Closed tholeb closed 1 year ago
I confirm that I'm experiencing the same issue on Cockpit version 264.1 running on RHEL 9.
I added a test user "user" that does not belong to the wheel group, and instead I created a /etc/sudoers.d/user with visudo with the following line: user ALL=(ALL) /bin/cockpit-bridge --privileged
The file gives the "user" user permission to use "sudo" with only "/bin/cockpit-bridge --privileged". Trying to run any other command with sudo in a terminal fails, with the error message "Sorry, user user is not allowed to execute ...".
On Cockpit, however, I'm able to switch successfully to Administrative access, and perform all administrative tasks, such as those in the menus "Networking", "Accounts", and "Services". The tasks that can be performed are beyond what I thought I had allowed to the "user" user with the sudoer file. This is an unexpected behavior.
The second portion about the PolicyKit rules not being observed is similar to the issues #17339, #16345, and #11003, as pointed out by @martinpitt ("Most cockpit pages don't do polkit checks").
@kyumin-arraytech : Allowing sudo access to cockpit-bridge is equivalent to full root access. It's the moral equivalent of allowing access to "bash". So this won't help you to do partial privileges -- these simply don't work with current Cockpit, sorry.
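An added example, not part of the original thread or of Cockpit's code: a small sudoers check that flags rules which look scoped but grant a root-equivalent binary, as described in the reply above. The `ROOT_EQUIVALENT` set, the function name and the sample rules (apart from the `user` rule quoted in this thread) are assumptions of this example.

```python
import re

# Binaries the thread treats as root-equivalent when allowed through sudo:
# cockpit-bridge, and bash (the comparison made in the reply above).
# The set is this example's assumption; extend it for your environment.
ROOT_EQUIVALENT = {"cockpit-bridge", "bash"}

# Simplified user spec: WHO HOST=(RUNAS) [TAG:] CMD [, CMD ...]
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+[^=\s]+\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>.+)$")
TAG_RE = re.compile(r"^(?:[A-Z_]+:\s*)+")   # NOPASSWD:, NOEXEC:, ...
SKIP = ("#", "Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")

def audit_sudoers(text):
    """Return (line_number, who, binary) for rules that look scoped but let
    WHO run a root-equivalent binary as root. Aliases are not expanded."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        m = None if line.startswith(SKIP) else RULE_RE.match(line)
        if not m:
            continue
        # sudo runs the command as root when no Runas spec is given.
        runas_users = (m.group("runas") or "root").split(":")[0].split(",")
        if not any(u.strip() in ("ALL", "root") for u in runas_users):
            continue
        for cmd in m.group("cmds").split(","):
            cmd = TAG_RE.sub("", cmd.strip())
            if not cmd:
                continue
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            if binary in ROOT_EQUIVALENT:
                findings.append((lineno, m.group("who"), binary))
    return findings

# Constructed sample; line 2 is the rule quoted earlier in this thread.
SAMPLE = """\
# constructed sudoers.d sample
user ALL=(ALL) /bin/cockpit-bridge --privileged
%webops ALL=(root) NOPASSWD: /usr/bin/systemctl restart httpd, /usr/bin/cockpit-bridge
deploy ALL=(postgres) /bin/bash
backup ALL=(ALL) /usr/bin/systemctl restart httpd
"""

if __name__ == "__main__":
    for lineno, who, binary in audit_sudoers(SAMPLE):
        print(f"line {lineno}: {who} may run {binary} as root (full root access)")
```

The `deploy` rule is not reported because its Runas target is `postgres`, not root, and the `backup` rule is not reported because it only allows a fixed `systemctl` invocation.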
Thanks for the confirmation, @martinpitt .
Hello, thank you for your replies.
See explanation above, there is nothing further to do for this particular issue.
I installed Cockpit on Ubuntu 20.04.5 and checked that its version is 215-1. I followed a link to add a *.pkla file to enforce that netdev has the privileges to modify all NetworkManager settings, and the user in the netdev group is able to modify network settings in the Cockpit web console. But when I tried Debian 12 (Cockpit 287-1) or Ubuntu 18 (Cockpit 164) the same way, the Cockpit UI doesn't allow this user to modify NetworkManager settings, and I confirmed with "nmcli general permissions" that this user has the permissions to modify NetworkManager. I wonder why? Why can't this bug be fixed in other Cockpit versions? Does this bug belong to Cockpit only? Does it have nothing to do with polkit?
Explain what happens
Hello, I want to limit a group's permissions by allowing only a subset of commands. To do so, I've created a sudoers file in /etc/sudoers.d/cockpit (with Ansible), here is the content:
Note: the {{ ambx_group }} is a variable replaced by the group's name when the server is deployed with Ansible.
The sudo file works like a charm, there are no errors, and I can restart/start/stop the httpd service in CLI, but not via Cockpit (I can't use the button). I tried applying the same config with Polkit (as the docs suggest):
And even with polkit, the button is disabled. I tried allowing sudo cockpit-bridge, but it gives the user full permissions, which is not what I want.
Am I doing something wrong?
Note: I use an SSO (Kerberos) to log into cockpit,
Version of Cockpit
195
Where is the problem in Cockpit?
Services
Server operating system
CentOS 7
Server operating system version
3.10.0-1127.el7.x86_64
What browsers are you using?
Firefox
System log