Ansible - Privilege Escalation - Become
Change the user after login (usually via sudo). Become can be set at:
- play level
- task level
Command line args:
--ask-pass, -k | ask for the connection (SSH) password
--ask-become-pass, -K | ask for the become (sudo) password; not specifying this when sudo needs a password can cause a playbook to hang
--become, -b | usually sudo, to gain root privileges
--become-method=BECOME_METHOD | sudo is the default, but others such as su can be selected
--become-user=BECOME_USER | in case you want a user other than root
Playbook options (set inside the playbook; optional, the command line flags work without them):
become | enable become; does not imply prompting for a password
become_user | user to become, default is root; does not imply become
become_method | alternate become method to use
become_flags | additional flags passed to the become method
- NOTE: remote_user used to be called 'user'
- NOTE: sshpass might need to be installed before you can prompt for SSH passwords (see install page)
User and become:
ansible-playbook book.yaml # using SSH key and no need to sudo
ansible-playbook -k book.yaml # prompt for SSH password
ansible-playbook -kKb book.yaml # prompt for SSH password and sudo password
ansible-playbook -b book.yaml # works with SSH key and passwordless sudo
---
- hosts: webservers
  remote_user: admin
  become: yes
  become_user: postgres
  become_method: su
Remote user per task:
---
- hosts: webservers
  remote_user: admin
  tasks:
    - name: test connection
      ping:
      remote_user: postgres
Become on a per task level, root by default:
- name: Ensure the httpd service is running
  service:
    name: httpd
    state: started
  become: yes
Become the apache user:
- name: Run a command as the apache user
  command: somecommand
  become: yes
  become_user: apache
ISSUE
- if the become user is unprivileged, the module files copied to the remote tmp dir are made world readable (security issue: any local account on the host can read them while the task runs)
- sometimes this also doesn't work and breaks things
- workarounds exist, including pipelining (or, in v2.1 and up, chown-ing the files when they were copied as root)
- v2.1 and up won't allow world readable tmp files by default (results in an error); to allow it anyway, set this in ansible.cfg:
  [defaults]
  allow_world_readable_tmpfiles = True
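Added example (not from these notes or from the Ansible project) of the two ansible.cfg settings the workarounds above refer to: the weak one left commented out beside the preferred one. The pipelining setting assumes sudoers on the managed hosts does not set requiretty.

```ini
# Added example: ansible.cfg on the control node (not part of the original notes).
[defaults]
# Weak workaround: module files dropped in the remote temp dir are made world
# readable so the unprivileged become_user can read them. While a task runs,
# any local account on the managed host can read that module and its arguments.
# allow_world_readable_tmpfiles = True

[ssh_connection]
# Preferred: run the module over the existing SSH session's stdin, so no module
# file is written to the remote temp dir and nothing needs to be world readable.
# Assumption: sudoers on the managed hosts does not set "requiretty", otherwise
# sudo under pipelining fails.
pipelining = True
```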
More Info
List of potentially useful variables for connection, etc:
ansible_host # if different from alias
ansible_port
ansible_user # connect as user
ansible_password # prompt for password input
ansible_ssh_private_key_file
ansible_ssh_common_args # sftp, scp, and ssh
ansible_sftp_extra_args
ansible_scp_extra_args
ansible_ssh_extra_args
ansible_ssh_pipelining
ansible_ssh_executable
ansible_become # like ansible_sudo or ansible_su
ansible_become_method
ansible_become_user
ansible_become_password
Extra Info
- a pipelining feature exists (sends the module over the existing SSH connection instead of copying it to the remote tmp dir)
- enable mode for network automation (become_method: enable on network devices)
Windows
Become on Windows uses runas (become_method: runas):
- the account needs SeDebugPrivilege
- turning UAC off could be used
- check my user name:
  - name: Check my user name
    ansible.windows.win_whoami:
    become: yes