RHEL / RHEL-140870

Cockpit privilege escalation with custom polkit rule for non-root user not working


    • Type: Story
    • Resolution: Unresolved
    • Priority: Minor
    • Versions: rhel-10.1, rhel-9.7
    • Component: cockpit
    • Severity: Low
    • Team: rhel-cockpit

      What were you trying to do that didn't work?

      Cockpit installed on RHEL 9.7 and RHEL 10.1 does not respect added polkit rules. We see that SSH connections do respect these rules, but Cockpit does not. It seems that this is more of an RFE, but a few documents suggest this should work.

      Below is the example rule added in polkit to allow operator users to manage timedate-related options in Cockpit:

      File: /etc/polkit-1/rules.d/99-custom.rules
      Content:

      /* Allow members of the 'operator' group to set NTP without a password */
      polkit.addRule(function(action, subject) {
          // Matches every action under org.freedesktop.timedate1.* (set-time,
          // set-timezone, set-local-rtc, set-ntp) for members of 'operator'.
          if (action.id.startsWith("org.freedesktop.timedate1.") &&
              subject.isInGroup("operator")) {
              return polkit.Result.YES;
          }
          // No return value: polkit falls through to later rules and then to
          // the defaults in the action's .policy file.
      });

      Here it was expected that the user would get access to change the date and time without sudo escalation in the Cockpit UI > Overview > Configuration > Date (it is normally not clickable for the operator user, and remains so even after adding the above polkit rule).


      The guide below also does not work for all kinds of administrative tasks for the operator user.

      https://cockpit-project.org/guide/latest/privileges.html#privileges-polkit

      The only time it works is when we run the user with sudo, which the customer does not want.


      The only way to perform any action is to have the user in the wheel group so that I can escalate to administrative access.

      Cockpit states that "When a user is logged into Cockpit, they are logged into a normal session that has exactly the same privileges as if they logged in via SSH or on the console.".

      What is the impact of this issue to you?

      This impacts our customers, since they would use the console with a smaller administrative footprint.

      Please provide the package NVR for which the bug is seen:

      cockpit-344-1.el10.x86_64

      cockpit-344-1.el9.x86_64

      How reproducible is this bug?:

      Always

      Steps to reproduce

      1. Create an operator user.
      2. Follow the steps mentioned here: https://cockpit-project.org/guide/latest/privileges.html#privileges-polkit
         or use the rule given in this Jira issue above.
      3. There is one issue in the above doc: the extension of polkit rule files should be ".rules", not ".rule".
      4. Restart polkit and Cockpit after the changes, log in as the operator user and confirm whether things work without switching to sudo access.

      Expected results

      The operator user should get administrative access.

      Actual results

      No changes are seen in Cockpit, but over SSH we have access for the mentioned rules.
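      The rule in this report can be exercised outside a running polkitd with the small harness below. It is an added example for this page, not polkit's, Cockpit's or the reporter's code: it models only the pieces of polkitd's rule API the rule uses (polkit.Result, polkit.addRule, subject.isInGroup, subject.local / subject.active) and polkitd's first-match evaluation of the files in /etc/polkit-1/rules.d, then runs the rule against constructed subjects. The AUTH_ADMIN fallback stands in for the timedated policy default and is an assumption; the real default is in /usr/share/polkit-1/actions/org.freedesktop.timedate1.policy on the host.

```javascript
// Offline harness for evaluating polkit JavaScript rules, written for this
// page; it is not polkit's, Cockpit's or the reporter's code. It models only
// the parts of polkitd's rule API that the rule in the report touches and the
// first-match semantics polkitd applies to rules from /etc/polkit-1/rules.d.
const polkit = {
  Result: {
    NO: "no", YES: "yes",
    AUTH_SELF: "auth_self", AUTH_SELF_KEEP: "auth_self_keep",
    AUTH_ADMIN: "auth_admin", AUTH_ADMIN_KEEP: "auth_admin_keep",
    NOT_HANDLED: "not_handled",
  },
  _rules: [],
  addRule(fn) { this._rules.push(fn); },
  // polkitd runs the rules in order and takes the first result that is not
  // undefined / NOT_HANDLED. If no rule decides, the default from the action's
  // .policy file applies; the caller passes that default as `fallback`.
  check(action, subject, fallback) {
    for (const rule of this._rules) {
      const r = rule(action, subject);
      if (r !== undefined && r !== this.Result.NOT_HANDLED) return r;
    }
    return fallback;
  },
};

// Constructed subject: polkit exposes the caller's groups via isInGroup(),
// plus whether the logind session sits on a local seat (`local`) and is the
// active one (`active`). A remote login (SSH, or a Cockpit session) has no
// seat, so `local` is false for it; rules that test subject.local never match.
function makeSubject(user, groups, { local = false, active = true } = {}) {
  return { user, local, active, isInGroup: (g) => groups.includes(g) };
}

// The rule from the report, unchanged apart from formatting.
polkit.addRule(function (action, subject) {
  if (action.id.startsWith("org.freedesktop.timedate1.") &&
      subject.isInGroup("operator")) {
    return polkit.Result.YES;
  }
});

// Decide `actionId` for `subject`. AUTH_ADMIN is an assumed stand-in for the
// default timedated's policy applies to callers no rule covers.
function decide(actionId, subject) {
  return polkit.check({ id: actionId }, subject, polkit.Result.AUTH_ADMIN);
}

// Constructed subjects mirroring the report: an 'operator' member logged in
// remotely, and an unrelated user.
const operator = makeSubject("operator1", ["operator"]);
const alice = makeSubject("alice", ["users"]);

const verdicts = {
  operatorSetTime:  decide("org.freedesktop.timedate1.set-time", operator),     // "yes"
  operatorSetNtp:   decide("org.freedesktop.timedate1.set-ntp", operator),      // "yes"
  aliceSetTime:     decide("org.freedesktop.timedate1.set-time", alice),        // "auth_admin"
  operatorHostname: decide("org.freedesktop.hostname1.set-hostname", operator), // "auth_admin"
};
console.log(verdicts);
```

      The same question can be put to the real polkitd from a shell running as the operator user, once over SSH and once in a Cockpit Terminal tab, with `pkcheck --action-id org.freedesktop.timedate1.set-ntp --process $$`: exit status 0 means polkit authorized the calling process, which separates a rule-loading problem (syntax errors are logged by polkitd, see `journalctl -u polkit`) from a Cockpit-side one.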

      People: RH Bugzilla Integration (jira-bugzilla-migration), Shreyas Mahangade (rhn-support-smahanga), Jan Scotka