fix(ipmi_exporter): Fix privilege escalation when running in local mode

Signed-off-by: Kaloyan Kotlarski <[email protected]>

Author: netcho

roles/ipmi_exporter/defaults/main.yml

@@ -13,6 +13,15 @@ ipmi_exporter_modules:
       - chassis
       - sel
 
+ipmi_exporter_sudo_commands:
+  - /usr/sbin/ipmimonitoring
+  - /usr/sbin/ipmi-sensors
+  - /usr/sbin/ipmi-dcmi
+  - /usr/sbin/ipmi-raw
+  - /usr/sbin/bmc-info
+  - /usr/sbin/ipmi-chassis
+  - /usr/sbin/ipmi-sel
+
 ipmi_exporter_web_listen_address: "0.0.0.0:9290"
 
 ipmi_exporter_tls_server_config: {}

roles/ipmi_exporter/tasks/configure.yml

@@ -30,3 +30,14 @@
     - ipmi_exporter
     - configure
     - ipmi_exporter_configure
+
+- name: Create sudoers file to allow passwordless IPMI commands
+  ansible.builtin.copy:
+    dest: "/etc/sudoers.d/{{ ipmi_exporter_system_user }}"
+    content: |
+      {{ ipmi_exporter_system_user }} ALL=(ALL) NOPASSWD: {{ ipmi_exporter_sudo_commands | join(', ') }}
+    owner: root
+    group: root
+    mode: '0440'
+  become: true
+  when: ipmi_exporter_system_user is defined

roles/ipmi_exporter/templates/ipmi_exporter.service.j2

@@ -23,7 +23,6 @@ RestartSec=1
 StartLimitInterval=0
 
 ProtectHome=yes
-NoNewPrivileges=yes
 
 {% if (ansible_facts.packages.systemd | first).version is version('232', '>=') %}
 ProtectSystem=strict