2018-03-14 19:44:21 +00:00
.. _become:
2018-02-13 15:23:55 +00:00
***** ***** ***** ***** ***** ***** *** *
Understanding Privilege Escalation
***** ***** ***** ***** ***** ***** *** *
2014-11-24 21:36:31 +00:00
Ansible can use existing privilege escalation systems to allow a user to execute tasks as another.
.. contents :: Topics
Become
2017-12-07 10:27:43 +00:00
======
2018-05-25 15:52:53 +00:00
Ansible allows you to 'become' another user, different from the user that logged into the machine (remote user). This is done using existing privilege escalation tools such as `sudo` , `su` , `pfexec` , `doas` , `pbrun` , `dzdo` , `ksu` , `runas` , `machinectl` and others.
2014-11-24 21:36:31 +00:00
2017-10-13 01:40:47 +00:00
.. note :: Prior to version 1.9, Ansible mostly allowed the use of `sudo` and a limited use of `su` to allow a login/remote user to become a different user and execute tasks and create resources with the second user's permissions. As of Ansible version 1.9, `become` supersedes the old sudo/su, while still being backwards compatible. This new implementation also makes it easier to add other privilege escalation tools, including `pbrun` (Powerbroker), `pfexec` , `dzdo` (Centrify), and others.
2016-02-05 01:35:12 +00:00
2017-12-07 10:27:43 +00:00
.. note :: Become vars and directives are independent. For example, setting `` become_user `` does not set `` become `` .
2016-02-24 15:58:40 +00:00
2016-02-05 01:35:12 +00:00
Directives
2017-12-07 10:27:43 +00:00
==========
2016-12-11 02:50:09 +00:00
These can be set from play to task level, but are overridden by connection variables as they can be host specific.
2014-11-24 21:36:31 +00:00
become
2017-12-07 10:27:43 +00:00
set to `` yes `` to activate privilege escalation.
2014-11-24 21:36:31 +00:00
become_user
2017-12-07 10:27:43 +00:00
set to user with desired privileges — the user you `become` , NOT the user you login as. Does NOT imply `` become: yes `` , to allow it to be set at host level.
2014-11-24 21:36:31 +00:00
become_method
2018-05-25 15:52:53 +00:00
(at play or task level) overrides the default method set in ansible.cfg, set to `sudo` /`su` /`pbrun` /`pfexec` /`doas` /`dzdo` /`ksu` /`runas` /`machinectl`
2014-11-24 21:36:31 +00:00
2016-08-30 19:29:00 +00:00
become_flags
2017-10-13 01:40:47 +00:00
(at play or task level) permit the use of specific flags for the tasks or role. One common use is to change the user to nobody when the shell is set to no login. Added in Ansible 2.2.
2016-08-30 19:29:00 +00:00
2016-05-27 21:54:05 +00:00
For example, to manage a system service (which requires `` root `` privileges) when connected as a non-`` root `` user (this takes advantage of the fact that the default value of `` become_user `` is `` root `` )::
- name: Ensure the httpd service is running
service:
name: httpd
2016-06-07 02:28:20 +00:00
state: started
2017-12-07 10:27:43 +00:00
become: yes
2016-05-27 21:54:05 +00:00
To run a command as the `` apache `` user::
2016-07-18 08:59:45 +00:00
- name: Run a command as the apache user
2016-05-27 21:54:05 +00:00
command: somecommand
2017-12-07 10:27:43 +00:00
become: yes
2016-05-27 21:54:05 +00:00
become_user: apache
2014-11-24 21:36:31 +00:00
2016-08-30 19:29:00 +00:00
To do something as the `` nobody `` user when the shell is nologin::
- name: Run a command as nobody
command: somecommand
2017-12-07 10:27:43 +00:00
become: yes
2016-08-30 19:29:00 +00:00
become_method: su
become_user: nobody
become_flags: '-s /bin/sh'
2016-02-05 01:35:12 +00:00
Connection variables
--------------------
Each allows you to set an option per group and/or host, these are normally defined in inventory but can be used as normal variables.
2014-11-24 21:36:31 +00:00
ansible_become
2016-02-05 01:35:12 +00:00
equivalent of the become directive, decides if privilege escalation is used or not.
2014-11-24 21:36:31 +00:00
ansible_become_method
2017-12-07 10:27:43 +00:00
which privilege escalation method should be used
2014-11-24 21:36:31 +00:00
ansible_become_user
2017-12-07 10:27:43 +00:00
set the user you become through privilege escalation; does not imply `` ansible_become: yes ``
2014-11-24 21:36:31 +00:00
ansible_become_pass
2017-12-07 10:27:43 +00:00
set the privilege escalation password. See :doc: `playbooks_vault` for details on how to avoid having secrets in plain text
2014-11-24 21:36:31 +00:00
2016-05-27 21:54:05 +00:00
For example, if you want to run all tasks as `` root `` on a server named `` webserver `` , but you can only connect as the `` manager `` user, you could use an inventory entry like this::
2017-12-07 10:27:43 +00:00
webserver ansible_user=manager ansible_become=yes
2014-11-24 21:36:31 +00:00
2017-02-08 16:50:59 +00:00
Command line options
--------------------
2014-11-24 21:36:31 +00:00
2016-02-05 01:35:12 +00:00
--ask-become-pass, -K
2017-12-07 10:27:43 +00:00
ask for privilege escalation password; does not imply become will be used. Note that this password will be used for all hosts.
2014-11-24 21:36:31 +00:00
2016-02-05 01:35:12 +00:00
--become, -b
2015-04-16 16:30:54 +00:00
run operations with become (no password implied)
2014-11-24 21:36:31 +00:00
--become-method=BECOME_METHOD
privilege escalation method to use (default=sudo),
2018-05-25 15:52:53 +00:00
valid choices: [ sudo | su | pbrun | pfexec | doas | dzdo | ksu | runas | machinectl ]
2014-11-24 21:36:31 +00:00
--become-user=BECOME_USER
2016-02-24 15:58:40 +00:00
run operations as this user (default=root), does not imply --become/-b
2014-11-24 21:36:31 +00:00
2016-02-05 01:35:12 +00:00
For those from Pre 1.9 , sudo and su still work!
------------------------------------------------
2014-11-24 21:36:31 +00:00
2016-02-05 01:35:12 +00:00
For those using old playbooks will not need to be changed, even though they are deprecated, sudo and su directives, variables and options
will continue to work. It is recommended to move to become as they may be retired at one point.
2016-02-28 21:19:20 +00:00
You cannot mix directives on the same object (become and sudo) though, Ansible will complain if you try to.
2014-11-24 21:36:31 +00:00
2016-02-05 01:35:12 +00:00
Become will default to using the old sudo/su configs and variables if they exist, but will override them if you specify any of the new ones.
2014-11-24 21:36:31 +00:00
2016-03-16 17:58:16 +00:00
Limitations
-----------
Although privilege escalation is mostly intuitive, there are a few limitations
on how it works. Users should be aware of these to avoid surprises.
Becoming an Unprivileged User
2017-12-07 10:27:43 +00:00
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2016-03-16 17:58:16 +00:00
2016-03-21 21:17:53 +00:00
Ansible 2.0.x and below has a limitation with regards to becoming an
2016-03-16 17:58:16 +00:00
unprivileged user that can be a security risk if users are not aware of it.
Ansible modules are executed on the remote machine by first substituting the
parameters into the module file, then copying the file to the remote machine,
2016-03-21 21:17:53 +00:00
and finally executing it there.
2016-03-16 17:58:16 +00:00
2016-03-21 21:17:53 +00:00
Everything is fine if the module file is executed without using `` become `` ,
when the `` become_user `` is root, or when the connection to the remote machine
is made as root. In these cases the module file is created with permissions
that only allow reading by the user and root.
The problem occurs when the `` become_user `` is an unprivileged user. Ansible
2016-04-29 13:51:04 +00:00
2.0.x and below make the module file world readable in this case, as the module
file is written as the user that Ansible connects as, but the file needs to
2016-04-27 01:16:41 +00:00
be readable by the user Ansible is set to `` become `` .
2016-03-21 21:17:53 +00:00
.. note :: In Ansible 2.1, this window is further narrowed: If the connection
2016-04-29 13:51:04 +00:00
is made as a privileged user (root), then Ansible 2.1 and above will use
2016-03-21 21:17:53 +00:00
chown to set the file's owner to the unprivileged user being switched to.
This means both the user making the connection and the user being switched
to via `` become `` must be unprivileged in order to trigger this problem.
2016-03-16 17:58:16 +00:00
2016-04-29 13:51:04 +00:00
If any of the parameters passed to the module are sensitive in nature, then
2016-03-21 21:17:53 +00:00
those pieces of data are located in a world readable module file for the
2016-04-29 13:51:04 +00:00
duration of the Ansible module execution. Once the module is done executing,
2016-03-21 21:17:53 +00:00
Ansible will delete the temporary file. If you trust the client machines then
there's no problem here. If you do not trust the client machines then this is
2016-03-16 17:58:16 +00:00
a potential danger.
Ways to resolve this include:
2018-03-14 19:44:21 +00:00
* Use `pipelining` . When pipelining is enabled, Ansible doesn't save the
2016-03-16 17:58:16 +00:00
module to a temporary file on the client. Instead it pipes the module to
2018-03-23 12:02:19 +00:00
the remote python interpreter's stdin. Pipelining does not work for
2018-04-18 15:29:28 +00:00
python modules involving file transfer (for example: :ref: `copy <copy_module>` ,
:ref: `fetch <fetch_module>` , :ref: `template <template_module>` ), or for non-python modules.
2016-03-16 17:58:16 +00:00
2016-06-17 17:01:11 +00:00
* (Available in Ansible 2.1) Install POSIX.1e filesystem acl support on the
managed host. If the temporary directory on the remote host is mounted with
POSIX acls enabled and the :command: `setfacl` tool is in the remote `` PATH ``
then Ansible will use POSIX acls to share the module file with the second
unprivileged user instead of having to make the file readable by everyone.
2016-03-21 21:17:53 +00:00
2016-03-16 17:58:16 +00:00
* Don't perform an action on the remote machine by becoming an unprivileged
user. Temporary files are protected by UNIX file permissions when you
2016-03-21 21:17:53 +00:00
`` become `` root or do not use `` become `` . In Ansible 2.1 and above, UNIX
file permissions are also secure if you make the connection to the managed
machine as root and then use `` become `` to an unprivileged account.
2016-12-22 17:26:28 +00:00
.. warning :: Although the Solaris ZFS filesystem has filesystem ACLs, the ACLs
2016-06-17 17:01:11 +00:00
are not POSIX.1e filesystem acls (they are NFSv4 ACLs instead). Ansible
cannot use these ACLs to manage its temp file permissions so you may have
to resort to `` allow_world_readable_tmpfiles `` if the remote machines use ZFS.
2016-03-21 21:17:53 +00:00
.. versionchanged :: 2.1
In addition to the additional means of doing this securely, Ansible 2.1 also
makes it harder to unknowingly do this insecurely. Whereas in Ansible 2.0.x
and below, Ansible will silently allow the insecure behaviour if it was unable
to find another way to share the files with the unprivileged user, in Ansible
2.1 and above Ansible defaults to issuing an error if it can't do this
2016-04-29 13:51:04 +00:00
securely. If you can't make any of the changes above to resolve the problem,
2016-03-21 21:17:53 +00:00
and you decide that the machine you're running on is secure enough for the
2016-04-29 13:51:04 +00:00
modules you want to run there to be world readable, you can turn on
2016-03-21 21:17:53 +00:00
`` allow_world_readable_tmpfiles `` in the :file: `ansible.cfg` file. Setting
`` allow_world_readable_tmpfiles `` will change this from an error into
a warning and allow the task to run as it did prior to 2.1.
2016-03-16 17:58:16 +00:00
Connection Plugin Support
2017-12-07 10:27:43 +00:00
^^^^^^^^^^^^^^^^^^^^^^^^^
2016-03-16 17:58:16 +00:00
Privilege escalation methods must also be supported by the connection plugin
used. Most connection plugins will warn if they do not support become. Some
will just ignore it as they always run as root (jail, chroot, etc).
Only one method may be enabled per host
2017-12-07 10:27:43 +00:00
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2016-03-16 17:58:16 +00:00
Methods cannot be chained. You cannot use `` sudo /bin/su - `` to become a user,
you need to have privileges to run the command as that user in sudo or be able
to su directly to it (the same for pbrun, pfexec or other supported methods).
Can't limit escalation to certain commands
2017-12-07 10:27:43 +00:00
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2014-11-24 21:36:31 +00:00
2016-03-16 17:58:16 +00:00
Privilege escalation permissions have to be general. Ansible does not always
use a specific command to do something but runs modules (code) from
a temporary file name which changes every time. If you have '/sbin/service'
or '/bin/chmod' as the allowed commands this will fail with ansible as those
paths won't match with the temporary file that ansible creates to run the
module.
2015-04-21 19:32:35 +00:00
2018-05-25 15:52:53 +00:00
Environment variables populated by pam_systemd
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
For most Linux distributions using `` systemd `` as their init, the default
methods used by `` become `` do not open a new "session", in the sense of
systemd. Because the `` pam_systemd `` module will not fully initialize a new
session, you might have surprises compared to a normal session opened through
ssh: some environment variables set by `` pam_systemd `` , most notably
`` XDG_RUNTIME_DIR `` , are not populated for the new user and instead inherited
or just emptied.
This might cause trouble when trying to invoke systemd commands that depend on
`` XDG_RUNTIME_DIR `` to access the bus:
.. code-block :: console
$ echo $XDG_RUNTIME_DIR
$ systemctl --user status
Failed to connect to bus: Permission denied
To force `` become `` to open a new systemd session that goes through
`` pam_systemd `` , you can use `` become_method: machinectl `` .
For more information, see `this systemd issue
<https://github.com/systemd/systemd/issues/825#issuecomment-127917622> `_.
2018-12-17 16:20:06 +00:00
.. _become_network:
2017-12-07 10:27:43 +00:00
Become and Networks
===================
2018-05-17 22:47:15 +00:00
As of version 2.6, Ansible supports `` become `` for privilege escalation (entering `` enable `` mode or privileged EXEC mode) on all :ref: `Ansible-maintained platforms<network_supported>` that support `` enable `` mode: `eos` `, ` `ios` `, and ` `nxos` `. Using ` `become` ` replaces the ` `authorize` ` and ` `auth_pass` ` options in a ` `provider` ` dictionary.
2017-12-07 10:27:43 +00:00
2018-05-17 22:47:15 +00:00
You must set the connection type to either `` connection: network_cli `` or `` connection: httpapi `` to use `` become `` for privilege escalation on network devices. Check the :ref: `platform_options` and :ref: `network_modules` documentation for details.
2017-12-07 10:27:43 +00:00
2018-05-17 22:47:15 +00:00
You can use escalated privileges on only the specific tasks that need them, on an entire play, or on all plays. Adding `` become: yes `` and `` become_method: enable `` instructs Ansible to enter `` enable `` mode before executing the task, play, or playbook where those parameters are set.
2017-12-07 10:27:43 +00:00
2018-05-15 19:04:24 +00:00
If you see this error message, the task that generated it requires `` enable `` mode to succeed:
2017-12-07 10:27:43 +00:00
.. code-block :: console
Invalid input (privileged mode required)
2018-05-15 19:04:24 +00:00
To set `` enable `` mode for a specific task, add `` become `` at the task level:
2017-12-07 10:27:43 +00:00
.. code-block :: yaml
- name: Gather facts (eos)
eos_facts:
gather_subset:
- "!hardware"
become: yes
become_method: enable
2018-05-15 19:04:24 +00:00
To set enable mode for all tasks in a single play, add `` become `` at the play level:
2017-12-07 10:27:43 +00:00
.. code-block :: yaml
- hosts: eos-switches
become: yes
become_method: enable
tasks:
- name: Gather facts (eos)
eos_facts:
gather_subset:
- "!hardware"
Setting enable mode for all tasks
---------------------------------
2018-05-15 19:04:24 +00:00
Often you wish for all tasks in all plays to run using privilege mode, that is best achieved by using `` group_vars `` :
2017-12-07 10:27:43 +00:00
**group_vars/eos.yml**
.. code-block :: yaml
ansible_connection: network_cli
ansible_network_os: eos
ansible_user: myuser
ansible_become: yes
ansible_become_method: enable
Passwords for enable mode
^^^^^^^^^^^^^^^^^^^^^^^^^
2018-05-15 19:04:24 +00:00
If you need a password to enter `` enable `` mode, you can specify it in one of two ways:
2017-12-07 10:27:43 +00:00
* providing the :option: `--ask-become-pass <ansible-playbook --ask-become-pass>` command line option
* setting the `` ansible_become_pass `` connection variable
.. warning ::
2018-05-15 19:04:24 +00:00
As a reminder passwords should never be stored in plain text. For information on encrypting your passwords and other secrets with Ansible Vault, see :doc: `playbooks_vault` .
2017-12-07 10:27:43 +00:00
authorize and auth_pass
-----------------------
2018-05-17 22:47:15 +00:00
Ansible still supports `` enable `` mode with `` connection: local `` for legacy playbooks. To enter `` enable `` mode with `` connection: local `` , use the module options `` authorize `` and `` auth_pass `` :
2017-12-07 10:27:43 +00:00
.. code-block :: yaml
- hosts: eos-switches
ansible_connection: local
tasks:
- name: Gather facts (eos)
eos_facts:
gather_subset:
- "!hardware"
provider:
authorize: yes
auth_pass: " {{ secret_auth_pass }}"
2018-05-17 22:47:15 +00:00
We recommend updating your playbooks to use `` become `` for network-device `` enable `` mode consistently. The use of `` authorize `` and of `` provider `` dictionaries will be deprecated in future. Check the :ref: `platform_options` and :ref: `network_modules` documentation for details.
2017-12-07 10:27:43 +00:00
2018-12-17 16:20:06 +00:00
.. _become_windows:
2017-12-07 10:27:43 +00:00
2017-10-13 01:40:47 +00:00
Become and Windows
2017-12-07 10:27:43 +00:00
==================
2017-10-13 01:40:47 +00:00
Since Ansible 2.3, `` become `` can be used on Windows hosts through the
`` runas `` method. Become on Windows uses the same inventory setup and
invocation arguments as `` become `` on a non-Windows host, so the setup and
variable names are the same as what is defined in this document.
While `` become `` can be used to assume the identity of another user, there are other uses for
it with Windows hosts. One important use is to bypass some of the
limitations that are imposed when running on WinRM, such as constrained network
delegation or accessing forbidden system calls like the WUA API. You can use
`` become `` with the same user as `` ansible_user `` to bypass these limitations
and run commands that are not normally accessible in a WinRM session.
Administrative Rights
---------------------
Many tasks in Windows require administrative privileges to complete. When using
2017-11-09 00:02:33 +00:00
the `` runas `` become method, Ansible will attempt to run the module with the
full privileges that are available to the remote user. If it fails to elevate
the user token, it will continue to use the limited token during execution.
2017-10-13 01:40:47 +00:00
2018-11-29 22:17:59 +00:00
A user must have the `` SeDebugPrivilege `` to run a become process with elevated
privileges. This privilege is assigned to Administrators by default. If the
2018-12-07 22:54:32 +00:00
debug privilege is not available, the become process will run with a limited
2018-11-29 22:17:59 +00:00
set of privileges and groups.
2017-11-09 00:02:33 +00:00
To determine the type of token that Ansible was able to get, run the following
2018-11-29 22:17:59 +00:00
task::
2017-11-09 00:02:33 +00:00
2018-05-14 23:33:36 +00:00
- win_whoami:
2017-11-09 00:02:33 +00:00
become: yes
2018-11-29 22:17:59 +00:00
The output will look something similar to the below::
ok: [windows] => {
"account": {
"account_name": "vagrant-domain",
"domain_name": "DOMAIN",
"sid": "S-1-5-21-3088887838-4058132883-1884671576-1105",
"type": "User"
},
"authentication_package": "Kerberos",
"changed": false,
"dns_domain_name": "DOMAIN.LOCAL",
"groups": [
{
"account_name": "Administrators",
"attributes": [
"Mandatory",
"Enabled by default",
"Enabled",
"Owner"
],
"domain_name": "BUILTIN",
"sid": "S-1-5-32-544",
"type": "Alias"
},
{
"account_name": "INTERACTIVE",
"attributes": [
"Mandatory",
"Enabled by default",
"Enabled"
],
"domain_name": "NT AUTHORITY",
"sid": "S-1-5-4",
"type": "WellKnownGroup"
},
],
"impersonation_level": "SecurityAnonymous",
"label": {
"account_name": "High Mandatory Level",
"domain_name": "Mandatory Label",
"sid": "S-1-16-12288",
"type": "Label"
},
"login_domain": "DOMAIN",
"login_time": "2018-11-18T20:35:01.9696884+00:00",
"logon_id": 114196830,
"logon_server": "DC01",
"logon_type": "Interactive",
"privileges": {
"SeBackupPrivilege": "disabled",
"SeChangeNotifyPrivilege": "enabled-by-default",
"SeCreateGlobalPrivilege": "enabled-by-default",
"SeCreatePagefilePrivilege": "disabled",
"SeCreateSymbolicLinkPrivilege": "disabled",
"SeDebugPrivilege": "enabled",
"SeDelegateSessionUserImpersonatePrivilege": "disabled",
"SeImpersonatePrivilege": "enabled-by-default",
"SeIncreaseBasePriorityPrivilege": "disabled",
"SeIncreaseQuotaPrivilege": "disabled",
"SeIncreaseWorkingSetPrivilege": "disabled",
"SeLoadDriverPrivilege": "disabled",
"SeManageVolumePrivilege": "disabled",
"SeProfileSingleProcessPrivilege": "disabled",
"SeRemoteShutdownPrivilege": "disabled",
"SeRestorePrivilege": "disabled",
"SeSecurityPrivilege": "disabled",
"SeShutdownPrivilege": "disabled",
"SeSystemEnvironmentPrivilege": "disabled",
"SeSystemProfilePrivilege": "disabled",
"SeSystemtimePrivilege": "disabled",
"SeTakeOwnershipPrivilege": "disabled",
"SeTimeZonePrivilege": "disabled",
"SeUndockPrivilege": "disabled"
},
"rights": [
"SeNetworkLogonRight",
"SeBatchLogonRight",
"SeInteractiveLogonRight",
"SeRemoteInteractiveLogonRight"
],
"token_type": "TokenPrimary",
"upn": "vagrant-domain@DOMAIN.LOCAL",
"user_flags": []
}
Under the `` label `` key, the `` account_name `` entry determines whether the user
has Administrative rights. Here are the labels that can be returned and what
they represent:
2017-11-09 00:02:33 +00:00
* `` Medium `` : Ansible failed to get an elevated token and ran under a limited
token. Only a subset of the privileges assigned to user are available during
the module execution and the user does not have administrative rights.
* `` High `` : An elevated token was used and all the privileges assigned to the
user are available during the module execution.
* `` System `` : The `` NT AUTHORITY\System `` account is used and has the highest
level of privileges available.
The output will also show the list of privileges that have been granted to the
2018-11-29 22:17:59 +00:00
user. When the privilege value is `` disabled `` , the privilege is assigned to
the logon token but has not been enabled. In most scenarios these privileges
are automatically enabled when required.
2017-11-09 00:02:33 +00:00
If running on a version of Ansible that is older than 2.5 or the normal
`` runas `` escalation process fails, an elevated token can be retrieved by:
2017-10-13 01:40:47 +00:00
* Set the `` become_user `` to `` System `` which has full control over the
operating system.
* Grant `` SeTcbPrivilege `` to the user Ansible connects with on
WinRM. `` SeTcbPrivilege `` is a high-level privilege that grants
full control over the operating system. No user is given this privilege by
2017-12-07 10:27:43 +00:00
default, and care should be taken if you grant this privilege to a user or group.
2017-10-13 01:40:47 +00:00
For more information on this privilege, please see
2018-08-13 19:54:14 +00:00
`Act as part of the operating system <https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn221957(v=ws.11)> `_ .
2017-10-13 01:40:47 +00:00
You can use the below task to set this privilege on a Windows host::
- name: grant the ansible user the SeTcbPrivilege right
win_user_right:
name: SeTcbPrivilege
users: '{{ansible_user}}'
action: add
* Turn UAC off on the host and reboot before trying to become the user. UAC is
a security protocol that is designed to run accounts with the
`` least privilege `` principle. You can turn UAC off by running the following
tasks::
- name: turn UAC off
win_regedit:
path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
name: EnableLUA
data: 0
type: dword
state: present
register: uac_result
2017-12-07 10:27:43 +00:00
2017-10-13 01:40:47 +00:00
- name: reboot after disabling UAC
win_reboot:
2017-11-27 22:58:08 +00:00
when: uac_result is changed
2017-10-13 01:40:47 +00:00
2017-11-09 00:02:33 +00:00
.. Note :: Granting the `` SeTcbPrivilege `` or turning UAC off can cause Windows
security vulnerabilities and care should be given if these steps are taken.
2017-10-13 01:40:47 +00:00
Local Service Accounts
----------------------
Prior to Ansible version 2.5, `` become `` only worked with a local or domain
user account. Local service accounts like `` System `` or `` NetworkService ``
could not be used as `` become_user `` in these older versions. This restriction
has been lifted since the 2.5 release of Ansible. The three service accounts
that can be set under `` become_user `` are:
* System
* NetworkService
* LocalService
Because local service accounts do not have passwords, the
`` ansible_become_password `` parameter is not required and is ignored if
specified.
2018-12-13 01:15:25 +00:00
Become without setting a Password
---------------------------------
As of Ansible 2.8, `` become `` can be used to become a local or domain account
without requiring a password for that account. For this method to work, the
following requirements must be met:
* The connection user has the `` SeDebugPrivilege `` privilege assigned
* The connection user is part of the `` BUILTIN\Administrators `` group
* The `` become_user `` has either the `` SeBatchLogonRight `` or `` SeNetworkLogonRight `` user right
Using become without a password is achieved in one of two different methods:
* Duplicating an existing logon session's token if the account is already logged on
* Using S4U to generate a logon token that is valid on the remote host only
In the first scenario, the become process is spawned from another logon of that
user account. This could be an existing RDP logon, console logon, but this is
not guaranteed to occur all the time. This is similar to the
`` Run only when user is logged on `` option for a Scheduled Task.
In the case where another logon of the become account does not exist, S4U is
used to create a new logon and run the module through that. This is similar to
the `` Run whether user is logged on or not `` with the `` Do not store password ``
option for a Scheduled Task. In this scenario, the become process will not be
able to access any network resources like a normal WinRM process.
To make a distinction between using become with no password and becoming an
account that has no password make sure to keep `` ansible_become_pass `` as
undefined or set `` ansible_become_pass: `` .
.. Note :: Because there are no guarantees an existing token will exist for a
user when Ansible runs, there's a high change the become process will only
have access to local resources. Use become with a password if the task needs
to access network resources
2018-01-04 20:00:08 +00:00
Accounts without a Password
---------------------------
.. Warning :: As a general security best practice, you should avoid allowing accounts without passwords.
Ansible can be used to become an account that does not have a password (like the
`` Guest `` account). To become an account without a password, set up the
2018-12-13 01:15:25 +00:00
variables like normal but set `` ansible_become_pass: '' `` .
2018-01-04 20:00:08 +00:00
Before become can work on an account like this, the local policy
2018-08-13 19:54:14 +00:00
`Accounts: Limit local account use of blank passwords to console logon only <https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj852174(v=ws.11)> `_
2018-01-04 20:00:08 +00:00
must be disabled. This can either be done through a Group Policy Object (GPO)
or with this Ansible task:
.. code-block :: yaml
- name: allow blank password on become
win_regedit:
path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa
name: LimitBlankPasswordUse
data: 0
type: dword
state: present
.. Note :: This is only for accounts that do not have a password. You still need
to set the account's password under `` ansible_become_pass `` if the
become_user has a password.
2018-01-19 21:58:10 +00:00
Become Flags
------------
2018-05-14 23:33:36 +00:00
Ansible 2.5 adds the `` become_flags `` parameter to the `` runas `` become method.
This parameter can be set using the `` become_flags `` task directive or set in
Ansible's configuration using `` ansible_become_flags `` . The two valid values
that are initially supported for this parameter are `` logon_type `` and
`` logon_flags `` .
2018-01-19 21:58:10 +00:00
.. Note :: These flags should only be set when becoming a normal user account, not a local service account like LocalSystem.
The key `` logon_type `` sets the type of logon operation to perform. The value
can be set to one of the following:
* `` interactive `` : The default logon type. The process will be run under a
context that is the same as when running a process locally. This bypasses all
WinRM restrictions and is the recommended method to use.
* `` batch `` : Runs the process under a batch context that is similar to a
scheduled task with a password set. This should bypass most WinRM
restrictions and is useful if the `` become_user `` is not allowed to log on
interactively.
* `` new_credentials `` : Runs under the same credentials as the calling user, but
outbound connections are run under the context of the `` become_user `` and
`` become_password `` , similar to `` runas.exe /netonly `` . The `` logon_flags ``
flag should also be set to `` netcredentials_only `` . Use this flag if
the process needs to access a network resource (like an SMB share) using a
different set of credentials.
* `` network `` : Runs the process under a network context without any cached
credentials. This results in the same type of logon session as running a
normal WinRM process without credential delegation, and operates under the same
restrictions.
* `` network_cleartext `` : Like the `` network `` logon type, but instead caches
the credentials so it can access network resources. This is the same type of
logon session as running a normal WinRM process with credential delegation.
For more information, see
2018-08-13 19:54:14 +00:00
`dwLogonType <https://docs.microsoft.com/en-gb/windows/desktop/api/winbase/nf-winbase-logonusera> `_ .
2018-01-19 21:58:10 +00:00
The `` logon_flags `` key specifies how Windows will log the user on when creating
2018-05-14 23:33:36 +00:00
the new process. The value can be set to none or multiple of the following:
2018-01-19 21:58:10 +00:00
* `` with_profile `` : The default logon flag set. The process will load the
user's profile in the `` HKEY_USERS `` registry key to `` HKEY_CURRENT_USER `` .
* `` netcredentials_only `` : The process will use the same token as the caller
but will use the `` become_user `` and `` become_password `` when accessing a remote
resource. This is useful in inter-domain scenarios where there is no trust
relationship, and should be used with the `` new_credentials `` `` logon_type `` .
2018-05-14 23:33:36 +00:00
By default `` logon_flags=with_profile `` is set, if the profile should not be
loaded set `` logon_flags= `` or if the profile should be loaded with
`` netcredentials_only `` , set `` logon_flags=with_profile,netcredentials_only `` .
2018-08-13 19:54:14 +00:00
For more information, see `dwLogonFlags <https://docs.microsoft.com/en-gb/windows/desktop/api/winbase/nf-winbase-createprocesswithtokenw> `_ .
2018-01-19 21:58:10 +00:00
Here are some examples of how to use `` become_flags `` with Windows tasks:
.. code-block :: yaml
- name: copy a file from a fileshare with custom credentials
win_copy:
src: \\server\share\data\file.txt
dest: C:\temp\file.txt
remote_src: yex
vars:
ansible_become: yes
ansible_become_method: runas
ansible_become_user: DOMAIN\user
ansible_become_pass: Password01
ansible_become_flags: logon_type=new_credentials logon_flags=netcredentials_only
- name: run a command under a batch logon
2018-05-14 23:33:36 +00:00
win_whoami:
2018-01-19 21:58:10 +00:00
become: yes
become_flags: logon_type=batch
2018-05-14 23:33:36 +00:00
- name: run a command and not load the user profile
win_whomai:
become: yes
become_flags: logon_flags=
2018-01-19 21:58:10 +00:00
2017-10-13 01:40:47 +00:00
Limitations
-----------
Be aware of the following limitations with `` become `` on Windows:
2017-11-09 00:02:33 +00:00
* Running a task with `` async `` and `` become `` on Windows Server 2008, 2008 R2
2018-06-26 04:40:49 +00:00
and Windows 7 only works when using Ansible 2.7 or newer.
2017-10-13 01:40:47 +00:00
2018-01-19 21:58:10 +00:00
* By default, the become user logs on with an interactive session, so it must
have the right to do so on the Windows host. If it does not inherit the
2017-10-13 01:40:47 +00:00
`` SeAllowLogOnLocally `` privilege or inherits the `` SeDenyLogOnLocally ``
2018-05-14 23:33:36 +00:00
privilege, the become process will fail. Either add the privilege or set the
`` logon_type `` flag to change the logon type used.
2017-10-13 01:40:47 +00:00
2017-11-09 00:02:33 +00:00
* Prior to Ansible version 2.3, become only worked when
`` ansible_winrm_transport `` was either `` basic `` or `` credssp `` . This
restriction has been lifted since the 2.4 release of Ansible for all hosts
except Windows Server 2008 (non R2 version).
2015-04-21 19:32:35 +00:00
2014-11-24 21:36:31 +00:00
.. seealso ::
2017-11-29 19:48:33 +00:00
`Mailing List <https://groups.google.com/forum/#!forum/ansible-project> `_
2014-11-24 21:36:31 +00:00
Questions? Help? Ideas? Stop by the list on Google Groups
2017-11-29 19:48:33 +00:00
`webchat.freenode.net <https://webchat.freenode.net> `_
2014-11-24 21:36:31 +00:00
#ansible IRC chat channel