Use pam_env for su commands on Centos-9

See https://access.redhat.com/errata/RHBA-2022:4082 Change-Id: Ibe4ab810ba48c9735af187d39fc34a7451c12d8a
2022-05-23 16:12:12 +01:00 · 2022-05-23 16:12:12 +01:00 · cf358f169d
parent ff61081089
commit cf358f169d
1 changed files with 15 additions and 7 deletions
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -52,13 +52,21 @@
  tags:
    - openstack_hosts-config

- name: Ensure environement is applied during sudo
-  lineinfile:
-    path: /etc/pam.d/sudo
-    line: "session    required   pam_env.so readenv=1 user_readenv=0"
-    regexp: 'session\s+required\s+pam_env\.so'
-    insertbefore: '^@include'
-  when: ansible_facts['distribution'] | lower == 'debian'
+# NOTE(jrosser) Remove this task when https://access.redhat.com/errata/RHBA-2022:4082
+# has a fix merged to Centos-9 as well as RHEL.
+- name: Ensure environement is applied during su
+  community.general.pamd:
+    name: su
+    type: auth
+    control: sufficient
+    module_path: pam_rootok.so
+    new_type: auth
+    new_control: required
+    new_module_path: pam_env.so
+    state: before
+  when:
+    - ansible_facts['distribution'] == 'CentOS'
+    - ansible_facts['distribution_version'] == '9'

 - name: Create systemd global directory
  file: