File: privileges.xml

package info (click to toggle)
cockpit 239-1
  • links: PTS, VCS
  • area: main
  • in suites: bullseye
  • size: 67,268 kB
  • sloc: javascript: 245,474; ansic: 72,273; python: 23,634; xml: 6,155; sh: 2,919; makefile: 923; sed: 5
file content (64 lines) | stat: -rw-r--r-- 2,877 bytes parent folder | download | duplicates (2) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
 
<?xml version="1.0"?>
<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
	"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
<chapter id="privileges">
  <title>Privileges and Permissions</title>

  <para>When a user is logged into Cockpit, they are logged into a normal session
    that has exactly the same privileges as if they logged in via SSH or on
    the console.</para>

  <para>However, Cockpit will usually try to escalate the privileges
  of the user using <ulink
  url="https://www.freedesktop.org/wiki/Software/polkit/">Policy
  Kit</ulink> or <ulink url="https://www.sudo.ws/">sudo</ulink>. If
  the user is able to escalate privileges from the command line by
  typing in their password again (or without typing in any password),
  then Cockpit will be able to escalate the privileges of the session
  to "root" immediately upon login.</para>

  <para>The user can change the privileges of a session from within
  that session, via the "Administrative access" indicator in the top
  bar.  From that indicator, the user can drop "root" privileges and
  regain them.  On the next login, Cockpit will give the session the
  same privileges.</para>

  <para>Usually a user needs to be in the <code>wheel</code> Unix user group for the
    user to be able to escalate privileges in this way. However both Policy Kit and
    sudo may be configured to use other criteria.</para>

  <section id="privileges-polkit">
    <title>Customizing Polkit Privileges</title>

    <para>Services like <ulink url="https://www.freedesktop.org/wiki/Software/systemd/">systemd</ulink>
      and <ulink url="https://wiki.gnome.org/Projects/NetworkManager">NetworkManager</ulink> use
      <ulink url="https://www.freedesktop.org/wiki/Software/polkit/">Polkit</ulink> to
      validate and escalate privileges. It is possible to customize these rules with files
      in <filename>/etc/polkit-1/rules.d</filename>.</para>

    <para>Polkit rules files are
      <ulink url="https://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html">javascript with specific methods and objects</ulink>. For example, placing the following polkit rule to
      <filename>/etc/polkit-1.rules.d/10-operators.rule</filename> allows all users in the
      <code>operators</code> group to start, stop, restart and otherwise manage systemd services:</para>

<programlisting>
polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.systemd1.manage-units") {
        if (subject.isInGroup("operators")) {
            return polkit.Result.YES;
        }
    }
});
</programlisting>

    <para>In order to allow a certain group to perform any administrative action you could add
      a rule like this:</para>

<programlisting>
polkit.addAdminRule(function(action, subject) {
    return ["unix-group:operators"];
});
</programlisting>

  </section>
</chapter>