---
title: Privilege escalation using become plugin
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Infrastructure as Code (IaC)
  Security > IaC Security Rules > Privilege escalation using become plugin
---

# Privilege escalation using become plugin

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md).
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**Id:** `0e75052f-cc02-41b8-ac39-a78017527e95`

**Cloud Provider:** Common

**Platform:** Ansible

**Severity:** Medium

**Category:** Access Control

#### Learn More{% #learn-more %}

- [Provider Reference](https://ansible.readthedocs.io/projects/lint/rules/partial-become/#problematic-code)

### Description{% #description %}

Playbooks and tasks that select a target account with `become_user` must also enable privilege escalation in that same scope with `become: true`. On its own, `become_user` has no effect: Ansible ignores it unless `become` is enabled, so the task runs as the connection user rather than the intended account. A task meant to run as a service account such as `postgres` therefore executes as the SSH user, and a task that needs root fails with a permission error instead of applying the change. Either way the result is a silent misconfiguration, a security control that was never applied, or resources touched under the wrong identity. The check is per scope (play, block or task): a `become` on a sibling task does not carry over, as the block examples below show. Verify that `become` is defined and set to `true` on `ansible_playbook` and `ansible_task` resources wherever `become_user` is present. Resources where `become_user` is defined but `become` is missing or `false` are flagged for correction.

Secure examples:

```yaml
- hosts: servers
  become: true
  become_user: root
  tasks:
    - name: Perform privileged action
      command: /usr/bin/some-command
```

```yaml
- name: Install package
  become: true
  become_user: root
  apt:
    name: nginx
    state: present
```
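The check described above can be reproduced outside Datadog with a short scope walker. The following Python is an added example, not the rule's or ansible-lint's own implementation: it takes a parsed playbook (the structure `yaml.safe_load()` returns for the file), visits every play, task and nested `block`/`rescue`/`always` list, and reports each scope that carries `become_user` without `become` evaluating to true in that same scope. The sample playbooks are constructed here to mirror this page's compliant and non-compliant cases, plus the string spellings `"yes"`/`"no"` that Ansible also accepts for booleans.

```python
"""Flag Ansible scopes that set become_user without become: true in the same
scope. Added example, not the page's rule engine or ansible-lint's code."""
from typing import Any, Iterator, Optional

# Ansible accepts several spellings for booleans; normalise them before
# deciding whether privilege escalation is really enabled.
_TRUE = {"true", "yes", "on", "1"}
_FALSE = {"false", "no", "off", "0"}


def as_bool(value: Any) -> Optional[bool]:
    """Return True/False for an Ansible-style boolean, None if unset or unparsable."""
    if isinstance(value, bool):
        return value
    if isinstance(value, int):
        return value != 0
    if isinstance(value, str):
        v = value.strip().lower()
        if v in _TRUE:
            return True
        if v in _FALSE:
            return False
    return None


_TASK_LISTS = ("pre_tasks", "tasks", "post_tasks", "handlers")
_BLOCK_LISTS = ("block", "rescue", "always")


def _check_scope(node: dict, path: str) -> Iterator[str]:
    """Yield a finding when become_user is set but become is not true here."""
    if "become_user" in node and as_bool(node.get("become")) is not True:
        state = "missing" if "become" not in node else repr(node["become"])
        yield f"{path}: become_user={node['become_user']!r} but become is {state}"


def _walk_tasks(tasks: Any, path: str) -> Iterator[str]:
    """Recurse through a task list, descending into block/rescue/always."""
    for i, task in enumerate(tasks or []):
        if not isinstance(task, dict):
            continue
        label = task.get("name") or f"task[{i}]"
        tpath = f"{path} -> {label}"
        yield from _check_scope(task, tpath)
        for key in _BLOCK_LISTS:
            if isinstance(task.get(key), list):
                yield from _walk_tasks(task[key], f"{tpath} ({key})")


def check_playbook(plays: Any) -> list[str]:
    """Return one finding per play, block or task that has become_user
    without become: true. A sibling's or parent's become is deliberately
    not consulted: the rule wants both keys in the same scope."""
    findings: list[str] = []
    if not isinstance(plays, list):
        return findings
    for i, play in enumerate(plays):
        if not isinstance(play, dict):
            continue
        ppath = f"play[{i}] {play.get('name') or play.get('hosts', '')}".rstrip()
        findings.extend(_check_scope(play, ppath))
        for key in _TASK_LISTS:
            findings.extend(_walk_tasks(play.get(key), ppath))
    return findings


# Constructed samples mirroring the playbooks on this page, written as the
# structures yaml.safe_load() would produce for them.
COMPLIANT = [
    {"hosts": "localhost", "become_user": "postgres", "become": True,
     "tasks": [{"name": "some task", "ansible.builtin.command": "whoami",
                "changed_when": False}]},
    {"hosts": "localhost",
     "tasks": [{"name": "become from the same scope",
                "ansible.builtin.command": "whoami",
                "become": "yes",  # string spelling, still true to Ansible
                "become_user": "postgres", "changed_when": False}]},
]

NON_COMPLIANT = [
    {"hosts": "localhost", "name": "become_user without become",
     "become_user": "bar",
     "tasks": [{"name": "Simple hello", "ansible.builtin.debug": {"msg": "hello"}}]},
    {"hosts": "localhost", "name": "become_user with become false",
     "become_user": "root", "become": False,
     "tasks": [{"name": "Simple hello", "ansible.builtin.debug": {"msg": "hello"}}]},
    {"hosts": "localhost",
     "tasks": [{"name": "become and become_user on different tasks",
                "block": [
                    {"name": "Sample become", "become": True,
                     "ansible.builtin.command": "ls ."},
                    {"name": "Sample become_user", "become_user": "foo",
                     "ansible.builtin.command": "ls ."},
                ]}]},
    {"hosts": "localhost",
     "tasks": [{"name": "become_user without become",
                "ansible.builtin.command": "whoami",
                "become_user": "mysql", "become": "no",  # string false
                "changed_when": False}]},
]

if __name__ == "__main__":
    for finding in check_playbook(NON_COMPLIANT):
        print(finding)
    print(f"{len(check_playbook(COMPLIANT))} findings in the compliant playbook")
```

Run against the non-compliant sample it reports four scopes, one per play or task that names a `become_user` without a true `become` beside it, and nothing for the compliant sample. Ansible itself does let a task inherit `become` from its play, which is why the walker's per-scope strictness is a lint choice rather than a runtime fact: requiring both keys together keeps the intent readable and stops a later refactor from quietly dropping the escalation.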

## Compliant Code Examples{% #compliant-code-examples %}

```yaml
---
- hosts: localhost
  become_user: postgres
  become: true            # become and become_user set together at play scope
  tasks:
    - name: some task
      ansible.builtin.command: whoami
      changed_when: false

---
- hosts: localhost
  tasks:
    - name: become from the same scope
      ansible.builtin.command: whoami
      become: true        # both keys on the same task
      become_user: postgres
      changed_when: false
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```yaml
---
- hosts: localhost
  name: become_user without become
  become_user: bar        # flagged: no become at play scope, so bar is ignored

  tasks:
    - name: Simple hello
      ansible.builtin.debug:
        msg: hello

---
- hosts: localhost
  name: become_user with become false
  become_user: root
  become: false           # flagged: escalation explicitly disabled

  tasks:
    - name: Simple hello
      ansible.builtin.debug:
        msg: hello

---
- hosts: localhost
  tasks:
    - name: become and become_user on different tasks
      block:
        - name: Sample become
          become: true          # applies to this task only
          ansible.builtin.command: ls .
        - name: Sample become_user
          become_user: foo      # flagged: the sibling task's become does not carry over
          ansible.builtin.command: ls .

---
- hosts: localhost
  tasks:
    - name: become false
      block:
        - name: Sample become
          become: true
          ansible.builtin.command: ls .
        - name: Sample become_user
          become_user: postgres
          become: false         # flagged: become disabled on this task
          ansible.builtin.command: ls .

---
- hosts: localhost
  tasks:
    - name: become_user with become task as false
      ansible.builtin.command: whoami
      become_user: mongodb
      become: false             # flagged: runs as the connection user, not mongodb
      changed_when: false

---
- hosts: localhost
  tasks:
    - name: become_user without become
      ansible.builtin.command: whoami
      become_user: mysql        # flagged: become missing, so mysql is never used
      changed_when: false
```
