Ansible & rbash

Álex Sáez asked:

I want to manage a bunch of devices running /bin/rbash as the default shell with Ansible.

The problem is that Ansible always tries to execute a list of commands that rbash doesn’t like at all:

umask 77 && mkdir -p "` echo ./ansible-tmp-1460362654.19-62671997084808 `" && echo "` echo ./ansible-tmp-1460362654.19-62671997084808 `"

Any ideas how I can avoid these commands?

EDIT: To clarify: I want to change the shell Ansible uses, and there is only one user available.

My answer:


Hmm. I think you can get around this with Ansible’s raw module.

Remember that while rbash is a restricted shell, it’s entirely possible to start an unrestricted subshell; it’s meant more to prevent accidents than to provide security.

So this is what I would do. I’ve tested this and confirmed it successfully changes a restricted shell. Note that it has to prompt for a password, because chsh prompts for a password and this isn’t avoidable without root access.

---
- hosts: all
  gather_facts: False
  remote_user: username
  tasks:
    - name: change shell
      raw: "bash -c 'chsh -s /bin/bash' <<< '{{chsh_password}}' "
  vars_prompt:
    - name: "chsh_password"
      prompt: "Password"

View the full question and answer on Server Fault.
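
The raw task above depends on the bare name bash resolving on the restricted account's PATH, since rbash rejects command names that contain a slash. As an added example (not part of the original answer), this shell script lists the rbash accounts in a passwd-format file and the unrestricted shells that a given restricted PATH would resolve. The function names and fixture files are constructed for illustration; on a real host the inputs would be /etc/passwd, /etc/shells and the account's PATH.

```shell
#!/bin/sh
# Added audit example (not from the original answer); sample data is constructed.

# Print login names in a passwd(5)-format file ($1) whose login shell is rbash.
rbash_users() {
    awk -F: '$7 ~ /(^|\/)rbash$/ { print $1 }' "$1"
}

# Print each executable found in the colon-separated PATH ($1) that is named
# like an unrestricted shell from an /etc/shells-format file ($2).
# rbash refuses command names containing "/", so a shell can only be started
# from inside it when PATH resolves the bare name, as "bash -c" needs above.
# Limitation: matches by file name only, so a renamed copy is not detected.
reachable_shells() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r dir; do
        [ -n "$dir" ] || continue
        grep -v '^#' "$2" | sed 's|.*/||' | grep -vx 'rbash' | sort -u |
        while IFS= read -r name; do
            if [ -n "$name" ] && [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
                printf '%s\n' "$dir/$name"
            fi
        done
    done
}

# Build a constructed fixture (fake passwd, shells list, two bin dirs) and print its path.
make_fixture() {
    d=$(mktemp -d)
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'kiosk:x:1001:1001::/home/kiosk:/bin/rbash' > "$d/passwd"
    printf '%s\n' '# /etc/shells' /bin/sh /bin/bash /bin/rbash > "$d/shells"
    mkdir "$d/rbin" "$d/safe"
    touch "$d/rbin/ls" "$d/rbin/bash" "$d/safe/ls"
    chmod +x "$d/rbin/ls" "$d/rbin/bash" "$d/safe/ls"
    printf '%s\n' "$d"
}

fx=$(make_fixture)
echo "rbash accounts: $(rbash_users "$fx/passwd")"
echo "resolvable with PATH=rbin: $(reachable_shells "$fx/rbin" "$fx/shells")"
echo "resolvable with PATH=safe: $(reachable_shells "$fx/safe" "$fx/shells")"
rm -rf "$fx"
```

An empty result for an account's PATH means no listed shell can be started by name from its rbash session, which is the condition the playbook above would fail under.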

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.