Using Ansible, you can perform various operations on remote machines using raw commands or Ansible playbooks. By default, an Ansible playbook is executed on the remote host as the same user that invoked it on the Ansible controller. That means that if you need to run a command as another user on the remote machine, you must specify this explicitly in your Ansible playbook.
To run commands as another user, Ansible relies on the sudo (or su) facility available on Linux systems. The Ansible become directive tells Ansible to run a task as the specified user.
The target user's details are given in the playbook with the become variables: become_user names the user the task should run as, and become_pass supplies that user's password.
How to Run Ansible Tasks as Root
To run a specific command as the root user in Ansible, you can implement the become directive and set the value to ‘true.’ Doing this tells Ansible to implement sudo with no arguments when running the command.
For example, consider an Ansible playbook that updates the mysql-server package and then restarts the service. In normal Linux operations, you would need to log in as the root user to perform such tasks. In Ansible, you can simply set the become: yes directive, as shown below:
# play header added so the snippet is a complete playbook; "all" is a placeholder target
- hosts: all
  become: yes
  tasks:
    - name: Ansible run as root and update sys
      yum:
        name: mysql-server
        state: latest
    - name: Restart the MySQL service
      service:
        name: mysqld
        state: restarted
In the above playbook, we used the become directive without specifying become_user, since tasks under the become directive run as root by default.
This is equivalent to writing it as:
# play header added so the snippet is a complete playbook; "all" is a placeholder target
- hosts: all
  become: yes
  become_user: root
  tasks:
    - name: Ansible run as root and update sys
      yum:
        name: mysql-server
        state: latest
    - name: Restart the MySQL service
      service:
        name: mysqld
        state: restarted
How to Run Ansible Tasks as Sudo
To run an Ansible task as a specific user, rather than the normal root user, you can use the become_user directive and pass the user’s username to execute the task. This is quite like using the sudo -u command in Unix.
To implement the become_user directive, you must activate the become directive first, as the become_user is unusable without this directive activated.
Consider the following playbook task, in which the command is run as the nobody user.
- name: List processes as the nobody user
  command: ps aux
  become: true
  become_method: su
  become_user: nobody
  become_flags: '-s /bin/bash'
In the above playbook snippet, we used become, become_user, and the other become directives:
- become_method: This sets the privilege escalation method, such as su or sudo.
- become_user: This specifies the user to run the command as; setting it does not imply become: yes.
- become_flags: This sets the flags passed to the escalation command for the specified task.
You can now run the above playbook with ansible-playbook filename.yml and see the result for yourself. To see a task's output, register the result and print it with the debug module.
How to Run Ansible become with Password
To run a become directive that requires a password, you can tell Ansible to ask for a password when invoking the specified playbook.
For example, to run a playbook with a password, enter the command below:
You can also pass the -K flag, which does the same as the command above. For example:
Once specified, you will be prompted for the become password before the tasks execute.
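Putting the pieces together, here is an added example playbook (not from the original article) that keeps the play unprivileged and escalates per task: root for the package and service tasks, an unprivileged account for the process listing, and a debug task to show the registered output. The inventory group dbservers, the reporter account and the sudo setup for the SSH user are assumptions.

```yaml
# Added example, not from the original article.
# Assumed: inventory group "dbservers", sudo rights for the SSH user,
# and an unprivileged "reporter" account on the target host.
- hosts: dbservers
  become: false              # play default: every task stays the SSH user

  tasks:
    - name: Record which user unprivileged tasks run as
      command: id -un
      register: plain_user
      changed_when: false

    - name: Update mysql-server (root needed, so escalate for this task only)
      yum:
        name: mysql-server
        state: latest
      become: true             # no become_user, so this runs as root

    - name: Restart mysqld (root needed)
      service:
        name: mysqld
        state: restarted
      become: true

    - name: List processes as the unprivileged reporter account
      command: ps aux
      become: true             # still required; become_user alone is ignored
      become_user: reporter    # equivalent of sudo -u reporter
      register: report
      changed_when: false

    - name: Confirm the effective user of the escalated task
      command: id -un
      become: true
      become_user: reporter
      register: reporter_id
      changed_when: false

    - name: Show the registered results
      debug:
        msg:
          - "unprivileged tasks ran as: {{ plain_user.stdout }}"
          - "escalated task ran as: {{ reporter_id.stdout }}"
          - "process lines seen by reporter: {{ report.stdout_lines | length }}"
```

Run it with ansible-playbook -K site.yml so that Ansible prompts once for the sudo password and uses it for every task that sets become: true.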
NOTE: You can also use the become directive in Ansible ad hoc commands with the -b flag. To learn more, check out the documentation linked below:
https://linkfy.to/becomeDocumentation
Conclusion
After reading this article, you should now know how to use the Ansible become directive to perform privilege escalation for various tasks.
For security reasons, it is better to restrict the accounts a playbook can escalate to and to state explicitly where they are used. Privilege escalation via sudo and su is therefore an important aspect of using Ansible.