Ansible - Privilege Escalation - Become
Change user after login ( usually sudo ):
- play level
- task level
Playbook options:
| become | enable become |
| become_user | user to become, default is root, doesn’t imply become |
| become_method | alternate methods you could use |
| become_flags | additional flags …. |
Command line args:
| –ask-become-pass, -K for short) | not specifying this can cause a playbook to hang |
| –become, -b | |
| –become-method=BECOME_METHOD | |
| –become-user=BECOME_USER |
Become root by default:
- name: Ensure the httpd service is running
service:
name: httpd
state: started
become: yes
Become apache user:
- name: Run a command as the apache user
command: somecommand
become: yes
become_user: apache
| ansible_user | ssh user?????? |
Additional variables:
| ansible_become |
| ansible_become_method |
| ansible_become_user |
| ansible_become_password |
| ansible_common_remote_group |
- NOTE - Becoming an unprivileged user can cause complications but usually won’t.
Extra info
- pipelining feature exists
- enable mode for network automation
Windows
Become on windows with runas:
- SeDebugPrivilege
- Turn UAC off ( could be used )
- Check my user name
ansible.windows.win_whoami:
become: yes