(Note: I wrote this up quickly and without a lot of research, so there are probably inaccuracies. However, I wanted to put this out there in case it helps someone else hitting this issue. GitHub gists like this unfortunately don't have comment notifications, so if you want to send me a comment, use my email [email protected] and not the comments.)

Problem: Can't use sudo command-limiting in Ansible

The ability to limit sudo users to only be able to execute certain commands doesn't work with Ansible (without a workaround).

This isn't a problem if you're running Ansible as a super-user like root, but if you are allowing others to run Ansible on your systems in order to do things like application deploys, then you need a way to limit their access to the system for basic security.

For example, a line in /etc/sudoers like this:

@kabturek
kabturek / keybase.md
Last active October 14, 2019 08:43
keybase.md

Keybase proof

I hereby claim:

  • I am kabturek on github.
  • I am kabturek (https://keybase.io/kabturek) on keybase.
  • I have a public key whose fingerprint is 8F0E 4930 EA6E 213F 1689 2069 FE86 3062 AF04 ED24

To claim this, I am signing this object:

def setup_env(env, environments)
Rails.stub(:env).and_return(env)
Rails.env.stub("#{env}?".to_sym).and_return(true)
environments.map { |e| Rails.env.stub("#{e}?".to_sym).and_return(false) }
end
def stub_env(new_environment, environments = ["test", "development", "staging", "production"], &block)
original_environment = Rails.env
environments.delete(new_environment)
:ruby
puts catalog_items.map { |catalog_item|
{ 'carpet_detail' => catalog_item.carpet_detail,
'carpet_style_colors_manufacturer_name' => catalog_item.carpet_style_colors_manufacturer_name,
'carpet_style_name' => catalog_item.carpet_style_name,
'scene7_source' => scene7_source(catalog_item.carpet_style_colors_scene7_image_id),
'scene7_source_product_large' => scene7_source(catalog_item.carpet_style_colors_scene7_image_id, 'product-large'),
'scene7_source_product_small' => scene7_source(catalog_item.carpet_style_colors_scene7_image_id, 'product-small'),
'scene7_source_room_scene' => scene7_source(catalog_item.carpet_scene7_room_scene_image_id) }
}.to_json
@kabturek
kabturek / check_yml_files.rb
Created July 18, 2012 08:13
Simple script to check yml files
#!/usr/bin/env ruby
# encoding: utf-8
require 'yaml'
YAML::ENGINE.yamler = 'psych' # or 'syck' for old parser
d = Dir["./**/*.yml"]
d.each do |file|
begin
puts "checking : #{file}"
@kabturek
kabturek / google_bot_aware.rb
Created May 18, 2012 11:11 — forked from rchampourlier/google_bot_aware.rb
Rack middleware to make Rails deal correctly with GoogleBot's '*/*;q=0.6' Accept header
# This Rack middleware helps solving the issue with some Rails versions which do not accept
# a '*/*;q=0.6' and their variants 'Accept' request header. This header is particularly used
# by Google Bot, and if Rails doesn't like it, it will return a 500 or 406 error to Google Bot,
# which is not the best way to get your pages indexed.
#
# References:
# - http://stackoverflow.com/questions/8881756/googlebot-receiving-missing-template-error-for-an-existing-template
# - https://github.com/rails/rails/issues/4127
#
class GoogleBotAware
@kabturek
kabturek / .osx
Created April 17, 2012 12:45
OSX configuration
# Disable menu bar transparency
defaults write NSGlobalDomain AppleEnableMenuBarTransparency -bool false
# Show remaining battery time; hide percentage
defaults write com.apple.menuextra.battery ShowPercent -string "NO"
defaults write com.apple.menuextra.battery ShowTime -string "YES"
# Always show scrollbars
defaults write NSGlobalDomain AppleShowScrollBars -string "Always"
@kabturek
kabturek / .gntrc
Created November 22, 2011 12:13
finch config for irssi layout ~/.gntrc
[general]
shadow = 0
# There is experimental mouse support
mouse = 0
# To use some custom window-manager
wm = /usr/lib/gnt/irssi.so
@kabturek
kabturek / run_tags.rb
Created November 16, 2011 21:55 — forked from tobias/run_tags.rb
A script for generating TAGS from a git hook.
#!/usr/bin/env ruby
#-*-ruby-*-
# A script to run ctags on all .rb files in a project. Can be run on
# the current dir, called from a git callback, or install itself as a
# git post-merge and post-commit callback.
CTAGS = '/opt/local/bin/ctags'
HOOKS = %w{ post-merge post-commit post-checkout }
HOOKS_DIR = '.git/hooks'
@kabturek
kabturek / .bashrc
Created September 21, 2011 20:17
Getting vim/gvim to work with Ruby versions other than the one it is compiled with. (When using vim from the Ubuntu repos, compiled against ruby1.8, with rvm using 1.9.2.)
gvim()
{
(unset GEM_PATH GEM_HOME; command gvim "$@")
}
vim()
{
(unset GEM_PATH GEM_HOME; command vim "$@")
}