mirror of https://github.com/ansible/ansible.git
You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
550 lines
23 KiB
ReStructuredText
550 lines
23 KiB
ReStructuredText
![]()
6 years ago
|
**********************************
|
||
|
Understanding Privilege Escalation
|
||
|
**********************************
|
||
![]()
10 years ago
|
|
||
|
Ansible can use existing privilege escalation systems to allow a user to execute tasks as another.
|
||
|
|
||
|
.. contents:: Topics
|
||
|
|
||
|
Become
|
||
![]()
7 years ago
|
======
|
||
|
|
||
![]()
7 years ago
|
Ansible allows you to 'become' another user, different from the user that logged into the machine (remote user). This is done using existing privilege escalation tools such as `sudo`, `su`, `pfexec`, `doas`, `pbrun`, `dzdo`, `ksu`, `runas` and others.
|
||
![]()
10 years ago
|
|
||
|
|
||
![]()
7 years ago
|
.. note:: Prior to version 1.9, Ansible mostly allowed the use of `sudo` and a limited use of `su` to allow a login/remote user to become a different user and execute tasks and create resources with the second user's permissions. As of Ansible version 1.9, `become` supersedes the old sudo/su, while still being backwards compatible. This new implementation also makes it easier to add other privilege escalation tools, including `pbrun` (Powerbroker), `pfexec`, `dzdo` (Centrify), and others.
|
||
![]()
9 years ago
|
|
||
![]()
7 years ago
|
.. note:: Become vars and directives are independent. For example, setting ``become_user`` does not set ``become``.
|
||
![]()
8 years ago
|
|
||
![]()
9 years ago
|
|
||
|
Directives
|
||
![]()
7 years ago
|
==========
|
||
|
|
||
![]()
8 years ago
|
These can be set from play to task level, but are overridden by connection variables as they can be host specific.
|
||
![]()
10 years ago
|
|
||
|
become
|
||
![]()
7 years ago
|
set to ``yes`` to activate privilege escalation.
|
||
![]()
10 years ago
|
|
||
|
become_user
|
||
![]()
7 years ago
|
set to user with desired privileges — the user you `become`, NOT the user you login as. Does NOT imply ``become: yes``, to allow it to be set at host level.
|
||
![]()
10 years ago
|
|
||
|
become_method
|
||
![]()
7 years ago
|
(at play or task level) overrides the default method set in ansible.cfg, set to `sudo`/`su`/`pbrun`/`pfexec`/`doas`/`dzdo`/`ksu`/`runas`
|
||
![]()
10 years ago
|
|
||
![]()
8 years ago
|
become_flags
|
||
![]()
7 years ago
|
(at play or task level) permit the use of specific flags for the tasks or role. One common use is to change the user to nobody when the shell is set to no login. Added in Ansible 2.2.
|
||
![]()
8 years ago
|
|
||
![]()
8 years ago
|
For example, to manage a system service (which requires ``root`` privileges) when connected as a non-``root`` user (this takes advantage of the fact that the default value of ``become_user`` is ``root``)::
|
||
|
|
||
|
- name: Ensure the httpd service is running
|
||
|
service:
|
||
|
name: httpd
|
||
![]()
8 years ago
|
state: started
|
||
![]()
7 years ago
|
become: yes
|
||
![]()
8 years ago
|
|
||
|
To run a command as the ``apache`` user::
|
||
|
|
||
![]()
8 years ago
|
- name: Run a command as the apache user
|
||
![]()
8 years ago
|
command: somecommand
|
||
![]()
7 years ago
|
become: yes
|
||
![]()
8 years ago
|
become_user: apache
|
||
![]()
10 years ago
|
|
||
![]()
8 years ago
|
To do something as the ``nobody`` user when the shell is nologin::
|
||
|
|
||
|
- name: Run a command as nobody
|
||
|
command: somecommand
|
||
![]()
7 years ago
|
become: yes
|
||
![]()
8 years ago
|
become_method: su
|
||
|
become_user: nobody
|
||
|
become_flags: '-s /bin/sh'
|
||
|
|
||
![]()
9 years ago
|
Connection variables
|
||
|
--------------------
|
||
|
Each allows you to set an option per group and/or host, these are normally defined in inventory but can be used as normal variables.
|
||
![]()
10 years ago
|
|
||
|
ansible_become
|
||
![]()
9 years ago
|
equivalent of the become directive, decides if privilege escalation is used or not.
|
||
![]()
10 years ago
|
|
||
|
ansible_become_method
|
||
![]()
7 years ago
|
which privilege escalation method should be used
|
||
![]()
10 years ago
|
|
||
|
ansible_become_user
|
||
![]()
7 years ago
|
set the user you become through privilege escalation; does not imply ``ansible_become: yes``
|
||
![]()
10 years ago
|
|
||
|
ansible_become_pass
|
||
![]()
7 years ago
|
set the privilege escalation password. See :doc:`playbooks_vault` for details on how to avoid having secrets in plain text
|
||
![]()
10 years ago
|
|
||
![]()
8 years ago
|
For example, if you want to run all tasks as ``root`` on a server named ``webserver``, but you can only connect as the ``manager`` user, you could use an inventory entry like this::
|
||
|
|
||
![]()
7 years ago
|
webserver ansible_user=manager ansible_become=yes
|
||
![]()
10 years ago
|
|
||
![]()
8 years ago
|
Command line options
|
||
|
--------------------
|
||
![]()
10 years ago
|
|
||
![]()
9 years ago
|
--ask-become-pass, -K
|
||
![]()
7 years ago
|
ask for privilege escalation password; does not imply become will be used. Note that this password will be used for all hosts.
|
||
![]()
10 years ago
|
|
||
![]()
9 years ago
|
--become, -b
|
||
![]()
9 years ago
|
run operations with become (no password implied)
|
||
![]()
10 years ago
|
|
||
|
--become-method=BECOME_METHOD
|
||
|
privilege escalation method to use (default=sudo),
|
||
![]()
7 years ago
|
valid choices: [ sudo | su | pbrun | pfexec | doas | dzdo | ksu | runas ]
|
||
![]()
10 years ago
|
|
||
|
--become-user=BECOME_USER
|
||
![]()
8 years ago
|
run operations as this user (default=root), does not imply --become/-b
|
||
![]()
10 years ago
|
|
||
|
|
||
![]()
9 years ago
|
For those from Pre 1.9 , sudo and su still work!
|
||
|
------------------------------------------------
|
||
![]()
10 years ago
|
|
||
![]()
9 years ago
|
For those using old playbooks will not need to be changed, even though they are deprecated, sudo and su directives, variables and options
|
||
|
will continue to work. It is recommended to move to become as they may be retired at one point.
|
||
![]()
8 years ago
|
You cannot mix directives on the same object (become and sudo) though, Ansible will complain if you try to.
|
||
![]()
10 years ago
|
|
||
![]()
9 years ago
|
Become will default to using the old sudo/su configs and variables if they exist, but will override them if you specify any of the new ones.
|
||
![]()
10 years ago
|
|
||
|
|
||
![]()
8 years ago
|
Limitations
|
||
|
-----------
|
||
|
|
||
|
Although privilege escalation is mostly intuitive, there are a few limitations
|
||
|
on how it works. Users should be aware of these to avoid surprises.
|
||
|
|
||
|
Becoming an Unprivileged User
|
||
![]()
7 years ago
|
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||
![]()
8 years ago
|
|
||
![]()
8 years ago
|
Ansible 2.0.x and below has a limitation with regards to becoming an
|
||
![]()
8 years ago
|
unprivileged user that can be a security risk if users are not aware of it.
|
||
|
Ansible modules are executed on the remote machine by first substituting the
|
||
|
parameters into the module file, then copying the file to the remote machine,
|
||
![]()
8 years ago
|
and finally executing it there.
|
||
![]()
8 years ago
|
|
||
![]()
8 years ago
|
Everything is fine if the module file is executed without using ``become``,
|
||
|
when the ``become_user`` is root, or when the connection to the remote machine
|
||
|
is made as root. In these cases the module file is created with permissions
|
||
|
that only allow reading by the user and root.
|
||
|
|
||
|
The problem occurs when the ``become_user`` is an unprivileged user. Ansible
|
||
![]()
8 years ago
|
2.0.x and below make the module file world readable in this case, as the module
|
||
|
file is written as the user that Ansible connects as, but the file needs to
|
||
![]()
8 years ago
|
be readable by the user Ansible is set to ``become``.
|
||
![]()
8 years ago
|
|
||
|
.. note:: In Ansible 2.1, this window is further narrowed: If the connection
|
||
![]()
8 years ago
|
is made as a privileged user (root), then Ansible 2.1 and above will use
|
||
![]()
8 years ago
|
chown to set the file's owner to the unprivileged user being switched to.
|
||
|
This means both the user making the connection and the user being switched
|
||
|
to via ``become`` must be unprivileged in order to trigger this problem.
|
||
![]()
8 years ago
|
|
||
![]()
8 years ago
|
If any of the parameters passed to the module are sensitive in nature, then
|
||
![]()
8 years ago
|
those pieces of data are located in a world readable module file for the
|
||
![]()
8 years ago
|
duration of the Ansible module execution. Once the module is done executing,
|
||
![]()
8 years ago
|
Ansible will delete the temporary file. If you trust the client machines then
|
||
|
there's no problem here. If you do not trust the client machines then this is
|
||
![]()
8 years ago
|
a potential danger.
|
||
|
|
||
|
Ways to resolve this include:
|
||
|
|
||
|
* Use :ref:`pipelining`. When pipelining is enabled, Ansible doesn't save the
|
||
|
module to a temporary file on the client. Instead it pipes the module to
|
||
|
the remote python interpreter's stdin. Pipelining does not work for
|
||
|
non-python modules.
|
||
|
|
||
![]()
8 years ago
|
* (Available in Ansible 2.1) Install POSIX.1e filesystem acl support on the
|
||
|
managed host. If the temporary directory on the remote host is mounted with
|
||
|
POSIX acls enabled and the :command:`setfacl` tool is in the remote ``PATH``
|
||
|
then Ansible will use POSIX acls to share the module file with the second
|
||
|
unprivileged user instead of having to make the file readable by everyone.
|
||
![]()
8 years ago
|
|
||
![]()
8 years ago
|
* Don't perform an action on the remote machine by becoming an unprivileged
|
||
|
user. Temporary files are protected by UNIX file permissions when you
|
||
![]()
8 years ago
|
``become`` root or do not use ``become``. In Ansible 2.1 and above, UNIX
|
||
|
file permissions are also secure if you make the connection to the managed
|
||
|
machine as root and then use ``become`` to an unprivileged account.
|
||
|
|
||
![]()
8 years ago
|
.. warning:: Although the Solaris ZFS filesystem has filesystem ACLs, the ACLs
|
||
![]()
8 years ago
|
are not POSIX.1e filesystem acls (they are NFSv4 ACLs instead). Ansible
|
||
|
cannot use these ACLs to manage its temp file permissions so you may have
|
||
|
to resort to ``allow_world_readable_tmpfiles`` if the remote machines use ZFS.
|
||
|
|
||
![]()
8 years ago
|
.. versionchanged:: 2.1
|
||
|
|
||
|
In addition to the additional means of doing this securely, Ansible 2.1 also
|
||
|
makes it harder to unknowingly do this insecurely. Whereas in Ansible 2.0.x
|
||
|
and below, Ansible will silently allow the insecure behaviour if it was unable
|
||
|
to find another way to share the files with the unprivileged user, in Ansible
|
||
|
2.1 and above Ansible defaults to issuing an error if it can't do this
|
||
![]()
8 years ago
|
securely. If you can't make any of the changes above to resolve the problem,
|
||
![]()
8 years ago
|
and you decide that the machine you're running on is secure enough for the
|
||
![]()
8 years ago
|
modules you want to run there to be world readable, you can turn on
|
||
![]()
8 years ago
|
``allow_world_readable_tmpfiles`` in the :file:`ansible.cfg` file. Setting
|
||
|
``allow_world_readable_tmpfiles`` will change this from an error into
|
||
|
a warning and allow the task to run as it did prior to 2.1.
|
||
![]()
8 years ago
|
|
||
|
Connection Plugin Support
|
||
![]()
7 years ago
|
^^^^^^^^^^^^^^^^^^^^^^^^^
|
||
![]()
8 years ago
|
|
||
|
Privilege escalation methods must also be supported by the connection plugin
|
||
|
used. Most connection plugins will warn if they do not support become. Some
|
||
|
will just ignore it as they always run as root (jail, chroot, etc).
|
||
|
|
||
|
Only one method may be enabled per host
|
||
![]()
7 years ago
|
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||
![]()
8 years ago
|
|
||
|
Methods cannot be chained. You cannot use ``sudo /bin/su -`` to become a user,
|
||
|
you need to have privileges to run the command as that user in sudo or be able
|
||
|
to su directly to it (the same for pbrun, pfexec or other supported methods).
|
||
|
|
||
|
Can't limit escalation to certain commands
|
||
![]()
7 years ago
|
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||
![]()
10 years ago
|
|
||
![]()
8 years ago
|
Privilege escalation permissions have to be general. Ansible does not always
|
||
|
use a specific command to do something but runs modules (code) from
|
||
|
a temporary file name which changes every time. If you have '/sbin/service'
|
||
|
or '/bin/chmod' as the allowed commands this will fail with ansible as those
|
||
|
paths won't match with the temporary file that ansible creates to run the
|
||
|
module.
|
||
![]()
9 years ago
|
|
||
![]()
7 years ago
|
.. _become-network:
|
||
|
|
||
|
Become and Networks
|
||
|
===================
|
||
|
|
||
|
|
||
|
network_cli and become
|
||
|
----------------------
|
||
|
|
||
|
Ansible 2.5 added support for ``become`` to be used to enter `enable` mode (Privileged EXEC mode) on network devices that support it. This replaces the previous ``authorize`` and ``auth_pass`` options in ``provider``.
|
||
|
|
||
|
This functionality requires the host connection type to be using ``connection: network_cli``. In Ansible 2.5 this is limited to ``eos`` and ``ios``.
|
||
|
|
||
|
This allows privileges to be raised for the specific tasks that need them. Adding ``become: yes`` and ``become_method: enable`` informs Ansible to go into privilege mode before executing the task.
|
||
|
|
||
|
If a task fails with the following then it's an indicator that `enable` mode is required:
|
||
|
|
||
|
.. code-block:: console
|
||
|
|
||
|
Invalid input (privileged mode required)
|
||
|
|
||
|
The following example shows how to set enable mode for a specific task:
|
||
|
|
||
|
.. code-block:: yaml
|
||
|
|
||
|
- name: Gather facts (eos)
|
||
|
eos_facts:
|
||
|
gather_subset:
|
||
|
- "!hardware"
|
||
|
become: yes
|
||
|
become_method: enable
|
||
|
|
||
|
The following example shows how to set enable mode for `all` tests in this play:
|
||
|
|
||
|
.. code-block:: yaml
|
||
|
|
||
|
- hosts: eos-switches
|
||
|
become: yes
|
||
|
become_method: enable
|
||
|
tasks:
|
||
|
- name: Gather facts (eos)
|
||
|
eos_facts:
|
||
|
gather_subset:
|
||
|
- "!hardware"
|
||
|
|
||
|
Setting enable mode for all tasks
|
||
|
---------------------------------
|
||
|
|
||
|
Often you wish for all tasks to run using privilege mode, that is best achieved by using ``group_vars``:
|
||
|
|
||
|
**group_vars/eos.yml**
|
||
|
|
||
|
.. code-block:: yaml
|
||
|
|
||
|
ansible_connection: network_cli
|
||
|
ansible_network_os: eos
|
||
|
ansible_user: myuser
|
||
|
ansible_become: yes
|
||
|
ansible_become_method: enable
|
||
|
|
||
|
|
||
|
Passwords for enable mode
|
||
|
^^^^^^^^^^^^^^^^^^^^^^^^^
|
||
|
|
||
|
If a password is required to enter enable mode this can be specified by doing one of the following:
|
||
|
|
||
|
* providing the :option:`--ask-become-pass <ansible-playbook --ask-become-pass>` command line option
|
||
|
* setting the ``ansible_become_pass`` connection variable
|
||
|
|
||
|
.. warning::
|
||
|
|
||
|
As a reminder passwords should never be stored in plain text. See how encrypt secrets in vault :doc:`playbooks_vault` for more information.
|
||
|
|
||
|
For more information about ``network_cli`` see :ref:`network-cli`.
|
||
|
|
||
![]()
7 years ago
|
.. _become-network-auth-and-auth-password:
|
||
![]()
7 years ago
|
|
||
|
authorize and auth_pass
|
||
|
-----------------------
|
||
|
|
||
|
For network platforms that do not currently support ``connection: network_cli`` then the module options ``authorize`` and ``auth_pass`` can be used.
|
||
|
|
||
|
.. code-block:: yaml
|
||
|
|
||
|
- hosts: eos-switches
|
||
|
ansible_connection: local
|
||
|
tasks:
|
||
|
- name: Gather facts (eos)
|
||
|
eos_facts:
|
||
|
gather_subset:
|
||
|
- "!hardware"
|
||
|
provider:
|
||
|
authorize: yes
|
||
|
auth_pass: " {{ secret_auth_pass }}"
|
||
|
|
||
|
Note that over time more platforms will move to support ``become``. Check the :doc:`list_of_network_modules` for details.
|
||
|
|
||
|
.. _become-windows:
|
||
|
|
||
![]()
7 years ago
|
Become and Windows
|
||
![]()
7 years ago
|
==================
|
||
![]()
7 years ago
|
|
||
|
Since Ansible 2.3, ``become`` can be used on Windows hosts through the
|
||
|
``runas`` method. Become on Windows uses the same inventory setup and
|
||
|
invocation arguments as ``become`` on a non-Windows host, so the setup and
|
||
|
variable names are the same as what is defined in this document.
|
||
|
|
||
|
While ``become`` can be used to assume the identity of another user, there are other uses for
|
||
|
it with Windows hosts. One important use is to bypass some of the
|
||
|
limitations that are imposed when running on WinRM, such as constrained network
|
||
|
delegation or accessing forbidden system calls like the WUA API. You can use
|
||
|
``become`` with the same user as ``ansible_user`` to bypass these limitations
|
||
|
and run commands that are not normally accessible in a WinRM session.
|
||
|
|
||
![]()
7 years ago
|
.. note:: Prior to Ansible 2.4, become would only work when ``ansible_winrm_transport`` was
|
||
![]()
7 years ago
|
set to either ``basic`` or ``credssp``, but since Ansible 2.4 become now works on
|
||
![]()
7 years ago
|
all transport types.
|
||
|
|
||
|
Administrative Rights
|
||
|
---------------------
|
||
|
|
||
|
Many tasks in Windows require administrative privileges to complete. When using
|
||
![]()
7 years ago
|
the ``runas`` become method, Ansible will attempt to run the module with the
|
||
|
full privileges that are available to the remote user. If it fails to elevate
|
||
|
the user token, it will continue to use the limited token during execution.
|
||
![]()
7 years ago
|
|
||
![]()
7 years ago
|
Before Ansible 2.5, a token was only able to be elevated when UAC was disabled
|
||
|
or the remote user had the ``SeTcbPrivilege`` assigned. This restriction has
|
||
|
been lifted in Ansible 2.5 and a user that is a member of the
|
||
|
``BUILTIN\Administrators`` group should have an elevated token during the
|
||
|
module execution.
|
||
|
|
||
|
To determine the type of token that Ansible was able to get, run the following
|
||
|
task and check the output::
|
||
|
|
||
|
- win_shell: cmd.exe /c whoami && whoami /groups && whoami /priv
|
||
|
become: yes
|
||
|
|
||
|
Under the ``GROUP INFORMATION`` section, the ``Mandatory Label`` entry
|
||
|
determines whether the user has Administrative rights. Here are the labels that
|
||
|
can be returned and what they mean:
|
||
|
|
||
|
* ``Medium``: Ansible failed to get an elevated token and ran under a limited
|
||
|
token. Only a subset of the privileges assigned to user are available during
|
||
|
the module execution and the user does not have administrative rights.
|
||
|
|
||
|
* ``High``: An elevated token was used and all the privileges assigned to the
|
||
|
user are available during the module execution.
|
||
|
|
||
|
* ``System``: The ``NT AUTHORITY\System`` account is used and has the highest
|
||
|
level of privileges available.
|
||
|
|
||
|
The output will also show the list of privileges that have been granted to the
|
||
|
user. When ``State==Disabled``, the privileges have not been enabled but can be
|
||
|
if required. In most scenarios these privileges are automatically enabled when
|
||
|
required.
|
||
|
|
||
|
If running on a version of Ansible that is older than 2.5 or the normal
|
||
|
``runas`` escalation process fails, an elevated token can be retrieved by:
|
||
![]()
7 years ago
|
|
||
|
* Set the ``become_user`` to ``System`` which has full control over the
|
||
|
operating system.
|
||
|
|
||
|
* Grant ``SeTcbPrivilege`` to the user Ansible connects with on
|
||
|
WinRM. ``SeTcbPrivilege`` is a high-level privilege that grants
|
||
|
full control over the operating system. No user is given this privilege by
|
||
![]()
7 years ago
|
default, and care should be taken if you grant this privilege to a user or group.
|
||
![]()
7 years ago
|
For more information on this privilege, please see
|
||
|
`Act as part of the operating system <https://technet.microsoft.com/en-us/library/dn221957(v=ws.11).aspx>`_.
|
||
|
You can use the below task to set this privilege on a Windows host::
|
||
|
|
||
|
- name: grant the ansible user the SeTcbPrivilege right
|
||
|
win_user_right:
|
||
|
name: SeTcbPrivilege
|
||
|
users: '{{ansible_user}}'
|
||
|
action: add
|
||
|
|
||
|
* Turn UAC off on the host and reboot before trying to become the user. UAC is
|
||
|
a security protocol that is designed to run accounts with the
|
||
|
``least privilege`` principle. You can turn UAC off by running the following
|
||
|
tasks::
|
||
|
|
||
|
- name: turn UAC off
|
||
|
win_regedit:
|
||
|
path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
|
||
|
name: EnableLUA
|
||
|
data: 0
|
||
|
type: dword
|
||
|
state: present
|
||
|
register: uac_result
|
||
![]()
7 years ago
|
|
||
![]()
7 years ago
|
- name: reboot after disabling UAC
|
||
|
win_reboot:
|
||
![]()
7 years ago
|
when: uac_result is changed
|
||
![]()
7 years ago
|
|
||
![]()
7 years ago
|
.. Note:: Granting the ``SeTcbPrivilege`` or turning UAC off can cause Windows
|
||
|
security vulnerabilities and care should be given if these steps are taken.
|
||
|
|
||
![]()
7 years ago
|
Local Service Accounts
|
||
|
----------------------
|
||
|
|
||
|
Prior to Ansible version 2.5, ``become`` only worked with a local or domain
|
||
|
user account. Local service accounts like ``System`` or ``NetworkService``
|
||
|
could not be used as ``become_user`` in these older versions. This restriction
|
||
|
has been lifted since the 2.5 release of Ansible. The three service accounts
|
||
|
that can be set under ``become_user`` are:
|
||
|
|
||
|
* System
|
||
|
* NetworkService
|
||
|
* LocalService
|
||
|
|
||
|
Because local service accounts do not have passwords, the
|
||
|
``ansible_become_password`` parameter is not required and is ignored if
|
||
|
specified.
|
||
|
|
||
![]()
7 years ago
|
Accounts without a Password
|
||
|
---------------------------
|
||
|
|
||
|
.. Warning:: As a general security best practice, you should avoid allowing accounts without passwords.
|
||
|
|
||
|
Ansible can be used to become an account that does not have a password (like the
|
||
|
``Guest`` account). To become an account without a password, set up the
|
||
|
variables like normal but either do not define ``ansible_become_pass`` or set
|
||
|
``ansible_become_pass: ''``.
|
||
|
|
||
|
Before become can work on an account like this, the local policy
|
||
|
`Accounts: Limit local account use of blank passwords to console logon only <https://technet.microsoft.com/en-us/library/jj852174.aspx>`_
|
||
|
must be disabled. This can either be done through a Group Policy Object (GPO)
|
||
|
or with this Ansible task:
|
||
|
|
||
|
.. code-block:: yaml
|
||
|
|
||
|
- name: allow blank password on become
|
||
|
win_regedit:
|
||
|
path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa
|
||
|
name: LimitBlankPasswordUse
|
||
|
data: 0
|
||
|
type: dword
|
||
|
state: present
|
||
|
|
||
|
.. Note:: This is only for accounts that do not have a password. You still need
|
||
|
to set the account's password under ``ansible_become_pass`` if the
|
||
|
become_user has a password.
|
||
|
|
||
![]()
7 years ago
|
Become Flags
|
||
|
------------
|
||
|
Ansible 2.5 adds the ``become_flags`` parameter to the ``runas`` become method. This parameter can be set using the ``become_flags`` task directive or set in Ansible's configuration using ``ansible_become_flags``. The two valid values that are initially supported for this parameter are ``logon_type`` and ``logon_flags``.
|
||
|
|
||
|
|
||
|
.. Note:: These flags should only be set when becoming a normal user account, not a local service account like LocalSystem.
|
||
|
|
||
|
The key ``logon_type`` sets the type of logon operation to perform. The value
|
||
|
can be set to one of the following:
|
||
|
|
||
|
* ``interactive``: The default logon type. The process will be run under a
|
||
|
context that is the same as when running a process locally. This bypasses all
|
||
|
WinRM restrictions and is the recommended method to use.
|
||
|
|
||
|
* ``batch``: Runs the process under a batch context that is similar to a
|
||
|
scheduled task with a password set. This should bypass most WinRM
|
||
|
restrictions and is useful if the ``become_user`` is not allowed to log on
|
||
|
interactively.
|
||
|
|
||
|
* ``new_credentials``: Runs under the same credentials as the calling user, but
|
||
|
outbound connections are run under the context of the ``become_user`` and
|
||
|
``become_password``, similar to ``runas.exe /netonly``. The ``logon_flags``
|
||
|
flag should also be set to ``netcredentials_only``. Use this flag if
|
||
|
the process needs to access a network resource (like an SMB share) using a
|
||
|
different set of credentials.
|
||
|
|
||
|
* ``network``: Runs the process under a network context without any cached
|
||
|
credentials. This results in the same type of logon session as running a
|
||
|
normal WinRM process without credential delegation, and operates under the same
|
||
|
restrictions.
|
||
|
|
||
|
* ``network_cleartext``: Like the ``network`` logon type, but instead caches
|
||
|
the credentials so it can access network resources. This is the same type of
|
||
|
logon session as running a normal WinRM process with credential delegation.
|
||
|
|
||
|
For more information, see
|
||
|
`dwLogonType <https://msdn.microsoft.com/en-au/library/windows/desktop/aa378184.aspx>`_.
|
||
|
|
||
|
The ``logon_flags`` key specifies how Windows will log the user on when creating
|
||
|
the new process. The value can be set to one of the following:
|
||
|
|
||
|
* ``with_profile``: The default logon flag set. The process will load the
|
||
|
user's profile in the ``HKEY_USERS`` registry key to ``HKEY_CURRENT_USER``.
|
||
|
|
||
|
* ``netcredentials_only``: The process will use the same token as the caller
|
||
|
but will use the ``become_user`` and ``become_password`` when accessing a remote
|
||
|
resource. This is useful in inter-domain scenarios where there is no trust
|
||
|
relationship, and should be used with the ``new_credentials`` ``logon_type``.
|
||
|
|
||
|
For more information, see `dwLogonFlags <https://msdn.microsoft.com/en-us/library/windows/desktop/ms682434.aspx>`_.
|
||
|
|
||
|
Here are some examples of how to use ``become_flags`` with Windows tasks:
|
||
|
|
||
|
.. code-block:: yaml
|
||
|
|
||
|
- name: copy a file from a fileshare with custom credentials
|
||
|
win_copy:
|
||
|
src: \\server\share\data\file.txt
|
||
|
dest: C:\temp\file.txt
|
||
|
remote_src: yex
|
||
|
vars:
|
||
|
ansible_become: yes
|
||
|
ansible_become_method: runas
|
||
|
ansible_become_user: DOMAIN\user
|
||
|
ansible_become_pass: Password01
|
||
|
ansible_become_flags: logon_type=new_credentials logon_flags=netcredentials_only
|
||
|
|
||
|
- name: run a command under a batch logon
|
||
|
win_command: whoami
|
||
|
become: yes
|
||
|
become_flags: logon_type=batch
|
||
|
|
||
|
|
||
![]()
7 years ago
|
Limitations
|
||
|
-----------
|
||
|
|
||
|
Be aware of the following limitations with ``become`` on Windows:
|
||
|
|
||
![]()
7 years ago
|
* Running a task with ``async`` and ``become`` on Windows Server 2008, 2008 R2
|
||
|
and Windows 7 does not work.
|
||
![]()
7 years ago
|
|
||
![]()
7 years ago
|
* By default, the become user logs on with an interactive session, so it must
|
||
|
have the right to do so on the Windows host. If it does not inherit the
|
||
![]()
7 years ago
|
``SeAllowLogOnLocally`` privilege or inherits the ``SeDenyLogOnLocally``
|
||
|
privilege, the become process will fail.
|
||
|
|
||
![]()
7 years ago
|
* Prior to Ansible version 2.3, become only worked when
|
||
|
``ansible_winrm_transport`` was either ``basic`` or ``credssp``. This
|
||
|
restriction has been lifted since the 2.4 release of Ansible for all hosts
|
||
|
except Windows Server 2008 (non R2 version).
|
||
![]()
9 years ago
|
|
||
![]()
10 years ago
|
.. seealso::
|
||
|
|
||
![]()
7 years ago
|
`Mailing List <https://groups.google.com/forum/#!forum/ansible-project>`_
|
||
![]()
10 years ago
|
Questions? Help? Ideas? Stop by the list on Google Groups
|
||
![]()
7 years ago
|
`webchat.freenode.net <https://webchat.freenode.net>`_
|
||
![]()
10 years ago
|
#ansible IRC chat channel
|
||
|
|