This repository has been archived by the owner on May 31, 2021. It is now read-only.

Install Cask Apps with sudo requirement #73

Closed
mindrunner opened this issue Jul 3, 2017 · 48 comments

@mindrunner

Some Cask applications require me to authenticate with my sudo password. The Ansible provisioning then just hangs forever. Is this known/expected behaviour? Putting the user into sudoers with the NOPASSWORD option works around the problem. Can we maybe have an option to pass the sudoers password to the homebrew_cask step?

@geerlingguy
Owner

Hmm, good point. I haven't run into this personally, but can you list a few with this requirement for testing?

@mindrunner
Author

One is for example "vmware-fusion". Probably "virtualbox" as well. Can give more examples later if you need.

@elliotweiser
Collaborator

elliotweiser commented Jul 8, 2017

@mindrunner IMO, the best solution is to ensure that the homebrew user is a member of the wheel group, which is given password-less sudo by default.

I just tested this role using the following casks in a vagrant environment:

  • vmware-fusion
  • virtualbox
  • java

There were no prompts for the sudo password and each of the tools appears to have been successfully installed.

homebrew:~ vagrant$ vmware-vmx -version
_RegisterApplication(), FAILED TO establish the default connection to the WindowServer, _CGSDefaultConnection() is NULL.

VMware Fusion Information:
VMware Fusion 8.5.8 build-5824040 Release

homebrew:~ vagrant$ vbox-img --version
5.1.22r115126
homebrew:~ vagrant$ java -version
java version "1.8.0_131"
Java(TM) SE Runtime Environment (build 1.8.0_131-b11)
Java HotSpot(TM) 64-Bit Server VM (build 25.131-b11, mixed mode)
homebrew:~ vagrant$

I think the simplest path forward is to just add the user to the wheel group. Thoughts?

@mindrunner
Author

Hi @geerlingguy. Thanks for getting back to me and trying to reproduce. However, I do not really agree with your observations. I don't think that the default sudo setup on macOS allows passwordless sudo. The wheel-group-access-line in sudoers is commented out by default. Maybe you changed it locally to have passwordless sudo?

On my CI-Buildnodes, which are VMs, I have passwordless sudo and everything works fine. However, on the physical Macs, I cannot go for that option for security reasons.

@elliotweiser
Collaborator

I stand corrected-- The wheel group is not given password-less sudo by default since it is commented out in the /etc/sudoers file. Also, if there's a security concern, then that's understandable. Let me see if passing the sudo password is feasible via the CLI or better yet the relevant Ansible module...

@daften
Contributor

daften commented Oct 7, 2017

@elliotweiser I'm running into this too, did you find anything?

@elliotweiser
Collaborator

@mindrunner (cc @daften) Sorry for dropping this on the floor.

I'm preparing a write-up for this, exploring SUDO_ASKPASS (see man brew-cask) and also some hacks for updating the sudo credentials cache without exposing the password.

I've explored both approaches with some success, but so far, each comes with a trade-off. Still looking into it.

References:
Homebrew/homebrew-cask#5667
Homebrew/homebrew-cask#19180
https://github.com/vitorgalvao/dotfiles/blob/fc63d06f6ce498d4c24a20d4a8ed3ba22450af7a/scripts/00_setup.sh#L5L7

@mindrunner
Author

Sweet! Thanks for the feedback. Anything I can help with?

@JulianArevalo

JulianArevalo commented Oct 14, 2017

I have a similar issue, see geerlingguy/mac-dev-playbook#53
I have made a workaround based on $SUDO_ASKPASS as mentioned by @elliotweiser that is working, but I am not sure this is very clean.
Do you think something like this would be cleaner:

tasks:
  - name: Workaround to have sudo rights until timestamp_timeout is raised
    # Quoted so YAML passes the string "true" (the no-op command), not a boolean
    command: "true"
    become: yes

Actually, just discovered that with homebrew 1.3.5, there is no issue anymore! I can run this role to install java or pdftotext cask, so it seems something has changed in homebrew, not sure in which version though.

@elliotweiser
Collaborator

> Actually, just discovered that with homebrew 1.3.5, there is no issue anymore!

That's not actually true. Make sure your user account doesn't have NOPASSWD permissions in the /etc/sudoers file, then run sudo -K and brew cask install java. You should still be prompted for a password.

My issue with the SUDO_ASKPASS approach is that, on some level, that requires exposing the sudo password in cleartext so that anyone else logged in as that user could sniff it. I think it would be less exposure to leverage the sudo credential cache by reading in the password from stdin (i.e. not exposed in the process table). Then when you're done running brew cask (un)install ..., execute sudo -K. IMO, this is the best approach I can think of that reduces the exposure of the sudo password. I have yet to test this approach in a bridged/SSH-connected inventory, so I'll get back to you on whether or not this is feasible (assuming no one beats me to it).

@elliotweiser
Collaborator

@JulianArevalo I like the approach you shared above. The trick will be re-running it/updating until all declared casks are installed. This will likely necessitate separating the downloading and the installation into separate steps (see issues I linked for context). To wrap it up, there should be a final invocation of sudo -K or equivalent (probably by passing -K to become_flags to yet another command task).

@elliotweiser
Collaborator

Regrettably, refreshing the sudo credential cache doesn't seem to work very well when the connection is SSH-based. Without ANSIBLE_SSH_PIPELINING=1, it just hangs indefinitely, and with it brew cask install seems to think that a TTY is required, even when that's not true. Still figuring out the workaround-- I'm not giving up on this yet. 🕵️ 🤔

@mindrunner
Author

Hi @elliotweiser
This is still an issue for me. Is there any progress on it?

@elliotweiser
Collaborator

@mindrunner Sorry it's still an issue. I'm gradually regaining my free time, so hopefully I can take another whack at it over the weekend.

@edrozenberg

edrozenberg commented May 27, 2018

Ran into this issue also, and there are many confusing suggestions out there, none of which work, but luckily they did inspire a solution.

The solution below works thanks to this 2016 commit that added support for the SUDO_ASKPASS env var: https://github.com/Homebrew/brew/pull/1481/files

Assumes use of --ask-become-pass when running Ansible, or telling Ansible to load a vars file containing something like ansible_become_pass: 'sudo_pass_for_target_machine'

The general approach:

  • Create an Ansible template shell script that spits out the necessary sudo password when it is run
  • Set an env var SUDO_ASKPASS in Ansible playbook task(s) with value pointing to this shell script
  • When the playbook task runs, any work requiring sudo will automatically execute the shell script to get a sudo password

Sample template - I keep it for example in <role>/templates/home/ansible/bin/sudo_askpass.tmp.sh.j2

#!/bin/sh

#
# sudo_askpass.tmp.sh
#

# NOTES:
# o This script provides a sudo password to programs that need it, when
#   referenced via the environment variable 'SUDO_ASKPASS'.
# o To make use of this script, set the SUDO_ASKPASS env var to point to it:
#   export SUDO_ASKPASS="${HOME}/.ansible/bin/sudo_askpass.tmp.sh"

# The quote filter shell-escapes the value, so passwords containing quotes survive.
printf '%s\n' {{ ansible_become_pass | quote }}

Sample playbook that installs java using this approach:

# Create Ansible bin dir in home dir
- name: create ansible bin dir in home
  file: path=~/.ansible/bin/ state=directory

# Copy temporary sudo ask pass script
- name: copy sudo ask pass script
  template:
    src:    home/ansible/bin/sudo_askpass.tmp.sh.j2
    dest:   ~/.ansible/bin/sudo_askpass.tmp.sh
    mode:   0700
    backup: no

# Install Java homebrew cask
- name: install java
  homebrew_cask:
    name: java
    state: present
  environment:
    SUDO_ASKPASS: "{{ ansible_user_dir }}/.ansible/bin/sudo_askpass.tmp.sh"

# Delete temporary sudo ask pass script
- name: delete sudo ask pass script
  file: path=~/.ansible/bin/sudo_askpass.tmp.sh state=absent

@g0t4

g0t4 commented Jun 22, 2018

How about allow passwordless sudo for the duration of running a block of tasks that install casks like java?

- name: install casks that require sudo
  block:
    - name: allow passwordless sudo
      lineinfile: 
        path: /etc/sudoers
        line: 'foo ALL=(ALL) NOPASSWD: ALL'
      become: yes
    - homebrew_cask: state=upgraded name=java
    # todo - rest of casks (or other tasks) that require sudo
  always:
    - name: disable passwordless sudo
      lineinfile:
        path: /etc/sudoers
        line: 'foo ALL=(ALL) NOPASSWD: ALL'
        state: absent
      become: yes

@jonleighton

I had success with @g0t4's approach. I was able to wire it up to the role like so (assumes a user var):

    - name: Install Homebrew packages
      block:
        - name: allow passwordless sudo
          lineinfile:
            path: /etc/sudoers
            line: '{{ user }} ALL=(ALL) NOPASSWD: ALL'
          become: yes
        - include_role:
            name: geerlingguy.homebrew
      always:
        - name: disable passwordless sudo
          lineinfile:
            path: /etc/sudoers
            line: '{{ user }} ALL=(ALL) NOPASSWD: ALL'
            state: absent
          become: yes
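
A variant of the temporary-NOPASSWD block above, as an added example that is not from the thread or the role: the rule goes into its own drop-in file that `visudo -cf` checks before it is installed, so a malformed line cannot break `/etc/sudoers`, and the `always` section deletes the file and then confirms that sudo asks for a password again. It assumes the target's `/etc/sudoers` includes `/etc/sudoers.d`, that the connection user is the same `user` var, and the drop-in name `ansible-homebrew-tmp` is hypothetical.

```yaml
# Added example: validated, temporary sudoers drop-in (not from the thread or the role).
- name: Install Homebrew packages
  block:
    - name: Allow passwordless sudo via a drop-in that visudo checks first
      copy:
        dest: /etc/sudoers.d/ansible-homebrew-tmp   # hypothetical file name
        content: "{{ user }} ALL=(ALL) NOPASSWD: ALL\n"
        owner: root
        group: wheel
        mode: "0440"
        validate: /usr/sbin/visudo -cf %s   # reject the file if it does not parse
      become: yes

    - include_role:
        name: geerlingguy.homebrew

  always:
    - name: Remove the drop-in, whether or not the installs succeeded
      file:
        path: /etc/sudoers.d/ansible-homebrew-tmp
        state: absent
      become: yes

    # Assumes the connection user is {{ user }}: -k ignores cached credentials,
    # -n refuses to prompt, so rc 0 would mean sudo still works without a password.
    - name: Confirm that sudo asks for a password again
      command: /usr/bin/sudo -k -n /usr/bin/true
      register: sudo_check
      changed_when: false
      failed_when: sudo_check.rc == 0
```

While the drop-in exists, every process running as that user can become root without a password, so the block should contain only the tasks that need it.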

@danieljaouen

Can everyone who still has this issue run a brew --version and an ansible --version for me? I'm looking into this issue, but I'm having problems replicating it with the latest Ansible and Homebrew.

@elliotweiser
Collaborator

@danieljaouen You might want to check if your /etc/sudoers file allows password-less sudo already.

@danieljaouen

My user doesn't have password-less sudo and I was correctly prompted for a password when I tried to install some of the given casks. Is it possible that this issue was corrected in one of the later versions of Ansible or Homebrew?

@danieljaouen

danieljaouen commented Oct 4, 2018

For reference, here is the output from running a brew --version:

± brew --version
Homebrew 1.7.6
Homebrew/homebrew-core (git revision 7622ef; last commit 2018-10-03)
Homebrew/homebrew-cask (git revision 0b66b1; last commit 2018-10-02)

And an ansible --version:

○ ansible --version
ansible 2.6.5
  config file = /Users/dan/.ansible.cfg
  configured module search path = [u'/Users/dan/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/Cellar/ansible/2.6.5/libexec/lib/python2.7/site-packages/ansible
  executable location = /usr/local/bin/ansible
  python version = 2.7.15 (default, Sep 18 2018, 20:16:18) [GCC 4.2.1 Compatible Apple LLVM 9.1.0 (clang-902.0.39.2)]

@mindrunner
Author

What do you mean exactly by "correctly prompted"? Since Ansible is used for automation, there is no place for prompts, imho. The goal here should be to make it possible to use ansible-become in some way, to elevate Ansible's permissions as needed without user intervention.

@danieljaouen

Oh, I see what you mean. I had assumed that the prompt for the password was eaten by Ansible, and that was what you meant when you said "hangs forever".

I will have to look into a different solution for this, then.

Thanks for the reply.

@mindrunner
Author

Yes, you are absolutely right. The main goal however, should be a fully unattended process. :)

@danieljaouen

@mindrunner You're right. Currently working on this here: ansible/ansible#46471

@Jarli01

Jarli01 commented Jul 18, 2019

Microsoft-teams is one such app, where elevation to sudo is required to install.

Sample playbook

- name: Set up Macs
  hosts: apple_workstations
  user: admin
  become: true

  vars_files:
    - /home/ansi/playbook-skeleton/vaulted_vars.yml

  vars:
    ansible_become_pass: '{{ vaulted_become_pass }}'

  pre_tasks:
    # Create Ansible bin dir in home dir
    - name: create ansible bin dir in home
      file: path=~/.ansible/bin/ state=directory

    # Copy temporary sudo ask pass script
    - name: copy sudo ask pass script
      template:
        src:    sudo_askpass.tmp.sh.j2
        dest:   ~/.ansible/bin/sudo_askpass.tmp.sh
        mode:   0700
        backup: no

  environment:
    SUDO_ASKPASS: "/usr/local/bin/sudo_askpass.tmp.sh"

  roles:
    - { role: geerlingguy.homebrew,
        homebrew_cask_apps: ['microsoft-teams','fontbase'],
        homebrew_user: admin, homebrew_group: admin,
        homebrew_cask_uninstalled_apps: ['1password','katana']}

  post_tasks:
    - name: delete sudo ask pass script
      file: path=~/.ansible/bin/sudo_askpass.tmp.sh state=absent

Resulting output

 ansible-playbook apple-big.yml -i hosts --ask-vault-pass vaulted_vars.yml -K
BECOME password:
Vault password:

PLAY [Set up Macs] **************************************************************************************************************************************************************************************************************************

TASK [Gathering Facts] **********************************************************************************************************************************************************************************************************************
Thursday 18 July 2019  11:48:09 -0400 (0:00:00.069)       0:00:00.069 *********
ok: [ip.ip.ip.ip]

TASK [create ansible bin dir in home] *******************************************************************************************************************************************************************************************************
Thursday 18 July 2019  11:48:11 -0400 (0:00:01.269)       0:00:01.338 *********
ok: [ip.ip.ip.ip]

TASK [copy sudo ask pass script] ************************************************************************************************************************************************************************************************************
Thursday 18 July 2019  11:48:11 -0400 (0:00:00.730)       0:00:02.069 *********
changed: [ip.ip.ip.ip]

TASK [elliotweiser.osx-command-line-tools : Am I running on Mac OS X?] **********************************************************************************************************************************************************************
Thursday 18 July 2019  11:48:13 -0400 (0:00:01.602)       0:00:03.672 *********
skipping: [ip.ip.ip.ip]

TASK [elliotweiser.osx-command-line-tools : Remove existing Command Line Tools installation] ************************************************************************************************************************************************
Thursday 18 July 2019  11:48:13 -0400 (0:00:00.032)       0:00:03.704 *********
[DEPRECATION WARNING]: evaluating force_install as a bare variable, this behaviour will go away and you might need to add |bool to the expression in the future. Also see CONDITIONAL_BARE_VARS configuration toggle.. This feature will be
removed in version 2.12. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
skipping: [ip.ip.ip.ip]

TASK [elliotweiser.osx-command-line-tools : Check that the Command Line Tools path is present] **********************************************************************************************************************************************
Thursday 18 July 2019  11:48:13 -0400 (0:00:00.028)       0:00:03.733 *********
ok: [ip.ip.ip.ip]

TASK [elliotweiser.osx-command-line-tools : Is the C++ compiler useable?] *******************************************************************************************************************************************************************
Thursday 18 July 2019  11:48:13 -0400 (0:00:00.474)       0:00:04.207 *********
ok: [ip.ip.ip.ip]

TASK [elliotweiser.osx-command-line-tools : Check the Command Line Tools package metadata] **************************************************************************************************************************************************
Thursday 18 July 2019  11:48:14 -0400 (0:00:00.741)       0:00:04.949 *********
ok: [ip.ip.ip.ip]

TASK [elliotweiser.osx-command-line-tools : Prepare to install Command Line Tools] **********************************************************************************************************************************************************
Thursday 18 July 2019  11:48:15 -0400 (0:00:00.498)       0:00:05.447 *********
skipping: [ip.ip.ip.ip]

TASK [elliotweiser.osx-command-line-tools : Check for Command Line Tools in Software Update list] *******************************************************************************************************************************************
Thursday 18 July 2019  11:48:15 -0400 (0:00:00.035)       0:00:05.483 *********
skipping: [ip.ip.ip.ip]

TASK [elliotweiser.osx-command-line-tools : Install Command Line Tools] *********************************************************************************************************************************************************************
Thursday 18 July 2019  11:48:15 -0400 (0:00:00.035)       0:00:05.519 *********
skipping: [ip.ip.ip.ip]

TASK [geerlingguy.homebrew : Determine Homebrew ownership variables] ************************************************************************************************************************************************************************
Thursday 18 July 2019  11:48:15 -0400 (0:00:00.036)       0:00:05.555 *********
ok: [ip.ip.ip.ip]

TASK [geerlingguy.homebrew : Ensure Homebrew parent directory has correct permissions (MacOS >= 10.13).] ************************************************************************************************************************************
Thursday 18 July 2019  11:48:15 -0400 (0:00:00.036)       0:00:05.592 *********
ok: [ip.ip.ip.ip]

TASK [geerlingguy.homebrew : Ensure Homebrew parent directory has correct permissions (MacOS < 10.13).] *************************************************************************************************************************************
Thursday 18 July 2019  11:48:15 -0400 (0:00:00.460)       0:00:06.053 *********
skipping: [ip.ip.ip.ip]

TASK [geerlingguy.homebrew : Ensure Homebrew directory exists.] *****************************************************************************************************************************************************************************
Thursday 18 July 2019  11:48:15 -0400 (0:00:00.034)       0:00:06.087 *********
ok: [ip.ip.ip.ip]

TASK [geerlingguy.homebrew : Ensure Homebrew is installed.] *********************************************************************************************************************************************************************************
Thursday 18 July 2019  11:48:16 -0400 (0:00:00.466)       0:00:06.554 *********
ok: [ip.ip.ip.ip]

TASK [geerlingguy.homebrew : Ensure proper permissions and ownership on homebrew_brew_bin_path dirs.] ***************************************************************************************************************************************
Thursday 18 July 2019  11:48:16 -0400 (0:00:00.582)       0:00:07.137 *********
ok: [ip.ip.ip.ip]

TASK [geerlingguy.homebrew : Ensure proper ownership on homebrew_install_path subdirs.] *****************************************************************************************************************************************************
Thursday 18 July 2019  11:48:17 -0400 (0:00:00.464)       0:00:07.602 *********
ok: [ip.ip.ip.ip]

TASK [geerlingguy.homebrew : Check if homebrew binary is already in place.] *****************************************************************************************************************************************************************
Thursday 18 July 2019  11:48:17 -0400 (0:00:00.454)       0:00:08.056 *********
ok: [ip.ip.ip.ip]

TASK [geerlingguy.homebrew : Symlink brew to homebrew_brew_bin_path.] ***********************************************************************************************************************************************************************
Thursday 18 July 2019  11:48:18 -0400 (0:00:00.462)       0:00:08.518 *********
skipping: [ip.ip.ip.ip]

TASK [geerlingguy.homebrew : Ensure proper homebrew folders are in place.] ******************************************************************************************************************************************************************
Thursday 18 July 2019  11:48:18 -0400 (0:00:00.035)       0:00:08.554 *********
ok: [ip.ip.ip.ip] => (item=Cellar)
ok: [ip.ip.ip.ip] => (item=Homebrew)
ok: [ip.ip.ip.ip] => (item=Frameworks)
ok: [ip.ip.ip.ip] => (item=Caskroom)
ok: [ip.ip.ip.ip] => (item=bin)
ok: [ip.ip.ip.ip] => (item=etc)
ok: [ip.ip.ip.ip] => (item=include)
ok: [ip.ip.ip.ip] => (item=lib)
ok: [ip.ip.ip.ip] => (item=opt)
ok: [ip.ip.ip.ip] => (item=sbin)
ok: [ip.ip.ip.ip] => (item=share)
ok: [ip.ip.ip.ip] => (item=share/zsh)
ok: [ip.ip.ip.ip] => (item=share/zsh/site-functions)
ok: [ip.ip.ip.ip] => (item=var)

TASK [geerlingguy.homebrew : Force update brew after installation.] *************************************************************************************************************************************************************************
Thursday 18 July 2019  11:48:24 -0400 (0:00:06.130)       0:00:14.685 *********
skipping: [ip.ip.ip.ip]

TASK [geerlingguy.homebrew : Where is the cache?] *******************************************************************************************************************************************************************************************
Thursday 18 July 2019  11:48:24 -0400 (0:00:00.045)       0:00:14.730 *********
ok: [ip.ip.ip.ip]

TASK [geerlingguy.homebrew : Ensure configured taps are tapped.] ****************************************************************************************************************************************************************************
Thursday 18 July 2019  11:48:25 -0400 (0:00:01.336)       0:00:16.067 *********
ok: [ip.ip.ip.ip] => (item=homebrew/core)
ok: [ip.ip.ip.ip] => (item=homebrew/cask)

TASK [geerlingguy.homebrew : Ensure blacklisted cask applications are not installed.] *******************************************************************************************************************************************************
Thursday 18 July 2019  11:48:28 -0400 (0:00:02.992)       0:00:19.060 *********
ok: [ip.ip.ip.ip] => (item=1password)
ok: [ip.ip.ip.ip] => (item=katana)

TASK [geerlingguy.homebrew : Install configured cask applications.] *************************************************************************************************************************************************************************
Thursday 18 July 2019  11:48:32 -0400 (0:00:03.382)       0:00:22.443 *********
failed: [ip.ip.ip.ip] (item=microsoft-teams) => {"ansible_loop_var": "item", "changed": false, "item": "microsoft-teams", "msg": "Updating Homebrew...\nsudo: unable to run /usr/local/bin/sudo_askpass.tmp.sh: No such file or directory\nError: Failure while executing; `/usr/bin/sudo -A -E -- env LOGNAME=administrative-user USER=administrative-user USERNAME=administrative-user /usr/sbin/installer -pkg /usr/local/Caskroom/microsoft-teams/1.2.00.13765/Teams_osx.pkg -target /` exited with 1. Here's the output:\nsudo: unable to run /usr/local/bin/sudo_askpass.tmp.sh: No such file or directory\nFollow the instructions here:\n  https://github.com/Homebrew/homebrew-cask#reporting-bugs\n/usr/local/Homebrew/Library/Homebrew/system_command.rb:109:in `assert_success'\n/usr/local/Homebrew/Library/Homebrew/system_command.rb:52:in `run!'\n/usr/local/Homebrew/Library/Homebrew/system_command.rb:29:in `run'\n/usr/local/Homebrew/Library/Homebrew/system_command.rb:33:in `run!'\n/usr/local/Homebrew/Library/Homebrew/cask/artifact/pkg.rb:59:in `block in run_installer'\n/usr/local/Homebrew/Library/Homebrew/cask/artifact/pkg.rb:65:in `with_choices_file'\n/usr/local/Homebrew/Library/Homebrew/cask/artifact/pkg.rb:52:in `run_installer'\n/usr/local/Homebrew/Library/Homebrew/cask/artifact/pkg.rb:34:in `install_phase'\n/usr/local/Homebrew/Library/Homebrew/cask/installer.rb:214:in `block in install_artifacts'\n/System/Library/Frameworks/Ruby.framework/Versions/2.3/usr/lib/ruby/2.3.0/set.rb:674:in `each'\n/System/Library/Frameworks/Ruby.framework/Versions/2.3/usr/lib/ruby/2.3.0/set.rb:674:in `each'\n/usr/local/Homebrew/Library/Homebrew/cask/installer.rb:205:in `install_artifacts'\n/usr/local/Homebrew/Library/Homebrew/cask/installer.rb:103:in `install'\n/usr/local/Homebrew/Library/Homebrew/cask/cmd/install.rb:23:in `block in run'\n/usr/local/Homebrew/Library/Homebrew/cask/cmd/install.rb:16:in `each'\n/usr/local/Homebrew/Library/Homebrew/cask/cmd/install.rb:16:in 
`run'\n/usr/local/Homebrew/Library/Homebrew/cask/cmd/abstract_command.rb:36:in `run'\n/usr/local/Homebrew/Library/Homebrew/cask/cmd.rb:93:in `run_command'\n/usr/local/Homebrew/Library/Homebrew/cask/cmd.rb:159:in `run'\n/usr/local/Homebrew/Library/Homebrew/cask/cmd.rb:124:in `run'\n/usr/local/Homebrew/Library/Homebrew/cmd/cask.rb:9:in `cask'\n/usr/local/Homebrew/Library/Homebrew/brew.rb:102:in `<main>'"}
ok: [ip.ip.ip.ip] => (item=fontbase)

PLAY RECAP **********************************************************************************************************************************************************************************************************************************
ip.ip.ip.ip             : ok=17   changed=1    unreachable=0    failed=1    skipped=8    rescued=0    ignored=0

Thursday 18 July 2019  11:48:47 -0400 (0:00:15.281)       0:00:37.724 *********
===============================================================================
geerlingguy.homebrew --------------------------------------------------- 32.17s
elliotweiser.osx-command-line-tools ------------------------------------- 1.88s
template ---------------------------------------------------------------- 1.60s
gather_facts ------------------------------------------------------------ 1.27s
file -------------------------------------------------------------------- 0.73s
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
total ------------------------------------------------------------------ 37.66s
Playbook run took 0 days, 0 hours, 0 minutes, 37 seconds
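
The askpass approach from the comments above, as an added example that is not part of the original thread or the role: the helper script and the SUDO_ASKPASS value are both built from one variable, so the path mismatch behind the `No such file or directory` failure in the output above cannot occur, and an `always` section removes the script even when a cask install fails. The `askpass_path` variable and the cask list are assumptions, and `ansible_become_pass` must be defined as described earlier in the thread.

```yaml
# Added example: short-lived askpass helper (not from the thread or the role).
- name: Install casks that need sudo via a temporary askpass helper
  hosts: apple_workstations          # inventory group name as used in the thread
  vars:
    # Hypothetical variable: the single source of truth for the helper's location.
    askpass_path: "{{ ansible_user_dir }}/.ansible/bin/sudo_askpass.tmp.sh"
  tasks:
    - name: Install casks with SUDO_ASKPASS set
      block:
        - name: Create a private directory for the helper
          file:
            path: "{{ askpass_path | dirname }}"
            state: directory
            mode: "0700"

        - name: Write the askpass helper (owner-only, kept out of logs and diffs)
          copy:
            dest: "{{ askpass_path }}"
            mode: "0700"
            # The quote filter shell-escapes the password before it is written.
            content: |
              #!/bin/sh
              printf '%s\n' {{ ansible_become_pass | quote }}
          no_log: true

        - name: Install casks
          homebrew_cask:
            name: "{{ item }}"
            state: present
          loop:                      # constructed sample list
            - java
            - microsoft-teams
          environment:
            SUDO_ASKPASS: "{{ askpass_path }}"

      always:
        - name: Remove the askpass helper, whether or not the installs succeeded
          file:
            path: "{{ askpass_path }}"
            state: absent
```

The password still sits in a readable file for the duration of the block, which is the exposure @elliotweiser describes above; the `0700` modes and the `always` cleanup only narrow that window.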

@Jarli01

Jarli01 commented Jul 18, 2019

As the OP stated, using visudo to edit the sudoers file with NOPASS:ALL for the administrator account does work around this, but it seems like a bad approach to have to go and do.

@elliotweiser
Collaborator

The upstream fix was purportedly merged and available in Ansible 2.8. If so, then it's time to follow this up.

@Cubixzno1

This is still quite an issue.. Is there a fix on the way? :-)

@mindrunner
Author

> This is still quite an issue.. Is there a fix on the way? :-)

Can you give more information about your issue? 2.8 was released a while ago.

@geerlingguy
Owner

Ansible 2.8's been out a while; I don't currently have this issue, so if someone can file a PR with any necessary changes I'd be happy to take a look at some point...

@elliotweiser
Collaborator

I'm reviewing some of the open PRs today, so I'll check that the homebrew module updates in 2.8 will perma-fix this.

@Cubixzno1

I’m not having problems with the “hanging”. The app works well, but I was wondering if it was possible to skip the sudo pass. For instance, when I’m trying to install adobe reader through cask it needs my password?

@mRs-

mRs- commented Oct 22, 2019

Hey there, I'm trying to install java through a cask and it's hanging for me during the installation process. Any advice for this?

@stale

stale bot commented Mar 6, 2020

This issue has been marked 'stale' due to lack of recent activity. If there is no further activity, the issue will be closed in another 30 days. Thank you for your contribution!

Please read this blog post to see the reasons why I mark issues as stale.

@stale stale bot added the stale label Mar 6, 2020
@stale

stale bot commented Apr 5, 2020

This issue has been closed due to inactivity. If you feel this is in error, please reopen the issue or file a new issue with the relevant details.

@stale stale bot closed this as completed Apr 5, 2020
@dalisoft

I have the same issue, how to resolve it? Thanks

@csjones

csjones commented May 31, 2020

Hitting this issue with ansible 2.9.9 when installing adoptopnjdk8, anka-flow, parallels, and rescuetime.

@Jarli01

Jarli01 commented Jun 2, 2020

The only way I was able to get this to work was to set up the target using visudo and add my administrative user to be allowed to use nopasswd.

This is a bit of a rough guide and actually edits the /etc/sudoers/ file; ideally you should make a file under this, i.e. /etc/sudoers/myadminaccount, which has the custom permissions for your use case.

If you break this file (/etc/sudoers) by messing up the permissions you'll be unable to make any administrative changes and have to boot into recovery mode and reset the file using the OSX Recovery terminal to mount the drive and manually edit the permissions.

@geerlingguy geerlingguy reopened this Jun 2, 2020
@stale

stale bot commented Jun 2, 2020

This issue is no longer marked for closure.

@stale stale bot removed the stale label Jun 2, 2020
@stale

stale bot commented Aug 31, 2020

This issue has been marked 'stale' due to lack of recent activity. If there is no further activity, the issue will be closed in another 30 days. Thank you for your contribution!

Please read this blog post to see the reasons why I mark issues as stale.

@stale stale bot added the stale label Aug 31, 2020
@moltar

moltar commented Sep 26, 2020

Running into this too...

@stale

stale bot commented Sep 26, 2020

This issue is no longer marked for closure.

@stale stale bot removed the stale label Sep 26, 2020
@Alfablos

Alfablos commented Nov 8, 2020

> How about allow passwordless sudo for the duration of running a block of tasks that install casks like java?
>
> - name: install casks that require sudo
>   block:
>     - name: allow passwordless sudo
>       lineinfile:
>         path: /etc/sudoers
>         line: 'foo ALL=(ALL) NOPASSWD: ALL'
>       become: yes
>     - homebrew_cask: state=upgraded name=java
>     # todo - rest of casks (or other tasks) that require sudo
>   always:
>     - name: disable passwordless sudo
>       lineinfile:
>         path: /etc/sudoers
>         line: 'foo ALL=(ALL) NOPASSWD: ALL'
>         state: absent
>       become: yes

I'm stuck at this too :( It's been a while it seems :/
I'll try @jonleighton 's solution!

@theque5t

I was able to get through this via a slight modification to the role. See below:

Changed the task at 111 in main.yml from this:

    - name: Install configured cask applications.
      homebrew_cask:
        name: "{{ item.name | default(item) }}"
        state: present
        install_options: "{{ item.install_options | default('appdir=' + homebrew_cask_appdir) }}"
        accept_external_apps: "{{ homebrew_cask_accept_external_apps }}"
      loop: "{{ homebrew_cask_apps }}"
      notify:
        - Clear homebrew cache

to this:

    - name: Install configured cask applications.
      homebrew_cask:
        name: "{{ item.name | default(item) }}"
        state: present
        install_options: "{{ item.install_options | default('appdir=' + homebrew_cask_appdir) }}"
        accept_external_apps: "{{ homebrew_cask_accept_external_apps }}"
        sudo_password: "{{ homebrew_cask_sudo_password | default(omit) }}"
      loop: "{{ homebrew_cask_apps }}"
      notify:
        - Clear homebrew cache

@snacks-lord

I am having this same exact issue while using JAMF. No safe solution yet?

@geerlingguy
Owner

geerlingguy commented May 27, 2021

Hmm... It seems like it should be simpler to support this, but I can't think of a really clean way to do it besides something like what @theque5t suggests.

We could add an optional variable homebrew_cask_sudo_password (and does that work if it's just set to '' by default?). Is there any way, if you've used the -K option (--ask-become-pass) on the command line, to have that password passed in as a variable to a task? That way at least we could save someone storing their sudo password in text somewhere...

Alternatively you could use vars_prompt to prompt for a sudo password if required.
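
The `vars_prompt` alternative mentioned above, combined with the `sudo_password` parameter from @theque5t's change, as an added example that is not the role's own code: the password is asked for once at the start of the run, is never written to a file on the controller or the target, and is kept out of task output with `no_log`. The variable name `cask_sudo_password`, the host group and the cask list are assumptions.

```yaml
# Added example: prompt once, pass the password to homebrew_cask (not the role's code).
- name: Install casks that need sudo, prompting once for the password
  hosts: apple_workstations            # inventory group name as used in the thread
  vars_prompt:
    - name: cask_sudo_password         # hypothetical variable name
      prompt: "sudo password for cask installs (leave empty if none is needed)"
      private: yes                     # do not echo the input
  tasks:
    - name: Install configured cask applications
      homebrew_cask:
        name: "{{ item }}"
        state: present
        # default(omit, true) drops the parameter entirely when the answer is
        # empty, so the module never receives '' as a password.
        sudo_password: "{{ cask_sudo_password | default(omit, true) }}"
      loop:                            # constructed sample list
        - java
        - microsoft-teams
      no_log: true                     # keep the module arguments out of the output
```

With `no_log: true` a failing item is reported without its details, so drop it temporarily on a test host when debugging a cask that will not install.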

@geerlingguy
Owner

Closing all issues in this repository in preparation for a migration to geerlingguy.mac—see #166
