Bootstrap FreeKB - Ansible - Understanding Become Privilege Escalation
Ansible - Understanding Become Privilege Escalation

Updated:   |  Ansible articles

Let's say john.doe wants to issue a command that requires elevated privileges. If sudo is not used, "permission denied" will be returned.

[john.doe@server1 ~]# reboot
reboot: Permission denied

 

Likewise, if John Doe attempts to reboot using the shell module without using sudo . . .

---
- hosts: all
  tasks:
    - name: "reboot server"
      shell: "reboot"

 

"permission denied" will be returned.

[Errno 13] Permission denied

 

On a systemd system, the systemctl command is used to reboot the system, and only root has permission to execute the systemctl command.

[john.doe@server1 ~]# ls -l /bin/systemctl
-rwxr-xr-x. 1 root root 717568 Feb  4 10:30 /bin/systemctl

 

Let's say john.doe uses sudo to invoke the reboot command.

[john.doe@server1 ~]# sudo reboot

 

If john.doe has not been added to the /etc/sudoers file, the following will be displayed.

john.doe is not in the sudoers file. This incident will be reported.

 

If john.doe has been added to the /etc/sudoers file, but has not been granted permission to the command being issued, the following will be displayed.

john.doe is not allowed to run sudo on server1.  This incident will be reported.

 

John Doe can be granted permission to the reboot command (or any other command).

 

If John Doe is granted sudo permission with password, John will be prompted to provide his password, like this.

[john.doe@server1 ~]# sudo reboot
Password for john.doe: ******

 

If John Doe is granted sudo permission with the NOPASSWD option, John will not be prompted to provide his password and the system will reboot.

[john.doe@server1 ~]# sudo reboot

 

Let's say john.doe attempts to reboot server1 using the shell module and sudo.

---
- hosts: all
  tasks:
    - name: "reboot using sudo"
      shell: "sudo reboot"

 

Assuming the following option is commented out in ansible.cfg or set to true . . .

# command_warnings = False

 

. . . and you are not using the warn parameter, like this . . .

- name: "reboot using sudo"
  shell: "sudo reboot"
  warn: "false"

 

Invoking the play should return the following warning. 

[WARNING]: Consider using 'become', 'become_method', and 'become_user' rather than running sudo

 

As the warning suggests, "become" should be used. There are different ways to use "become":




Did you find this article helpful?

If so, consider buying me a coffee over at Buy Me A Coffee



Comments


Add a Comment


Please enter 31a2fa in the box below so that we can be sure you are a human.