Bug 1395645 - cockpit web interface ignores sudo rules when start/stop services via services -> <name>.service
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: cockpit
Version: 7.2
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Dominik Perpeet
QA Contact: qe-baseos-daemons
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-11-16 10:56 UTC by Ming Davies
Modified: 2020-01-17 16:11 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-11-18 16:47:50 UTC
Target Upstream Version:



Description Ming Davies 2016-11-16 10:56:38 UTC
Description of problem:

Define the following sudo rules in IPA:
dn: cn=sudo-manipulate-application-directory,ou=sudoers,dc=testrelm,dc=test
sudoUser: test-user
sudoRunAsGroup: ALL
objectClass: sudoRole
objectClass: top
sudoOption: !authenticate   <<<<<<<<<<<<<<<
sudoOption: !requiretty
sudoCommand: /bin/chmod *[]* /data/*[]*
sudoCommand: /bin/chown *[]* /data/*[]*
sudoCommand: /bin/mkdir /data/*
sudoCommand: /bin/rm -Rf /data/*[]*
sudoCommand: /usr/bin/systemctl restart goferd
sudoCommand: /bin/systemctl restart goferd
sudoCommand: /usr/bin/systemctl restart rsyslog
sudoCommand: /usr/bin/systemctl start rsyslog
sudoCommand: /usr/bin/systemctl stop rsyslog
sudoCommand: !/bin/chown *[]* /data/* *
sudoCommand: !/bin/chown *[]* /data/*..*
sudoCommand: !/bin/mkdir /data/* *
sudoCommand: !/bin/mkdir /data/*..*
sudoCommand: !/bin/rm -Rf /data/* *
sudoCommand: !/bin/rm -Rf /data/*..*
sudoCommand: !/bin/rm -Rf /data/backups
sudoCommand: !/bin/rm -Rf /data/log
sudoCommand: !/bin/rm -Rf /data/spool
sudoRunAsUser: ALL
sudoHost: ALL
cn: sudo-manipulate-application-directory


No password is required when issuing the following command as the test-user:
sudo /usr/bin/systemctl stop rsyslog

Same thing when using the terminal within the cockpit web interface.

However, the user is faced with an "Error Interactive authentication required" message when attempting to start/stop rsyslog via Services -> rsyslog.service in the cockpit web interface. Is this expected behavior?


Version-Release number of selected component (if applicable):
cockpit-ws-118-2.el7.x86_64
cockpit-shell-118-2.el7.noarch
cockpit-docker-118-2.el7.x86_64
cockpit-storaged-118-2.el7.noarch
cockpit-118-2.el7.x86_64
cockpit-bridge-118-2.el7.x86_64

How reproducible:


Steps to Reproduce:
1. Define the above sudo rules in IPA replica
2. Log onto an IPA client as the "test-user"; issuing "sudo /usr/bin/systemctl stop/start rsyslog" should all work
3. Now log onto cockpit installed on the IPA client as the "test-user" and attempt to start/stop rsyslog by browsing to Services -> rsyslog.service; you can see the error

Actual results:


Expected results:


Additional info:

Comment 3 Dominik Perpeet 2016-11-18 16:47:50 UTC
Cockpit doesn't use the command line interface to systemd, but the D-Bus API [1]. Therefore, adding sudo rules for systemctl commands won't affect Cockpit.

Please ensure the permissions for the user are set correctly.


[1] https://www.freedesktop.org/wiki/Software/systemd/dbus/
Note:
In contrast to most of the other services of the systemd suite PID 1 does not use PolicyKit for controlling access to privileged operations, but relies exclusively on the low-level D-Bus policy language. (This is done in order to avoid a cyclic dependency between PolicyKit and systemd/PID 1.) This means that sensitive operations exposed by PID 1 on the bus are generally not available to unprivileged processes directly. However some (such as shutdown/reboot/suspend) are made available via logind's interfaces.
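To make the point in Comment 3 concrete, the following added example (not from the bug report and not Cockpit's own code) models the two paths the reporter compared: sudo matching argv against the sudoCommand patterns, versus the StopUnit call Cockpit's bridge makes on org.freedesktop.systemd1.Manager, which is authorized by systemd's bus policy and never passes through sudo. The sudoers matcher is a simplified model (an assumption, not sudo's implementation), and the rule list is a constructed subset of the report's entries.

```python
"""Why a sudo rule for systemctl never reaches Cockpit's Services page.

Path 1: sudo /usr/bin/systemctl stop rsyslog  -> sudo compares the argv with
        each sudoCommand pattern and grants or denies.
Path 2: Cockpit "Stop" button                  -> the bridge calls
        org.freedesktop.systemd1.Manager.StopUnit on the system bus as the
        logged-in user; PID 1 decides with its D-Bus policy, sudo is not involved.
"""
from fnmatch import fnmatchcase

# Constructed subset of the sudoCommand entries from the bug report.
SUDO_COMMANDS = [
    "/usr/bin/systemctl restart rsyslog",
    "/usr/bin/systemctl start rsyslog",
    "/usr/bin/systemctl stop rsyslog",
    "/bin/mkdir /data/*",
    "!/bin/mkdir /data/* *",   # deny directory names containing a space
]


def sudo_permits(argv, commands=SUDO_COMMANDS):
    """Simplified model of sudoers command matching (assumption, not sudo code).

    The command line is matched as one space-joined string against each
    pattern with shell-style globbing; a leading '!' denies; a later entry
    overrides an earlier one; no match at all means deny.
    """
    cmdline = " ".join(argv)
    verdict = False
    for entry in commands:
        negated = entry.startswith("!")
        pattern = entry[1:] if negated else entry
        if fnmatchcase(cmdline, pattern):
            verdict = not negated
    return verdict


def cockpit_stop_request(unit):
    """The D-Bus request Cockpit issues instead of running systemctl.

    Returned as a busctl(1) argv so an admin can reproduce Cockpit's path by
    hand as the affected user. StopUnit takes (name, mode) -> signature "ss".
    Because no systemctl binary is executed, no sudoCommand can ever match it.
    """
    return ["busctl", "call", "org.freedesktop.systemd1",
            "/org/freedesktop/systemd1", "org.freedesktop.systemd1.Manager",
            "StopUnit", "ss", unit, "replace"]


if __name__ == "__main__":
    print("sudo path permitted:", sudo_permits(["/usr/bin/systemctl", "stop", "rsyslog"]))
    print("cockpit path, sudo consulted:", sudo_permits(cockpit_stop_request("rsyslog.service")))
```

Running the printed busctl command as test-user on the IPA client shows the bus policy decision directly, independent of any sudo rule.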

