read the file '/etc/heat/heat.conf': [Errno 13] Permission denied: '/etc/heat/heat.conf'\n\nThe error appears to have been in '/home/stack/test.yml': line 8, column 5, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n  - name: Verifying /etc/heat/heat.conf Configuration\n    ^ here\n"}
    to retry, use: --limit @/home/stack/test.retry

PLAY RECAP ****************************************************************************************************************************
localhost                  : ok=1    changed=0    unreachable=0    failed=1 

I don't know why it doesn't work? Modifying the ini file works with ini_file without having to specify become_user. But it doesn't work with lookup? Even though I can also run the crudini --get command in the shell.

$ ls -la /etc/heat/heat.conf 
-rw-r-----. 1 root heat 85196 May 29 01:39 /etc/heat/heat.conf

Update

The playbook only works when I run it with sudo: sudo ansible-playbook ini_test.yml

Update 2

ansible 2.6.11

bug

With the file /root/test

> ll /root/test
-rw-r----- 1 root root 30 May 29 15:09 /root/test

Playbook

- hosts: localhost
  become_user: root
  become_method: sudo
  become: yes
  tasks:
    - command: whoami
      register: result
    - debug:
        var: result.stdout
    - name: read the file
      debug:
        msg: "{{ lookup('file', '/root/test') }}"

gives (abridged):

ok: [localhost] => {
    "result.stdout": "root"
}
TASK [read the file]
fatal: [localhost]: FAILED! => {"msg": "An unhandled exception occurred while running the lookup plugin 'file'. Error was a <class 'ansible.errors.AnsibleError'>, original message: could not locate file in lookup: /root/test"}

Enabling read for everyone

> ll /root/test
-rw-r--r-- 1 root root 30 May 29 15:09 /root/test

The playbook works as expected and gives (abridged):

TASK [read the file]
ok: [localhost] => {
    "msg": "Wed May 29 15:09:43 CEST 2019"
}

For the record: How should you answer questions that lead to bug reports?
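The answer's output shows why become has no effect here: lookup plugins such as ini and file run on the control node under the user that started ansible-playbook, whereas modules such as command (the whoami task) run on the managed host, here localhost through the local connection, inside the become context. The playbook below is an added example, not part of the question or the answer; it moves the privileged read into a task, so sudo applies to it, and keeps the same `!= '-1'` check. It assumes crudini is installed where the play runs (the question says it can be run from the shell) and reuses the file path and key from the question.

```yaml
# Added example: perform the privileged read in a task, where become applies,
# instead of in a controller-side lookup, which ignores become.
- name: Check heat.conf without a lookup
  hosts: localhost
  connection: local
  become: true
  become_user: root
  become_method: sudo

  tasks:
    # The command module runs under sudo on the managed host, so the
    # root-only file is readable here. crudini exits non-zero when the
    # key or section is missing, which fails the task with its stderr.
    - name: Read max_resources_per_stack from [DEFAULT] as root
      command: crudini --get /etc/heat/heat.conf DEFAULT max_resources_per_stack
      register: max_resources
      changed_when: false

    # Same condition as the original play, now evaluated on the
    # registered output rather than on a lookup() result.
    - name: Verifying /etc/heat/heat.conf Configuration
      fail:
        msg: "max_resources_per_stack is '{{ max_resources.stdout }}' in /etc/heat/heat.conf, expected -1"
      when: max_resources.stdout != '-1'
```

The registered value is only ever compared on the control node after the task returns, so no lookup is involved and the file never has to be world-readable; the 0640 root:heat permissions on heat.conf can stay as they are.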