Bug 1395645

Summary: cockpit web interface ignores sudo rules when start/stop services via Services -> <name>.service
Product: Red Hat Enterprise Linux 7
Reporter: Ming Davies <minyu>
Component: cockpit
Assignee: Dominik Perpeet <dperpeet>
Status: CLOSED NOTABUG
QA Contact: qe-baseos-daemons
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 7.2
CC: dperpeet
Target Milestone: rc
Keywords: Extras
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-11-18 16:47:50 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description Ming Davies 2016-11-16 10:56:38 UTC
Description of problem:

Define the following sudo rules in IPA:
dn: cn=sudo-manipulate-application-directory,ou=sudoers,dc=testrelm,dc=test
sudoUser: test-user
sudoRunAsGroup: ALL
objectClass: sudoRole
objectClass: top
sudoOption: !authenticate   <<<<<<<<<<<<<<<
sudoOption: !requiretty
sudoCommand: /bin/chmod *[]* /data/*[]*
sudoCommand: /bin/chown *[]* /data/*[]*
sudoCommand: /bin/mkdir /data/*
sudoCommand: /bin/rm -Rf /data/*[]*
sudoCommand: /usr/bin/systemctl restart goferd
sudoCommand: /bin/systemctl restart goferd
sudoCommand: /usr/bin/systemctl restart rsyslog
sudoCommand: /usr/bin/systemctl start rsyslog
sudoCommand: /usr/bin/systemctl stop rsyslog
sudoCommand: !/bin/chown *[]* /data/* *
sudoCommand: !/bin/chown *[]* /data/*..*
sudoCommand: !/bin/mkdir /data/* *
sudoCommand: !/bin/mkdir /data/*..*
sudoCommand: !/bin/rm -Rf /data/* *
sudoCommand: !/bin/rm -Rf /data/*..*
sudoCommand: !/bin/rm -Rf /data/backups
sudoCommand: !/bin/rm -Rf /data/log
sudoCommand: !/bin/rm -Rf /data/spool
sudoRunAsUser: ALL
sudoHost: ALL
cn: sudo-manipulate-application-directory


No password is required when issuing the following command as the test-user:
sudo /usr/bin/systemctl stop rsyslog

Same thing when using the terminal within the cockpit web interface.

However, the user is faced with an "Error Interactive authentication required" message when attempting to start/stop syslog via Services -> rsyslog.service on the cockpit web interface. Is this expected behavior?


Version-Release number of selected component (if applicable):
cockpit-ws-118-2.el7.x86_64
cockpit-shell-118-2.el7.noarch
cockpit-docker-118-2.el7.x86_64
cockpit-storaged-118-2.el7.noarch
cockpit-118-2.el7.x86_64
cockpit-bridge-118-2.el7.x86_64

How reproducible:


Steps to Reproduce:
1. Define the above sudo rules in IPA replica
2. Log onto an IPA client as "test-user"; issuing "sudo /usr/bin/systemctl stop/start rsyslog" should all work
3. Now log onto cockpit installed on the IPA client as "test-user" and attempt to start/stop rsyslog by browsing to Services -> rsyslog.service; you can see the error

Actual results:


Expected results:


Additional info:

Comment 3 Dominik Perpeet 2016-11-18 16:47:50 UTC
Cockpit doesn't use the command line interface to systemd, but the D-Bus API [1]. Therefore adding sudo rules for systemctl commands won't affect Cockpit.

Please ensure the permissions for the user are set correctly.


[1] https://www.freedesktop.org/wiki/Software/systemd/dbus/
Note:
In contrast to most of the other services of the systemd suite PID 1 does not use PolicyKit for controlling access to privileged operations, but relies exclusively on the low-level D-Bus policy language. (This is done in order to avoid a cyclic dependency between PolicyKit and systemd/PID 1.) This means that sensitive operations exposed by PID 1 on the bus are generally not available to unprivileged processes directly. However some (such as shutdown/reboot/suspend) are made available via logind's interfaces.
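The distinction drawn in Comment 3, as an added illustration (not code from Cockpit or sudo): sudo matches the program path and argument string of a process it is asked to spawn against sudoCommand globs (last match wins, a leading '!' denies), whereas Cockpit's bridge issues a D-Bus method call as the logged-in user, so there is no argv for sudo to evaluate. The rule list is a constructed subset of the report's entries; the bus name, object path, interface and method are those systemd's Manager interface exposes.

```python
"""Why a sudoers rule for 'systemctl stop rsyslog' does not reach Cockpit."""
import fnmatch
from typing import List, Optional

# Constructed subset of the report's sudoCommand entries, in the order given.
SUDO_COMMANDS = [
    "/bin/rm -Rf /data/*",
    "/usr/bin/systemctl restart rsyslog",
    "/usr/bin/systemctl start rsyslog",
    "/usr/bin/systemctl stop rsyslog",
    "!/bin/rm -Rf /data/backups",
    "!/bin/rm -Rf /data/log",
    "!/bin/rm -Rf /data/spool",
]


def _rule_matches(rule: str, argv: List[str]) -> bool:
    """Glob-match one sudoCommand (without any leading '!') against argv:
    the program path first, then the argument string as a whole."""
    parts = rule.split(None, 1)
    if not fnmatch.fnmatchcase(argv[0], parts[0]):
        return False
    if len(parts) == 1:          # a bare path in sudoers allows any arguments
        return True
    return fnmatch.fnmatchcase(" ".join(argv[1:]), parts[1])


def sudo_allows(argv: Optional[List[str]], rules=SUDO_COMMANDS) -> bool:
    """sudo walks the entries in order and the last match decides; '!' denies.
    With no argv (nothing is exec'd) there is nothing to match at all."""
    if not argv:
        return False
    decision = False
    for rule in rules:
        if _rule_matches(rule.lstrip("!"), argv):
            decision = not rule.startswith("!")
    return decision


def cockpit_stop_request(unit: str) -> dict:
    """What Services -> <unit> -> Stop sends: a StopUnit call on PID 1's
    org.freedesktop.systemd1.Manager interface, issued with the logged-in
    user's uid. The bus policy of PID 1 decides; sudoers is never consulted."""
    return {
        "destination": "org.freedesktop.systemd1",
        "path": "/org/freedesktop/systemd1",
        "interface": "org.freedesktop.systemd1.Manager",
        "method": "StopUnit",
        "args": [unit, "replace"],
        "argv": None,   # no /usr/bin/systemctl process: sudo_allows() -> False
    }
```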