shell module with become_user does not function correctly

Hi - I’m having trouble using the shell module with become_user. As a basic test, I created this playbook:

  - name: Retrieve environment variables for root
    shell: printenv

  - name: Retrieve environment variables for oracle
    shell: printenv
    become: yes
    become_user: oracle

When I ran this with ansible-playbook and ‘-vvv’, I noticed:

  • the output received from the first task was as expected:

"stdout": "HOSTTYPE=x86_64\nSSH_CONNECTION=10.247.229.46 35330 10.247.229.191 22\nLESSCLOSE=lessclose.sh %s %s\nXKEYSYMDB=/usr/X11R6/lib/X11/XKeysymDB\n_=/usr/bin/printenv\nLANG=POSIX\nWINDOWMANAGER=xterm\nLESS=-M -I -R\nHOSTNAME=ldpdd191\nCSHEDIT=emacs\nGPG_TTY=/dev/pts/0\nLESS_ADVANCED_PREPROCESSOR=no\nCOLORTERM=1\nMACHTYPE=x86_64-suse-linux\nMINICOM=-c on\nOSTYPE=linux\nXDG_SESSION_ID=69\nUSER=root\nPAGER=less\nMORE=-sl\nPWD=/root\nHOME=/root\nLC_CTYPE=C.UTF-8\nHOST=ldpdd191\nSSH_CLIENT=10.247.229.46 35330 22\nXNLSPATH=/usr/X11R6/lib/X11/nls\nXDG_SESSION_TYPE=tty\nXDG_DATA_DIRS=/usr/share\nLIBGL_DEBUG=quiet\nPROFILEREAD=true\nSSH_TTY=/dev/pts/0\nFROM_HEADER=\nMAIL=/var/spool/mail/root\nLESSKEY=/etc/lesskey.bin\nTERM=xterm\nSHELL=/bin/bash\nXDG_SESSION_CLASS=user\nPYTHONSTARTUP=/etc/pythonstart\nSHLVL=3\nMANPATH=/usr/share/man:/usr/local/man\nLOGNAME=root\nDBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/0/bus\nXDG_RUNTIME_DIR=/run/user/0\nXDG_CONFIG_DIRS=/etc/xdg\nPATH=/sbin:/usr/sbin:/usr/local/sbin:/root/bin:/usr/local/bin:/usr/bin:/bin\nG_BROKEN_FILENAMES=1\nHISTSIZE=1000\nCPU=x86_64\nSSH_SENDS_LOCALE=yes\nLESSOPEN=lessopen.sh %s",

but the output received from the second task (which uses ‘become_user’) was not correct:

"stdout": "_=/usr/bin/printenv\nLANG=POSIX\nSUDO_GID=0\nCOLORTERM=1\nSUDO_COMMAND=/bin/sh -c echo BECOME-SUCCESS-ukrwuqlueafnghzqqoabhpfcwxwpieyw ; /usr/bin/python3.6 /var/tmp/ansible-tmp-1695847065.2341652-30706-3263662880779/AnsiballZ_command.py\nUSER=oracle\nPWD=/home/oracle/.ansible/tmp/ansible-moduletmp-1695847065.5976799-u8hbo4o2\nHOME=/home/oracle\nLC_CTYPE=C.UTF-8\nSUDO_USER=root\nSUDO_UID=0\nMAIL=/var/mail/oracle\nTERM=xterm\nSHELL=/bin/bash\nSHLVL=2\nLOGNAME=oracle\nPATH=/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/bin:/usr/local/sbin",

so, it seems that using ‘become_user’ perverts the function of the ‘shell’ module, and the command provided is not executed as expected. Is this a known bug/limitation?

Thanks!
tl

What do you expect? And what do you mean by “perverts the function”?

Because it seems to work fine to me.

Hi Dick

Sorry I was vague. The issue is that the ‘printenv’ output returned by the second task was incorrect. It should have been:

oracle@ldpdd191:~> printenv
LS_COLORS=no=00:fi=00:di=01;34:ln=00;36:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=41;33;01:ex=00;32:.cmd=00;32:.exe=01;32:.com=01;32:.bat=01;32:.btm=01;32:.dll=01;32:.tar=00;31:.tbz=00;31:.tgz=00;31:.rpm=00;31:.deb=00;31:.arj=00;31:.taz=00;31:.lzh=00;31:.lzma=00;31:.zip=00;31:.zoo=00;31:.z=00;31:.Z=00;31:.gz=00;31:.bz2=00;31:.tb2=00;31:.tz2=00;31:.tbz2=00;31:.xz=00;31:.avi=01;35:.bmp=01;35:.dl=01;35:.fli=01;35:.gif=01;35:.gl=01;35:.jpg=01;35:.jpeg=01;35:.mkv=01;35:.mng=01;35:.mov=01;35:.mp4=01;35:.mpg=01;35:.pcx=01;35:.pbm=01;35:.pgm=01;35:.png=01;35:.ppm=01;35:.svg=01;35:.tga=01;35:.tif=01;35:.webm=01;35:.webp=01;35:.wmv=01;35:.xbm=01;35:.xcf=01;35:.xpm=01;35:.aiff=00;32:.ape=00;32:.au=00;32:.flac=00;32:.m4a=00;32:.mid=00;32:.mp3=00;32:.mpc=00;32:.ogg=00;32:.voc=00;32:.wav=00;32:.wma=00;32:*.wv=00;32:
HOSTTYPE=x86_64
LESSCLOSE=lessclose.sh %s %s
XKEYSYMDB=/usr/X11R6/lib/X11/XKeysymDB
ORACLE_SID=orcl
ORACLE_BASE=/u01/app/oracle
LANG=en_US.UTF-8
WINDOWMANAGER=xterm
LESS=-M -I -R
ORACLE_HOME=/u01/app/oracle/product/21.0.0/dbhome_1
HOSTNAME=ldpdd191
CSHEDIT=emacs
GPG_TTY=/dev/pts/1
LESS_ADVANCED_PREPROCESSOR=no
COLORTERM=1
MACHTYPE=x86_64-suse-linux
MINICOM=-c on
OSTYPE=linux
USER=oracle
PAGER=less
MORE=-sl
PWD=/home/oracle
HOME=/home/oracle
HOST=ldpdd191
XNLSPATH=/usr/X11R6/lib/X11/nls
XDG_DATA_DIRS=/usr/share
PROFILEREAD=true
ORA_INVENTORY=/u01/app/oraInventory
FROM_HEADER=
MAIL=/var/spool/mail/oracle
LESSKEY=/etc/lesskey.bin
TERM=xterm
SHELL=/bin/bash
LS_OPTIONS=-N --color=tty -T 0
PYTHONSTARTUP=/etc/pythonstart
SHLVL=1
G_FILENAME_ENCODING=@locale,UTF-8,ISO-8859-15,CP1252
MANPATH=/usr/local/man:/usr/share/man
LOGNAME=oracle
XDG_CONFIG_DIRS=/etc/xdg
PATH=/u01/app/oracle/product/21.0.0/dbhome_1/bin:/u01/app/oracle/product/21.0.0/dbhome_1/bin:/home/oracle/bin:/usr/local/bin:/usr/bin:/bin
G_BROKEN_FILENAMES=1
HISTSIZE=1000
CPU=x86_64
LESSOPEN=lessopen.sh %s
_=/usr/bin/printenv
oracle@ldpdd191:~>

The STDOUT value for the second task does not show this output; instead, it shows some information that is NOT the output of ‘printenv’. Is this expected?

Thanks
tl

become does not always imply a full login nor sourcing .shell files,
some of it depends on flags (`-i` for sudo or `-` for su), other times
it depends on shell used.

Hi Brian

Thanks very much for these hints. I did some more reading in https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_privilege_escalation.html and its linked pages. I found that adding:

become_method: su

allowed ‘printenv’ to run correctly in the non-root account, and the further addition of:

become_flags: '-'

allowed execution of .bash_profile, allowing the environment variables to be set.

Thanks again
tl
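
The settings discussed in this thread, side by side in one playbook. This is an added example, not part of any poster's message: it runs printenv as oracle under the default become (sudo, which resets the environment and starts no login shell), under `su -` as in the last post, and under sudo with the `-i` flag mentioned above, then checks which runs see ORACLE_HOME. The inventory group `dbservers` is a placeholder, the connection user is assumed to be root as in the first post, and ORACLE_HOME is assumed to be set only in oracle's profile files.

```yaml
# Added example, not from the thread. "dbservers" is a placeholder inventory
# group; the connection user is assumed to be root, as in the original post.
- name: Compare the environment seen under different become settings
  hosts: dbservers
  gather_facts: false
  tasks:
    - name: Default become (sudo, no login shell)
      ansible.builtin.shell: printenv
      become: true
      become_user: oracle
      register: env_default
      changed_when: false

    - name: su with a login shell ("su - oracle"), the fix from the thread
      ansible.builtin.shell: printenv
      become: true
      become_user: oracle
      become_method: su
      become_flags: '-'
      register: env_su_login
      changed_when: false

    - name: sudo with a login shell ("sudo -i")
      ansible.builtin.shell: printenv
      become: true
      become_user: oracle
      become_method: sudo
      # Ansible's default sudo flags (-H -S -n) plus -i for a login shell.
      become_flags: '-H -S -n -i'
      register: env_sudo_login
      changed_when: false

    # Assumption: ORACLE_HOME is exported only from oracle's profile files,
    # so it appears only when the become method starts a login shell.
    - name: Check which runs picked up the profile-defined variables
      ansible.builtin.assert:
        that:
          - "'ORACLE_HOME=' not in env_default.stdout"
          - "'ORACLE_HOME=' in env_su_login.stdout"
          - "'ORACLE_HOME=' in env_sudo_login.stdout"
        fail_msg: "Unexpected environment; check profile files and sudoers env settings"
```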