# Sudo: a password is required + Incorrect sudo password

**URL:** https://discourse.roots.io/t/sudo-a-password-is-required-incorrect-sudo-password/8058
**Category:** trellis
**Created:** 2016-11-08T09:04:43Z
**Posts:** 2

## Post 1 by @DreamOn — 2016-11-08T09:04:44Z

Hello everybody,

In deploy.yml file, I add custom hook:

`deploy_initialize_before: "{{ playbook_dir }}/deploy-hooks/initialize-before.yml"`

In this hook, I would like to create a file in a directory which requires permissions, so I do this:

```
---
- name: Create file
  command: touch /var/lib/mysql/test_file
  become: yes
  become_user: admin
```

But it doesn’t work; I get this error message:

```
sudo: a password is required
```

I tried adding `--ask-become-pass`; I enter the password, but I get this error message:

```
Incorrect sudo password
```

I tried editing visudo and adding the following:

```
admin ALL=(ALL) NOPASSWD:ALL
root ALL=(ALL) NOPASSWD:ALL
```

But it doesn’t work.

Can you help me?

Thanks.

---

## Post 2 by @fullyint — 2016-11-09T20:45:52Z

@DreamOn I would have tried exactly what you described. After playing around with it, I think I understand the problem generally, although I may be incorrect on some details.

Only the user `root` has adequate permissions to create the file, but I think your task was trying as `admin`.

The `deploy.yml` playbook makes its SSH connections as the [`web_user`](https://github.com/roots/trellis/blob/9069df80034dd76b6bf78370a746a76e43e08a35/deploy.yml#L8).  
I believe your [`become_user`](http://docs.ansible.com/ansible/become.html)`: admin` parameter is similar to running `sudo -u admin touch <file>`, i.e., the `web_user` becomes `admin` and tries to touch the file, but fails because only `root` has permission.

So, you need to become `root` then `touch` the file. The `admin` user is already a sudoer so it would be easiest to use the [`remote_user`](https://github.com/lorin/ansible-quickref#task-parameters) task parameter to make this task’s SSH connection as `admin` instead of `web_user`. The `become: yes` will default to becoming the `root` user.

The following change is like SSHing as `admin` then running `sudo touch <file>`:

```
- name: Create file
   command: touch /var/lib/mysql/test_file
   become: yes
- become_user: admin
+ remote_user: admin
```
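Review bot: the leading `-` on `- name: Create file` is YAML list syntax while the `-`/`+` on the last two lines are diff markers, and the middle lines carry an extra space of indent, so this block is not valid YAML as pasted; after applying the change, `remote_user: admin` should sit at the same two-space indent as `become: yes`, as in the `file`-module version that follows.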

If I were writing the task, I’d use [Ansible’s file module](http://docs.ansible.com/ansible/file_module.html) like this:

```
- name: Create file
  file:
    dest: /var/lib/mysql/test_file
    state: touch
  become: yes
  remote_user: "{{ admin_user }}"
```

* * *

The deploy playbook intentionally only connects as the `web_user`, who has limited permissions compared to the `admin_user`. Adding `remote_user: "{{ admin_user }}"` as above breaks this pattern. This could be a problem if you want to allow limited privilege colleagues to deploy (colleagues with ability to run only as `web_user`, not `admin_user`).

If adding the `remote_user: "{{ admin_user }}"` parameter causes this problem for you, see the example of how Trellis enables the `web_user` to run [`sudo service php7.0-fpm reload`](https://github.com/roots/trellis/blob/9069df80034dd76b6bf78370a746a76e43e08a35/roles/deploy/hooks/finalize-after.yml#L34) by [adding a permission to sudoers.d.j2](https://github.com/roots/trellis/blob/9069df80034dd76b6bf78370a746a76e43e08a35/roles/users/tasks/main.yml#L41) that lets `web_user` run [sudo `service` commands](https://github.com/roots/trellis/blob/9069df80034dd76b6bf78370a746a76e43e08a35/roles/users/templates/sudoers.d.j2#L4) without a password.
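The sudoers.d approach described above, written out as an added example (this is not Trellis code and not from either post): instead of `NOPASSWD:ALL` for `admin` as tried in the first post, the rule grants `web_user` exactly one command with exactly one argument, so the deploy connection can stay as `web_user` and the server's privilege separation is preserved. Assumed here: the `web_user` and `admin_user` variables as Trellis defines them, `touch` living at `/bin/touch` (check with `which touch` on the target), and made-up names for the sudoers drop-in and the hook file.

```yaml
# Added example (not Trellis code): scope web_user's passwordless sudo to one exact
# command instead of NOPASSWD:ALL, then call that command from the deploy hook.
# Assumptions: Trellis' web_user/admin_user variables; touch at /bin/touch
# (verify with `which touch`); drop-in name and hook path are hypothetical.

# --- provisioning task, run once as admin_user (e.g. from a custom role) ---
- name: Allow web_user to touch the MySQL test file without a password
  copy:
    dest: /etc/sudoers.d/web-user-touch        # hypothetical drop-in name; no '.' or '~' in it
    content: |
      {{ web_user }} ALL=(root) NOPASSWD: /bin/touch /var/lib/mysql/test_file
    owner: root
    group: root
    mode: "0440"
    validate: "visudo -cf %s"                   # refuse to install a malformed rule
  become: yes                                   # default become_user is root

# --- deploy hook, deploy-hooks/initialize-before.yml (connection stays web_user) ---
- name: Create file via the scoped sudo rule
  command: sudo -n /bin/touch /var/lib/mysql/test_file
  args:
    creates: /var/lib/mysql/test_file           # idempotent: skip once the file exists
  # No `become: yes` here on purpose: Ansible's become wraps the command in
  # `/bin/sh -c ...`, which the sudoers rule above does not permit, so sudo
  # would fail with "a password is required". Calling sudo explicitly, as
  # Trellis does for `sudo service ... reload`, matches the rule exactly.
```

Two design points worth keeping in mind: sudoers matches the argument list literally, so listing the file path in the rule means `web_user` cannot use the rule to touch any other path, and `sudo -n` makes a missing or non-matching rule fail immediately instead of stalling the deploy on a password prompt. The `validate` step runs `visudo -c` on the staged file before it replaces anything, which is the standard guard against locking yourself out with a syntax error in sudoers.d.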
