RHEL-148440

[RFE] Capability to disable cockpit.spawn() to prevent arbitrary command execution


    • Story
    • Resolution: Unresolved
    • Normal
    • cockpit
    • rhel-cockpit

      Customer provided the following information in their case:

      We want the user of our system to only be able to run a very specific subset of commands (execute a strictly defined subset of actions). Since Cockpit does not provide access granularity, we expose features by means of D-Bus and control the user permissions at D-Bus level.

      In order to prevent arbitrary command execution, we use fapolicyd and only add specific exceptions for the cockpit core executables that are needed for Cockpit itself to run. The calls that are allowed for the user are exposed via D-Bus and executed via cockpit.dbus(). The user is unable to successfully execute arbitrary commands due to fapolicyd.

      However, it would be much nicer to be able to disallow the arbitrary command call completely, by preventing the user from spawning any direct commands with cockpit.spawn(). This could be made available in the form of a configuration parameter in cockpit.conf which would make the cockpit.spawn() API call unavailable. In such a case, tailoring and maintaining the fapolicyd rules to prevent arbitrary command calls would not be required.

      This feature request is filed with awareness that some features of Cockpit, like the password change, currently use cockpit.spawn() themselves.

      Describe the impact to you or the business
      Lack of this requested feature required us to maintain an additional workaround component (minor effort).

              afedorov@redhat.com Aleksandra Fedorova
              rhn-support-mcotton Micah Cotton
              RH Bugzilla Integration RH Bugzilla Integration
              Jan Scotka Jan Scotka