Privilege Escalation Using Become Plugin

  • Query id: 0e75052f-cc02-41b8-ac39-a78017527e95
  • Query name: Privilege Escalation Using Become Plugin
  • Platform: Ansible
  • Severity: Medium
  • Category: Access Control
  • CWE: Ongoing
  • URL: Github

Description

In order to perform an action as a different user with the become_user, 'become' must be defined and set to 'true'
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
---
- hosts: localhost
  name: become_user without become
  become_user: bar

  tasks:
    - name: Simple hello
      ansible.builtin.debug:
        msg: hello

---
- hosts: localhost
  name: become_user with become false
  become_user: root
  become: false

  tasks:
    - name: Simple hello
      ansible.builtin.debug:
        msg: hello

---
- hosts: localhost
  tasks:
    - name: become and become_user on different tasks
      block:
        - name: Sample become
          become: true
          ansible.builtin.command: ls .
        - name: Sample become_user
          become_user: foo
          ansible.builtin.command: ls .

---
- hosts: localhost
  tasks:
    - name: become false
      block:
        - name: Sample become
          become: true
          ansible.builtin.command: ls .
        - name: Sample become_user
          become_user: postgres
          become: false
          ansible.builtin.command: ls .

---
- hosts: localhost
  tasks:
    - name: become_user with become task as false
      ansible.builtin.command: whoami
      become_user: mongodb
      become: false
      changed_when: false

---
- hosts: localhost
  tasks:
    - name: become_user without become
      ansible.builtin.command: whoami
      become_user: mysql
      changed_when: false

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
---
- hosts: localhost
  become_user: postgres
  become: true
  tasks:
    - name: some task
      ansible.builtin.command: whoamyou
      changed_when: false

---
- hosts: localhost
  tasks:
    - name: become from the same scope
      ansible.builtin.command: whoami
      become: true
      become_user: postgres
      changed_when: false