community.general.machinectl become – Systemd’s machinectl privilege escalation
Note
This become plugin is part of the community.general collection (version 10.1.0).
You might already have this collection installed if you are using the ansible package.
It is not included in ansible-core.
To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install community.general.
To use it in a playbook, specify: community.general.machinectl.
Synopsis
This become plugin allows your remote/login user to execute commands as another user via the machinectl utility.
Parameters
| Parameter | Comments |
|---|---|
| | Machinectl executable. Default: Configuration: |
| | Options to pass to machinectl. Default: Configuration: |
| | Password for machinectl. Configuration: |
| | User you ‘become’ to execute the task. Default: Configuration: |
Notes
Note
When not using this plugin with user root, it only works correctly with a polkit rule that alters the behaviour of machinectl. The rule must change the prompt behaviour so that machinectl asks directly for the user's credentials if the user is allowed to perform the action (see the Examples section). If no such rule is present, the plugin only works when used with the root user, because machinectl then shows no further prompt.
Examples
# A polkit rule needed to use the module with a non-root user.
# See the Notes section for details.
/etc/polkit-1/rules.d/60-machinectl-fast-user-auth.rules: |
  polkit.addRule(function(action, subject) {
    if(action.id == "org.freedesktop.machine1.host-shell" &&
      subject.isInGroup("wheel")) {
        return polkit.Result.AUTH_SELF_KEEP;
    }
  });
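
The rule above and the plugin used together in one playbook, as an added example that is not part of the plugin's own documentation. It assumes sudo is available for the one-time bootstrap play, that the login user is a member of wheel, and that `appuser` is a hypothetical target account.

```yaml
# Added example, not from the plugin documentation.
# Assumptions: sudo works for the bootstrap play, the login user is in
# "wheel", and "appuser" is a hypothetical target account.
- name: Bootstrap the polkit rule that machinectl become needs for non-root users
  hosts: all
  become: true
  become_method: sudo
  tasks:
    - name: Install the rule root-owned and not writable by anyone else
      ansible.builtin.copy:
        dest: /etc/polkit-1/rules.d/60-machinectl-fast-user-auth.rules
        owner: root
        group: root
        mode: "0644"
        content: |
          polkit.addRule(function(action, subject) {
            // AUTH_SELF_KEEP: the caller authenticates with their own
            // password; polkit keeps the authorization for a short time.
            if (action.id == "org.freedesktop.machine1.host-shell" &&
                subject.isInGroup("wheel")) {
              return polkit.Result.AUTH_SELF_KEEP;
            }
          });

- name: Run tasks as another user through machinectl
  hosts: all
  become: true
  become_method: community.general.machinectl
  become_user: appuser  # hypothetical account
  tasks:
    - name: Report the effective user
      ansible.builtin.command: id -un
      register: effective_user
      changed_when: false

    - name: Fail the play if escalation did not land on the intended account
      ansible.builtin.assert:
        that:
          - effective_user.stdout == "appuser"
```

Run it with --ask-become-pass so the login user's own password is supplied to the prompt. The rule does not restrict the target user, so membership in wheel should be reviewed as strictly as a sudoers entry.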