search

cockpit-project / cockpit

Cockpit is a web-based graphical interface for servers.
http://www.cockpit-project.org/
GNU Lesser General Public License v2.1
11.23k stars 1.11k forks source link

"failed to lookup reauthorize secret key" for privileged operations in container #5664

Closed martinpitt closed 7 years ago

martinpitt commented 7 years ago

I installed cockpit into a fairly minimal F25 container:

sudo mkosi -d fedora -r 25 -t subvolume --password root -p dnf -p cockpit -p nodejs -p npm -p iproute -p sudo -p git -o /srv/nspawn/f25cockpit
sudo systemd-nspawn -xnbD /srv/nspawn/f25cockpit -M cockpit

On https://cockpit:9090/ (this requires nss-mymachines) I now tried to set a host name (by default the above only has a transient hostname acquired over DHCP). This shows a "/!\ Permission denied" error, and the log shows

Jan 03 11:41:53 cockpit cockpit-bridge[168]: cockpit-polkit: failed to lookup reauthorize secret key: reauthorize/secret/martin: Operation not permitted
Jan 03 11:41:53 cockpit cockpit-bridge[168]: cockpit-polkit helper exited with status: 0
Jan 03 11:41:53 cockpit polkitd[44]: Operator of unix-session:55 FAILED to authenticate to gain authorization for action org.freedesktop.hostname1.set-static-hostname for system-bus-name::1.24 [cockpit-bridge] (owned by unix-user:martin)

(this is with G_MESSAGES_DEBUG=cockpit-ws,cockpit-bridge).

Running hostnamectl set-hostname foo in that container with the same user martin asks for my password via polkit and works, so polkit itself seems fine.

martinpitt commented 7 years ago

This is from https://github.com/cockpit-project/cockpit/blob/master/src/reauthorize/reauthorize.c#L555

Indeed this is preceeded by

cockpit-session[31]: pam_reauthorize: couldn't create key in kernel session keyring: reauthorize/secret/martin: Operation not permitted

keyctl show just fails in a container (as user and as root), so this is just a general limitation of containers as the kernel keyring isn't namespace aware. If using cockpit in a container is just not supported, then this issue should just be closed. If we do want to support it, then maybe providing a custom polkit agent might be better as it does not make assumptions about kernel capabilities?

stefwalter commented 7 years ago

Yup. The polkit agent stuff is currently being rewritten ... and the usage of the kernel keyring is being removed:

https://trello.com/c/HDtcZMu5/409-implement-a-polkit-agent-in-javascript

stefwalter commented 7 years ago

If you're interested in how the polkit agent currently works (until the rewrite is merged) then it's documented here: https://github.com/cockpit-project/cockpit/blob/master/doc/reauthorize.md

petervo commented 7 years ago

Rewrite has been merged, this shouldn't be an issue anymore