From d964cec5e6aa807b75c7a4e7cdc5f11e54b2eda2 Mon Sep 17 00:00:00 2001
From: Daniel Baumann
Date: Sun, 28 Apr 2024 18:04:56 +0200
Subject: Adding upstream version 6.13.1.
Signed-off-by: Daniel Baumann
---
src/ansiblelint/rules/partial_become.md | 42 +++++++++++++++++++++++++++++++++
1 file changed, 42 insertions(+)
create mode 100644 src/ansiblelint/rules/partial_become.md
(limited to 'src/ansiblelint/rules/partial_become.md')
diff --git a/src/ansiblelint/rules/partial_become.md b/src/ansiblelint/rules/partial_become.md
new file mode 100644
index 0000000..01f9dae
--- /dev/null
+++ b/src/ansiblelint/rules/partial_become.md
@@ -0,0 +1,42 @@
+# partial-become
+
+This rule checks that privilege escalation is activated when changing users.
+
+To perform an action as a different user with the `become_user` directive, you
+must set `become: true`.
+
+!!! warning
+
+ While Ansible inherits have of `become` and `become_user` from upper levels,
+ like play level or command line, we do not look at these values. This rule
+ requires you to be explicit and always define both in the same place, mainly
+ in order to prevent accidents when some tasks are moved from one location to
+ another one.
+
+## Problematic Code
+
+```yaml
+---
+- name: Example playbook
+ hosts: localhost
+ tasks:
+ - name: Start the httpd service as the apache user
+ ansible.builtin.service:
+ name: httpd
+ state: started
+ become_user: apache # <- Does not change the user because "become: true" is not set.
+```
+
+## Correct Code
+
+```yaml
+- name: Example playbook
+ hosts: localhost
+ tasks:
+ - name: Start the httpd service as the apache user
+ ansible.builtin.service:
+ name: httpd
+ state: started
+ become: true # <- Activates privilege escalation.
+ become_user: apache # <- Changes the user with the desired privileges.
+```
-- cgit v1.2.3