Bug 2091034
| Summary: | [RFE] Support other tools for administrative task (except sudo) | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Oliver Ilian <oliver> |
| Component: | cockpit | Assignee: | Martin Pitt <mpitt> |
| Status: | CLOSED ERRATA | QA Contact: | Jan Ščotka <jscotka> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 8.6 | CC: | mmarusak, mvollmer, sbarcomb |
| Target Milestone: | rc | Keywords: | FutureFeature, Triaged |
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | cockpit-275-1.el8 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2022-11-08 10:48:03 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Oliver Ilian
2022-05-27 11:54:07 UTC
(In reply to Oliver Ilian from comment #0) > Therefore, this question/request is to see if it is possible to have Cockpit > use a custom or third-party way of privileges elevation. In general, this is a very reasonable request. Cockpit has the infrastructure in place to configure alternative methods to start a "privileged bridge" (which is the process that will carry out privileged tasks). Cockpit ships with two such methods already configured in "/usr/share/cockpit/shell/manifest.json", and more can be added. However, the current UI of Cockpit is only able to use the "sudo" configuration. Other methods, including the pre-installed "pkexec" one, can not be activated, and have not been tested for some time. Thus, enhancing Cockpit to support arbitrary privilege escalation methods is well within reach, but requires some development effort in Cockpit itself. Can you point to an example of how BoKS is used, such as for running "dnf update" on the terminal? (In reply to Marius Vollmer from comment #2) > Can you point to an example of how BoKS is used, such as for running "dnf update" on the terminal? Hi Marius, that sounds very promising. The customer replied with an example: **** A normal way for a user that has 'sudo all' would be to use something like: sx su - root -c "yum check-updates" Our users would define 'access rules" for the Non-Personal Accounts, and for instance, a Non-Personal Account that can perform any command with root permissions would get a rule as: /bin/su - root -c * Effectively means any command (hence the * wildcard). **** Does that help or would you need more information? (In reply to Oliver Ilian from comment #3) > (In reply to Marius Vollmer from comment #2) > > A normal way for a user that has 'sudo all' would be to use something like: > sx su - root -c "yum check-updates" I see. Users who want to have admin access in Cockpit would have to allow something like sx su - root -c "cockpit-bridge --privileged" > Does that help or would you need more information? It would be interesting to see a full interaction. Are there any prompts, for example? And of course, documentation for BoKS and "sx" would be interesting. I think we need to experiment a bit if we want to make concrete plans... Can we get access to a box that has "sx" on it? Or can you build/run custom versions of Cockpit? This is probably as easy as unpacking a tarball that I give you into ~/.local/share/cockpit/. (In reply to Marius Vollmer from comment #4) > It would be interesting to see a full interaction. Are there any prompts, > for example? And of course, documentation for BoKS and "sx" would be > interesting. > > I think we need to experiment a bit if we want to make concrete plans... Can > we get access to a box that has "sx" on it? Or can you build/run custom > versions of Cockpit? This is probably as easy as unpacking a tarball that I > give you into ~/.local/share/cockpit/. The customer offered that we can have a video conference and share their screen to show the process. I do not have a system with sx installed or the documentation. Would you be interested in a video call? > Would you be interested in a video call?
Yeah, why not. A screen recording of someone running "sx su - root -c 'yum check-updates'" to completion would also be fine.
Just to set expectations: I don't think this will result in Cockpit officially supporting BoKS, but Cockpit could support "3rd party privilege escalation tools" and the customer would have to figure out how to translate the sx prompts (if there are any) into the Cockpit "auth" protocol messages, similar to what /usr/libexec/cockpit-pass does for sudo.
I have filed https://issues.redhat.com/browse/COCKPIT-863 for future planning. This has been implemented in upstream: https://github.com/cockpit-project/cockpit/pull/17536 Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (cockpit bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2022:7718 |