1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
|
<?xml version="1.0"?>
<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
<chapter id="privileges">
<title>Privileges and Permissions</title>
<para>When a user is logged into Cockpit, they are logged into a normal session
that has exactly the same privileges as if they logged in via SSH or on
the console.</para>
<para>In some cases Cockpit will try to escalate the privileges of the user
using <ulink url="https://www.freedesktop.org/wiki/Software/polkit/">Policy Kit</ulink>
or <ulink url="https://www.sudo.ws/">sudo</ulink>. If the user is able to escalate
privileges from the command line, then Cockpit will use that same capability to
perform certain privileged tasks.</para>
<para>Cockpit can use the user's login password internally to escalate privileges
in these situations. By selecting the
<emphasis>Reuse my password for privileged tasks</emphasis> option on the login screen
the login password will be cached internally and passed to <emphasis>Policy Kit</emphasis>
when requested in order to escalate privileges.</para>
<para>To test out whether Cockpit can escalate privileges, you can run these commands
from a the <link linkend="feature-terminal">terminal built into Cockpit</link>.</para>
<programlisting>
$ sudo cockpit-bridge
...
$ pkexec cockpit-bridge
...
</programlisting>
<para>If either of these commands succeed without prompting for a password,
Cockpit will be able to start a privileged copy of the
<filename>cockpit-bridge</filename> and use it to perform privileged tasks
when necessary.</para>
<para>Usually a user needs to be in the <code>wheel</code> Unix user group for the
user to be able to escalate privileges in this way. However both Policy Kit and
sudo may be configured to use other criteria.</para>
<section id="privileges-polkit">
<title>Customizing Polkit Privileges</title>
<para>Services like <ulink url="https://www.freedesktop.org/wiki/Software/systemd/">systemd</ulink>
and <ulink url="https://wiki.gnome.org/Projects/NetworkManager">NetworkManager</ulink> use
<ulink url="https://www.freedesktop.org/wiki/Software/polkit/">Polkit</ulink> to
validate and escalate privileges. It is possible to customize these rules with files
in <filename>/etc/polkit-1/rules.d</filename>.</para>
<para>Polkit rules files are
<ulink url="https://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html">javascript with specific methods and objects</ulink>. For example, placing the following polkit rule to
<filename>/etc/polkit-1.rules.d/10-operators.rule</filename> allows all users in the
<code>operators</code> group to start, stop, restart and otherwise manage systemd services:</para>
<programlisting>
polkit.addRule(function(action, subject) {
if (action.id == "org.freedesktop.systemd1.manage-units") {
if (subject.isInGroup("operators")) {
return polkit.Result.YES;
}
}
});
</programlisting>
<para>In order to allow a certain group to perform any administrative action you could add
a rule like this:</para>
<programlisting>
polkit.addAdminRule(function(action, subject) {
return ["unix-group:operators"];
});
</programlisting>
</section>
</chapter>
|
