# partial-become
This rule checks that privilege escalation is activated when changing users.
To perform an action as a different user with the `become_user` directive, you
must set `become: true`.
This rule can produce the following messages:
- `partial-become[play]`: become_user requires become to work as expected, at play level.
- `partial-become[task]`: become_user requires become to work as expected, at task level.
!!! warning

    While Ansible inherits the values of `become` and `become_user` from upper
    levels, like play level or command line, this rule does not look at those
    inherited values. It requires you to be explicit and always define both in
    the same place, mainly in order to prevent accidents when some tasks are
    moved from one location to another one.
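The following script is an added example, not ansible-lint's own implementation, showing the check this rule performs and the kind of change `--fix` applies: it walks every play and task (including `block`/`rescue`/`always` sections) and reports any entry that sets `become_user` without a `become` at the same level, deliberately ignoring inheritance from the play. The playbook is a constructed Python literal standing in for the parsed YAML, so the script needs no third-party packages; the `check_playbook` and `fix_playbook` names are assumptions of this example.

```python
"""Flag become_user without become at the same level (partial-become logic)."""
from copy import deepcopy

NESTED_TASK_KEYS = ("block", "rescue", "always")              # nested task lists
PLAY_TASK_KEYS = ("pre_tasks", "tasks", "post_tasks", "handlers")

# Constructed playbook (parsed form). Play 0 inherits become from play level
# but the task sets only become_user -> flagged; play 1 is correct; play 2 sets
# become_user alone at play level and again in a nested block task -> flagged twice.
PLAYBOOK = [
    {"name": "Example playbook", "hosts": "localhost", "become": True,
     "tasks": [{"name": "Start the httpd service as the apache user",
                "ansible.builtin.service": {"name": "httpd", "state": "started"},
                "become_user": "apache"}]},
    {"name": "Correct playbook", "hosts": "localhost",
     "tasks": [{"name": "Start the httpd service as the apache user",
                "ansible.builtin.service": {"name": "httpd", "state": "started"},
                "become": True, "become_user": "apache"}]},
    {"name": "Play with become_user only", "hosts": "localhost",
     "become_user": "apache",
     "tasks": [{"name": "Wrapper block",
                "block": [{"name": "Nested task", "ansible.builtin.command": "id",
                           "become_user": "root"}]}]},
]


def _is_partial(entry):
    """True when become_user is present but become is not, on this very entry."""
    return "become_user" in entry and "become" not in entry


def _walk_tasks(tasks, path, findings):
    """Recurse through a task list and its block/rescue/always sections."""
    for idx, task in enumerate(tasks):
        task_path = f"{path}[{idx}]"
        if _is_partial(task):
            findings.append(("partial-become[task]", task_path, task.get("name")))
        for key in NESTED_TASK_KEYS:
            if isinstance(task.get(key), list):
                _walk_tasks(task[key], f"{task_path}.{key}", findings)


def check_playbook(playbook):
    """Return (rule_id, path, name) tuples for every play/task missing become."""
    findings = []
    for pidx, play in enumerate(playbook):
        play_path = f"play[{pidx}]"
        if _is_partial(play):
            findings.append(("partial-become[play]", play_path, play.get("name")))
        for key in PLAY_TASK_KEYS:
            if isinstance(play.get(key), list):
                _walk_tasks(play[key], f"{play_path}.{key}", findings)
    return findings


def fix_playbook(playbook):
    """Return a copy with `become: true` added wherever become_user stands alone."""
    fixed = deepcopy(playbook)

    def _fix_tasks(tasks):
        for task in tasks:
            if _is_partial(task):
                task["become"] = True
            for key in NESTED_TASK_KEYS:
                if isinstance(task.get(key), list):
                    _fix_tasks(task[key])

    for play in fixed:
        if _is_partial(play):
            play["become"] = True
        for key in PLAY_TASK_KEYS:
            if isinstance(play.get(key), list):
                _fix_tasks(play[key])
    return fixed


if __name__ == "__main__":
    for rule_id, path, name in check_playbook(PLAYBOOK):
        print(f"{rule_id}: {path} ({name})")
    print("findings after fix:", check_playbook(fix_playbook(PLAYBOOK)))
```

Running it reports three findings (the task in play 0, play 2 itself, and the nested block task in play 2) and none after `fix_playbook`, which is the same "add `become: true` beside the orphaned `become_user`" change that the rule's autofix makes.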
## Problematic Code
```yaml
---
- name: Example playbook
  hosts: localhost
  become: true # <- Activates privilege escalation.
  tasks:
    - name: Start the httpd service as the apache user
      ansible.builtin.service:
        name: httpd
        state: started
      become_user: apache # <- Does not change the user because "become: true" is not set.
```
## Correct Code
```yaml
---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: Start the httpd service as the apache user
      ansible.builtin.service:
        name: httpd
        state: started
      become: true # <- Activates privilege escalation.
      become_user: apache # <- Changes the user with the desired privileges.

# Stand-alone playbook alternative, applies to all tasks
- name: Example playbook
  hosts: localhost
  become: true # <- Activates privilege escalation.
  become_user: apache # <- Changes the user with the desired privileges.
  tasks:
    - name: Start the httpd service as the apache user
      ansible.builtin.service:
        name: httpd
        state: started
```
## Problematic Code
```yaml
---
- name: Example playbook 1
  hosts: localhost
  become: true # <- Activates privilege escalation.
  tasks:
    - name: Include a task file
      ansible.builtin.include_tasks: tasks.yml
```

```yaml
---
- name: Example playbook 2
  hosts: localhost
  tasks:
    - name: Include a task file
      ansible.builtin.include_tasks: tasks.yml
```

```yaml
# tasks.yml
- name: Start the httpd service as the apache user
  ansible.builtin.service:
    name: httpd
    state: started
  become_user: apache # <- Does not change the user because "become: true" is not set.
```
## Correct Code
```yaml
---
- name: Example playbook 1
  hosts: localhost
  tasks:
    - name: Include a task file
      ansible.builtin.include_tasks: tasks.yml
```

```yaml
---
- name: Example playbook 2
  hosts: localhost
  tasks:
    - name: Include a task file
      ansible.builtin.include_tasks: tasks.yml
```

```yaml
# tasks.yml
- name: Start the httpd service as the apache user
  ansible.builtin.service:
    name: httpd
    state: started
  become: true # <- Activates privilege escalation.
  become_user: apache # <- Changes the user with the desired privileges.
```
!!! note

    This rule can be automatically fixed using the [`--fix`](../autofix.md) option.