shell module with become_user does not function correctly


Terry Lemons

Sep 27, 2023, 4:52:09 PM
to Ansible Project
Hi - I'm having trouble using the shell module with become_user. As a basic test, I created this playbook:

- hosts: all
  tasks:
    - name: Retrieve environment variables for root
      shell: printenv

    - name: Retrieve environment variables for oracle
      shell: printenv
      become: yes
      become_user: oracle

When I ran this with ansible-playbook and '-vvv', I noticed:

- the output received from the first task was as expected:

    "stdout": "HOSTTYPE=x86_64\nSSH_CONNECTION=10.247.229.46 35330 10.247.229.191 22\nLESSCLOSE=lessclose.sh %s %s\nXKEYSYMDB=/usr/X11R6/lib/X11/XKeysymDB\n_=/usr/bin/printenv\nLANG=POSIX\nWINDOWMANAGER=xterm\nLESS=-M -I -R\nHOSTNAME=ldpdd191\nCSHEDIT=emacs\nGPG_TTY=/dev/pts/0\nLESS_ADVANCED_PREPROCESSOR=no\nCOLORTERM=1\nMACHTYPE=x86_64-suse-linux\nMINICOM=-c on\nOSTYPE=linux\nXDG_SESSION_ID=69\nUSER=root\nPAGER=less\nMORE=-sl\nPWD=/root\nHOME=/root\nLC_CTYPE=C.UTF-8\nHOST=ldpdd191\nSSH_CLIENT=10.247.229.46 35330 22\nXNLSPATH=/usr/X11R6/lib/X11/nls\nXDG_SESSION_TYPE=tty\nXDG_DATA_DIRS=/usr/share\nLIBGL_DEBUG=quiet\nPROFILEREAD=true\nSSH_TTY=/dev/pts/0\nFROM_HEADER=\nMAIL=/var/spool/mail/root\nLESSKEY=/etc/lesskey.bin\nTERM=xterm\nSHELL=/bin/bash\nXDG_SESSION_CLASS=user\nPYTHONSTARTUP=/etc/pythonstart\nSHLVL=3\nMANPATH=/usr/share/man:/usr/local/man\nLOGNAME=root\nDBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/0/bus\nXDG_RUNTIME_DIR=/run/user/0\nXDG_CONFIG_DIRS=/etc/xdg\nPATH=/sbin:/usr/sbin:/usr/local/sbin:/root/bin:/usr/local/bin:/usr/bin:/bin\nG_BROKEN_FILENAMES=1\nHISTSIZE=1000\nCPU=x86_64\nSSH_SENDS_LOCALE=yes\nLESSOPEN=lessopen.sh %s",

but the output received from the second task (which uses 'become_user') was not correct:

    "stdout": "_=/usr/bin/printenv\nLANG=POSIX\nSUDO_GID=0\nCOLORTERM=1\nSUDO_COMMAND=/bin/sh -c echo BECOME-SUCCESS-ukrwuqlueafnghzqqoabhpfcwxwpieyw ; /usr/bin/python3.6 /var/tmp/ansible-tmp-1695847065.2341652-30706-3263662880779/AnsiballZ_command.py\nUSER=oracle\nPWD=/home/oracle/.ansible/tmp/ansible-moduletmp-1695847065.5976799-u8hbo4o2\nHOME=/home/oracle\nLC_CTYPE=C.UTF-8\nSUDO_USER=root\nSUDO_UID=0\nMAIL=/var/mail/oracle\nTERM=xterm\nSHELL=/bin/bash\nSHLVL=2\nLOGNAME=oracle\nPATH=/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/bin:/usr/local/sbin",

So, it seems that using 'become_user' perverts the function of the 'shell' module, and the command provided is not executed as expected. Is this a known bug/limitation?

Thanks!
tl

Dick Visser

Sep 27, 2023, 10:39:27 PM
to ansible...@googlegroups.com
What do you expect? And what do you mean by "perverts the function"?

Because it seems to work fine to me.

Terry Lemons

Sep 28, 2023, 9:12:48 AM
to Ansible Project
Hi Dick

Sorry I was vague. The issue is that the 'printenv' output returned by the second task was incorrect. It should have been:

oracle@ldpdd191:~> printenv
LS_COLORS=no=00:fi=00:di=01;34:ln=00;36:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=41;33;01:ex=00;32:*.cmd=00;32:*.exe=01;32:*.com=01;32:*.bat=01;32:*.btm=01;32:*.dll=01;32:*.tar=00;31:*.tbz=00;31:*.tgz=00;31:*.rpm=00;31:*.deb=00;31:*.arj=00;31:*.taz=00;31:*.lzh=00;31:*.lzma=00;31:*.zip=00;31:*.zoo=00;31:*.z=00;31:*.Z=00;31:*.gz=00;31:*.bz2=00;31:*.tb2=00;31:*.tz2=00;31:*.tbz2=00;31:*.xz=00;31:*.avi=01;35:*.bmp=01;35:*.dl=01;35:*.fli=01;35:*.gif=01;35:*.gl=01;35:*.jpg=01;35:*.jpeg=01;35:*.mkv=01;35:*.mng=01;35:*.mov=01;35:*.mp4=01;35:*.mpg=01;35:*.pcx=01;35:*.pbm=01;35:*.pgm=01;35:*.png=01;35:*.ppm=01;35:*.svg=01;35:*.tga=01;35:*.tif=01;35:*.webm=01;35:*.webp=01;35:*.wmv=01;35:*.xbm=01;35:*.xcf=01;35:*.xpm=01;35:*.aiff=00;32:*.ape=00;32:*.au=00;32:*.flac=00;32:*.m4a=00;32:*.mid=00;32:*.mp3=00;32:*.mpc=00;32:*.ogg=00;32:*.voc=00;32:*.wav=00;32:*.wma=00;32:*.wv=00;32:
HOSTTYPE=x86_64
LESSCLOSE=lessclose.sh %s %s
XKEYSYMDB=/usr/X11R6/lib/X11/XKeysymDB
ORACLE_SID=orcl
ORACLE_BASE=/u01/app/oracle
LANG=en_US.UTF-8
WINDOWMANAGER=xterm
LESS=-M -I -R
ORACLE_HOME=/u01/app/oracle/product/21.0.0/dbhome_1
HOSTNAME=ldpdd191
CSHEDIT=emacs
GPG_TTY=/dev/pts/1
LESS_ADVANCED_PREPROCESSOR=no
COLORTERM=1
MACHTYPE=x86_64-suse-linux
MINICOM=-c on
OSTYPE=linux
USER=oracle
PAGER=less
MORE=-sl
PWD=/home/oracle
HOME=/home/oracle
HOST=ldpdd191
XNLSPATH=/usr/X11R6/lib/X11/nls
XDG_DATA_DIRS=/usr/share
PROFILEREAD=true
ORA_INVENTORY=/u01/app/oraInventory
FROM_HEADER=
MAIL=/var/spool/mail/oracle
LESSKEY=/etc/lesskey.bin
TERM=xterm
SHELL=/bin/bash
LS_OPTIONS=-N --color=tty -T 0
PYTHONSTARTUP=/etc/pythonstart
SHLVL=1
G_FILENAME_ENCODING=@locale,UTF-8,ISO-8859-15,CP1252
MANPATH=/usr/local/man:/usr/share/man
LOGNAME=oracle
XDG_CONFIG_DIRS=/etc/xdg
PATH=/u01/app/oracle/product/21.0.0/dbhome_1/bin:/u01/app/oracle/product/21.0.0/dbhome_1/bin:/home/oracle/bin:/usr/local/bin:/usr/bin:/bin
G_BROKEN_FILENAMES=1
HISTSIZE=1000
CPU=x86_64
LESSOPEN=lessopen.sh %s
_=/usr/bin/printenv
oracle@ldpdd191:~>

The STDOUT value for the second task does not show this output; instead, it shows some information that is NOT the output of 'printenv'. Is this expected?

Thanks
tl

Brian Coca

Sep 28, 2023, 2:39:36 PM
to ansible...@googlegroups.com
become does not always imply a full login nor sourcing .shell files,
some of it depends on flags (`-i` for sudo or `-` for su), other times
it depends on shell used.

--
----------
Brian Coca

Terry Lemons

Sep 28, 2023, 5:16:47 PM
to Ansible Project
Hi Brian

Thanks very much for these hints. I did some more reading in https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_privilege_escalation.html and its linked pages. I found that adding:

  become_method: su

allowed 'printenv' to run correctly in the non-root account, and the further addition of:

  become_flags: '-'

allowed execution of .bash_profile, allowing the environment variables to be set.

Thanks again
tl
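The following playbook is an added example and is not code from the thread above. It puts the three variants discussed side by side: the default sudo become (non-login shell, which is why the second task's stdout above shows only the sudo-provided environment plus SUDO_COMMAND pointing at Ansible's wrapper), sudo with -i, and su with '-'. It assumes an inventory group named dbservers, a connection user of root (so su to oracle needs no password), an oracle account whose ~/.bash_profile exports ORACLE_HOME, and a sudoers rule that allows root to run a login shell. One detail worth knowing: for the sudo become plugin, become_flags replaces the plugin's default flags ('-H -S -n') instead of appending to them, so the defaults are repeated when adding -i.

```yaml
# Added example (not from the original thread). Assumptions: inventory group
# "dbservers"; connection user is root, so "su" prompts for no password; an
# "oracle" account whose ~/.bash_profile exports ORACLE_HOME; root may run
# "sudo -i" under sudoers (true for an ALL=(ALL) rule).
- name: Show how the become method decides whether profile files are sourced
  hosts: dbservers
  gather_facts: false
  tasks:
    - name: sudo, non-login shell (Ansible's default become method and flags)
      shell: printenv
      become: true
      become_user: oracle
      register: env_sudo

    # become_flags replaces the sudo plugin's default "-H -S -n" rather than
    # appending to it, so the defaults are repeated here alongside -i.
    - name: sudo -i, login shell
      shell: printenv
      become: true
      become_user: oracle
      become_flags: '-H -S -n -i'
      register: env_sudo_login

    - name: su -, login shell
      shell: printenv
      become: true
      become_method: su
      become_user: oracle
      become_flags: '-'
      register: env_su_login

    - name: Only the login-shell variants see variables set in ~/.bash_profile
      assert:
        that:
          - "'USER=oracle' in env_sudo.stdout"
          - "'ORACLE_HOME=' not in env_sudo.stdout"
          - "'ORACLE_HOME=' in env_sudo_login.stdout"
          - "'ORACLE_HOME=' in env_su_login.stdout"
        fail_msg: >-
          A login shell was expected to source oracle's profile; check the
          account's login shell and which startup files it actually reads.
```

Run it with ansible-playbook -vvv to see the exact sudo or su command line Ansible builds for each task. A login shell executes whatever startup files the target account owns, so PATH and any other variable the task then relies on are under that account's control; where the values matter for correctness rather than convenience, set them explicitly with the task's environment: keyword and call binaries by absolute path instead of depending on the other user's profile.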