FreeKB - Ansible Understanding Become Privilege Escalation
Ansible - Understanding Become Privilege Escalation

Let's say john.doe wants to issue a command that requires elevated privileges. If sudo is not used, "permission denied" will be returned.

[john.doe@server1 ~]# reboot
reboot: Permission denied

 

Likewise, if John Doe attempts to reboot using the shell module without using sudo . . .

---
- hosts: all
  tasks:
    - name: "reboot server"
      shell: "reboot"

 

"permission denied" will be returned.

[Errno 13] Permission denied

 

On a systemd system, the systemctl command is used to reboot the system, and only root has permission to execute the systemctl command.

[john.doe@server1 ~]# ls -l /bin/systemctl
-rwxr-xr-x. 1 root root 717568 Feb  4 10:30 /bin/systemctl

 

Let's say john.doe uses sudo to invoke the reboot command.

[john.doe@server1 ~]# sudo reboot

 

If john.doe has not been added to the /etc/sudoers file, the following will be displayed.

john.doe is not in the sudoers file. This incident will be reported.

 

If john.doe has been added to the /etc/sudoers file, but has not been granted permission to the command being issued, the following will be displayed.

john.doe is not allowed to run sudo on server1.  This incident will be reported.

 

John Doe can be granted permission to the reboot command (or any other command).

 

If John Doe is granted sudo permission with password, John will be prompted to provide his password, like this.

[john.doe@server1 ~]# sudo reboot
Password for john.doe: ******

 

If John Doe is granted sudo permission with the NOPASSWD option, John will not be prompted to provide his password and the system will reboot.

[john.doe@server1 ~]# sudo reboot

 

Let's say john.doe attempts to reboot server1 using the shell module and sudo.

---
- hosts: all
  tasks:
    - name: "reboot using sudo"
      shell: "sudo reboot"

 

Assuming the following option is commented out in ansible.cfg or set to true . . .

# command_warnings = False

 

. . . and the warning has not been suppressed with the warn parameter on the task, like this . . .

- name: "reboot using sudo"
  shell: "sudo reboot"
  warn: "false"

 

Invoking the play should return the following warning.

[WARNING]: Consider using 'become', 'become_method', and 'become_user' rather than running sudo

 

As the warning suggests, "become" should be used. There are different ways to use "become":
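As an added example (not part of the original article), here is the "sudo reboot" shell task above rewritten to use become, paired with the /etc/sudoers rule that grants john.doe only the reboot command rather than unrestricted sudo. The drop-in file name and the /sbin/reboot path are assumptions.

```yaml
# Assumed sudoers drop-in, e.g. /etc/sudoers.d/john-doe-reboot (edit with
# "visudo -f"). It grants john.doe a single command as root, not "ALL", and
# NOPASSWD so a password prompt cannot stall the Ansible connection:
#
#   john.doe ALL=(root) NOPASSWD: /sbin/reboot
#
# Playbook: privilege escalation is declared with become instead of being
# hidden inside the shell string, so Ansible knows the task runs as root.
---
- hosts: all
  remote_user: john.doe
  become: true            # escalate every task in this play
  become_method: sudo     # the default; shown explicitly
  become_user: root       # the default; the account sudo switches to
  tasks:
    - name: "reboot using become"
      command: /sbin/reboot   # full path must match the sudoers rule exactly
```

If the sudoers rule omits NOPASSWD, run the play with ansible-playbook --ask-become-pass (-K) so Ansible can hand john.doe's password to sudo.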


