diff --git a/changelogs/fragments/7099-chroot-disable-root-check-option.yml b/changelogs/fragments/7099-chroot-disable-root-check-option.yml new file mode 100644 index 0000000000..c5c2af4e95 --- /dev/null +++ b/changelogs/fragments/7099-chroot-disable-root-check-option.yml @@ -0,0 +1,2 @@ +minor_changes: + - "chroot connection plugin - add ``disable_root_check`` option (https://github.com/ansible-collections/community.general/pull/7099)." diff --git a/plugins/connection/chroot.py b/plugins/connection/chroot.py index 7903ab7046..810316aaa5 100644 --- a/plugins/connection/chroot.py +++ b/plugins/connection/chroot.py @@ -46,6 +46,19 @@ DOCUMENTATION = ''' vars: - name: ansible_chroot_exe default: chroot + disable_root_check: + description: + - Do not check that the user is not root. + ini: + - section: chroot_connection + key: disable_root_check + env: + - name: ANSIBLE_CHROOT_DISABLE_ROOT_CHECK + vars: + - name: ansible_chroot_disable_root_check + default: false + type: bool + version_added: 7.3.0 ''' EXAMPLES = r""" @@ -102,11 +115,7 @@ class Connection(ConnectionBase): self.chroot = self._play_context.remote_addr - if os.geteuid() != 0: - raise AnsibleError("chroot connection requires running as root") - - # we're running as root on the local system so do some - # trivial checks for ensuring 'host' is actually a chroot'able dir + # do some trivial checks for ensuring 'host' is actually a chroot'able dir if not os.path.isdir(self.chroot): raise AnsibleError("%s is not a directory" % self.chroot) @@ -120,6 +129,11 @@ class Connection(ConnectionBase): def _connect(self): """ connect to the chroot """ + if not self.get_option('disable_root_check') and os.geteuid() != 0: + raise AnsibleError( + "chroot connection requires running as root. " + "You can override this check with the `disable_root_check` option.") + if os.path.isabs(self.get_option('chroot_exe')): self.chroot_cmd = self.get_option('chroot_exe') else:
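Review bot: The description of the new `disable_root_check` option, in the DOCUMENTATION hunk of plugins/connection/chroot.py, reads as a double negative and does not say when skipping the check is appropriate. The check this commit adds in `_connect` fails when the effective UID is not 0, so wording such as `- Do not require the Ansible process to run as root (skips the effective UID check).` would say what the option does. A second description line could add that the option only helps when the configured `chroot_exe` can enter the chroot without root privileges, which is presumably the intended use. The DOCUMENTATION string begins before this hunk.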
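Review bot: The new guard at the top of `_connect` in plugins/connection/chroot.py has no comment explaining what skipping it means for privileges, and that is the first thing a reader will ask about an option that turns off a root check. From the visible lines the euid test is only an early failure: with `disable_root_check` set nothing is granted, and the command named by `chroot_exe` must still be able to enter the chroot on its own. A comment above the `if` would record that, for example `# Early, friendlier failure only: skipping it grants nothing, chroot_exe must still be able to chroot by itself.` Both this option and `chroot_exe` can be set from the environment and from variables (`ansible_chroot_disable_root_check`, `ansible_chroot_exe`), so the option text could also recommend an absolute `chroot_exe` path when the check is disabled. A non-absolute value goes to the `else:` branch, whose body is outside the hunk, as is the rest of `_connect`.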