
Ansible Privilege Escalation Errors: Troubleshoot become & sudo

By Luca Berton · Published 2024-01-01 · Category: installation

Troubleshoot Ansible privilege escalation errors. Fix sudo password issues, become configuration, requiretty, and permission problems with practical solutions.

Today we're going to talk about Ansible troubleshooting, specifically privilege escalation errors. I'm Luca Berton and welcome to today's episode of Ansible Pilot.

This error happens when the user Ansible connects as doesn't have permission to perform the operation. The solution is to switch to a user with administrative rights. In Ansible, you do this by enabling the become statement. Behind the scenes, Ansible connects to the target host as the normal user, switches to the administrative user, and then executes the playbook code. The standard privilege escalation method is sudo, but more are available, for example su, pfexec, doas, pbrun, dzdo, ksu, runas, machinectl, Centrify, etc.

Links: Understanding privilege escalation: become

## Playbook

The best way to talk about Ansible troubleshooting is to jump into a live playbook and show in practice the privilege escalation error and how to solve it!

error

fix

Now you know better how to troubleshoot the most common Ansible error about privilege escalation.

Understanding Ansible Privilege Escalation

By default, Ansible connects to managed hosts as a regular user. Many tasks (installing packages, modifying system files, managing services) require root or administrative privileges. Ansible's become feature handles this.

How become Works

1. Ansible connects via SSH as remote_user
2. If become: true, it escalates privileges using become_method (default: sudo)
3. It switches to become_user (default: root)
4. The task executes with elevated privileges
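The steps above in a playbook that escalates per task rather than per play, as an added example that is not from the original article. The inventory group `web`, the login user `deploy`, the service account `appuser`, the `nginx` package and the file path are assumptions.

```yaml
---
# Added example (not from the original article).
# Assumed names: group "web", login user "deploy", service account "appuser".
- name: Escalate only where a task needs it
  hosts: web
  remote_user: deploy          # SSH login as an unprivileged user
  become: false                # play default: no escalation
  tasks:
    - name: Read-only check runs as the login user
      ansible.builtin.command: id -un
      register: login_identity
      changed_when: false

    - name: Package install needs root
      ansible.builtin.package:
        name: nginx
        state: present
      become: true             # defaults apply: method sudo, user root

    - name: Application file is written as the service account, not root
      ansible.builtin.copy:
        content: "managed by ansible\n"
        dest: /home/appuser/managed.txt
        mode: "0640"
      become: true
      # sudoers must allow "deploy" to run commands as this target user.
      become_user: appuser

    - name: Record the identity that escalation produces
      ansible.builtin.command: id -un
      register: escalated_identity
      changed_when: false
      become: true

    - name: Fail early if escalation did not take effect
      ansible.builtin.assert:
        that:
          - login_identity.stdout == "deploy"
          - escalated_identity.stdout == "root"
        fail_msg: "become did not switch user; check sudoers for 'deploy'"
```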

Common Privilege Escalation Errors

Error 1: Missing sudo password

Fix — provide the password:

Fix — passwordless sudo (recommended for automation):

Error 2: User is not in the sudoers file

Fix:

Error 3: Sorry, try again (wrong password)

Fix: Verify the password is correct. If using Ansible Vault:

Error 4: sudo: a terminal is required

Fix: The requiretty option in sudoers is blocking Ansible. Disable it:
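One way to apply this fix together with the passwordless sudo fix from Error 1, as an added example that is not from the original article. It assumes a dedicated automation account named `ansible` that is also the SSH login user; the drop-in file name is likewise an assumption.

```yaml
---
# Added example (not from the original article).
# Assumed: a dedicated automation account named "ansible" used for SSH login.
# The first run still needs the current sudo password:
#   ansible-playbook -K sudoers.yml
- name: Install a validated sudoers drop-in for the automation account
  hosts: all
  become: true
  vars:
    automation_user: ansible
  tasks:
    - name: Deploy the drop-in under /etc/sudoers.d
      ansible.builtin.copy:
        # sudo skips files in sudoers.d whose names contain a "." or end in "~".
        dest: "/etc/sudoers.d/90-{{ automation_user }}"
        owner: root
        group: root
        mode: "0440"
        # visudo checks the temporary file first; a syntax error fails the
        # task instead of leaving a broken sudoers file on the host.
        validate: /usr/sbin/visudo -cf %s
        content: |
          # Managed by Ansible
          Defaults:{{ automation_user }} !requiretty
          {{ automation_user }} ALL=(ALL) NOPASSWD: ALL

    - name: Verify non-interactive sudo as the login user
      # -n makes sudo exit with an error instead of prompting for a password.
      ansible.builtin.command: sudo -n true
      become: false
      changed_when: false
```

Scoping both lines to the one account leaves requiretty and password prompts in force for every other user on the host.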

Or enable pipelining in Ansible:

Playbook Examples

Basic privilege escalation

Per-task escalation

Switch to a specific user

Available become Methods

| Method | Description | Use Case |
|--------|-------------|----------|
| sudo | Default, most common | Linux/macOS |
| su | Switch user | When sudo isn't available |
| pbrun | PowerBroker | Enterprise environments |
| pfexec | Profile-based exec | Solaris |
| doas | OpenBSD sudo alternative | BSD systems |
| runas | Windows escalation | Windows targets |
| machinectl | systemd container exec | systemd-nspawn |

FAQ

Should I use become: true at play level or task level?

Use play level when most tasks need root. Use task level when only some tasks need elevation. Task-level is more secure (principle of least privilege).

How do I pass the become password securely?

Use Ansible Vault to encrypt the password:

Why does become fail with su method?

The su method requires the target user's password (usually root), not the connecting user's password. Make sure you're providing the right password with --ask-become-pass.

Common Errors and Fixes

"Missing sudo password"

"sudo: a terminal is required"

"Permission denied" with become

"User not in sudoers file"

Become to Non-Root User

Debugging

Become Methods

Sudoers Configuration

Common Patterns

| Error | Likely Cause | Fix |
|-------|-------------|-----|
| Missing sudo password | No NOPASSWD in sudoers | Add -K flag or configure sudoers |
| requiretty | Old sudoers config | Enable pipelining or remove requiretty |
| Not in sudoers | User lacks sudo access | Add to sudoers.d |
| Permission denied | Wrong become_user | Check sudoers allows target user |
| Module failure | become not set | Add become: true |

FAQ

Can I use different sudo passwords per host?

Yes — set ansible_become_password in host_vars/:
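A layout that combines per-host become passwords with the Ansible Vault advice from the earlier FAQ, as an added example that is not from the original article. The host name `db01`, the variable name `vault_become_password`, the file names and the playbook name `site.yml` are assumptions.

```yaml
# Added example (not from the original article). Three separate files are
# shown as separate YAML documents; host "db01" is an assumed name.

# --- host_vars/db01/vars.yml (plain text, reviewable in diffs) ---
---
ansible_become: true
ansible_become_method: sudo
# Indirection: the real value lives only in the encrypted file below.
ansible_become_password: "{{ vault_become_password }}"

# --- host_vars/db01/vault.yml (contents before encryption) ---
# Encrypt:     ansible-vault encrypt host_vars/db01/vault.yml
# Edit later:  ansible-vault edit host_vars/db01/vault.yml
---
vault_become_password: "REPLACE_WITH_SUDO_PASSWORD_FOR_db01"

# --- site.yml ---
# Run:  ansible-playbook site.yml --ask-vault-pass
---
- name: Confirm escalation works with the vaulted password
  hosts: db01
  tasks:
    - name: Show the effective user
      ansible.builtin.command: id -un
      register: effective_user
      changed_when: false

    - name: Expect root, since ansible_become is set in host_vars
      ansible.builtin.assert:
        that: effective_user.stdout == "root"
```

Each host directory gets its own vars.yml and vault.yml pair, so no password is shared across hosts or stored unencrypted in the repository.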

How do I become without sudo?

Use become_method: su (needs root password) or configure polkit/doas as alternatives.

Why does my task fail even with become?

The become user might lack permissions for that specific action. Check file ownership, service permissions, and SELinux context.

Common Errors

"Missing sudo password"

"sudo: a terminal is required"

"sudo: sorry, you must have a tty"

Same fix as above — remove requiretty from sudoers or disable pipelining.

"Permission denied"

become Configuration

Alternative become Methods

Become a Non-Root User

Debug Privilege Escalation

Sudoers Best Practices

FAQ

become: true vs become: yes?

Both work — YAML treats true/yes as boolean true. true is preferred by ansible-lint.

Can I escalate on some tasks only?

Yes — set become: true per-task instead of per-play. Better security practice.

"Incorrect sudo password" but password is right?

Check: locale issues (special characters in password), password for wrong user (might need root's password with su), PAM configuration blocking.
