Ansible - Privilege Escalation - Become
Change user after login (usually via sudo). Become can be set at:
- play level
- task level
Playbook options:

| Keyword       | Meaning                                                |
|---------------|--------------------------------------------------------|
| become        | enable become                                          |
| become_user   | user to become, default is root; does not imply become |
| become_method | alternate methods you could use                        |
| become_flags  | additional flags passed to the become method           |
Command line args:

| Argument                          | Meaning                                                                              |
|-----------------------------------|--------------------------------------------------------------------------------------|
| --ask-become-pass (-K for short)  | prompt for the become password; not specifying this can cause a playbook to hang     |
| --become (-b)                     | run operations with become                                                           |
| --become-method=BECOME_METHOD     | privilege escalation method to use                                                   |
| --become-user=BECOME_USER         | user to become                                                                       |
Become root by default:

  - name: Ensure the httpd service is running
    service:
      name: httpd
      state: started
    become: yes

Become apache user:

  - name: Run a command as the apache user
    command: somecommand
    become: yes
    become_user: apache
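As an added example (not from the original notes), a small least-privilege audit of the become settings in a playbook: it resolves the effective become/become_user for each task (task keywords override play keywords, become_user defaults to root and does not enable become on its own) and flags tasks that end up as root or that set become_user without become. The playbook is constructed inline as the Python equivalent of the YAML above; the function names are my own.

```python
# Added example: audit become usage in a playbook for least privilege.
# SAMPLE_PLAYBOOK is a constructed Python equivalent of a YAML playbook
# (with PyYAML installed, yaml.safe_load() on a real file gives the same shape).

def effective_become(play, task):
    """Resolve (become, become_user) for one task.

    Task keywords override play keywords; become_user defaults to root and
    setting it does not by itself turn become on."""
    become = bool(task.get("become", play.get("become", False)))
    user = task.get("become_user", play.get("become_user", "root"))
    return become, user

def audit_become(playbook):
    """Return (play name, task name, finding) tuples worth a second look."""
    findings = []
    for play in playbook:
        play_name = play.get("name", "<unnamed play>")
        for task in play.get("tasks", []):
            task_name = task.get("name", "<unnamed task>")
            become, user = effective_become(play, task)
            if "become_user" in task and not become:
                findings.append((play_name, task_name,
                    "become_user set but become is off (become_user does not imply become)"))
            elif become and user == "root":
                source = "task-level become" if "become" in task else "inherited from play-level become"
                findings.append((play_name, task_name, f"runs as root ({source})"))
    return findings

# Constructed playbook mirroring the notes: a play-wide become and one task
# that drops to the apache user, plus a second play with a common mistake.
SAMPLE_PLAYBOOK = [
    {"name": "web", "hosts": "webservers", "become": True,
     "tasks": [
         {"name": "Ensure the httpd service is running",
          "service": {"name": "httpd", "state": "started"}},
         {"name": "Run a command as the apache user",
          "command": "somecommand", "become_user": "apache"},
     ]},
    {"name": "app", "hosts": "appservers",
     "tasks": [
         {"name": "Forgot become", "command": "id", "become_user": "deploy"},
     ]},
]

if __name__ == "__main__":
    for finding in audit_become(SAMPLE_PLAYBOOK):
        print(finding)
```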
Additional variables (set per host or group in inventory or vars):

| Variable                    | Meaning                                                                          |
|-----------------------------|----------------------------------------------------------------------------------|
| ansible_user                | the connection (SSH) user Ansible logs in as; distinct from the become user       |
| ansible_become              | equivalent of the become keyword                                                 |
| ansible_become_method       | equivalent of become_method                                                      |
| ansible_become_user         | equivalent of become_user                                                        |
| ansible_become_password     | the become password (keep it out of plain-text inventory; use vault or -K)       |
| ansible_common_remote_group | group Ansible tries to chgrp module files to if setfacl and chown both fail      |
- NOTE: becoming an unprivileged user can cause complications but usually won't.
Extra info
- pipelining feature exists (fewer SSH operations per task; requires requiretty to be disabled in sudoers)
- become_method: enable enters privileged (enable) mode for network automation
Windows
Become on Windows uses the runas method:
- SeDebugPrivilege
- Turning UAC off could be used

  - name: Check my user name
    ansible.windows.win_whoami:
    become: yes