cockpit: fix sudo login (#398885)

thiagokokada · web-flow · commit 36e3893392b1 · 2025-04-15T18:01:30.000+01:00
diff --git a/nixos/modules/services/monitoring/cockpit.nix b/nixos/modules/services/monitoring/cockpit.nix
@@ -12,7 +12,6 @@ let
     mkEnableOption
     mkOption
     mkIf
-    literalMD
     mkPackageOption
     ;
   settingsFormat = pkgs.formats.ini { };
@@ -26,6 +25,18 @@ in
         default = [ "cockpit" ];
       };
 
+      allowed-origins = lib.mkOption {
+        type = types.listOf types.str;
+
+        default = [ ];
+
+        description = ''
+          List of allowed origins.
+
+          Maps to the WebService.Origins setting and allows merging from multiple modules.
+        '';
+      };
+
       settings = lib.mkOption {
         type = settingsFormat.type;
 
@@ -62,14 +73,16 @@ in
     # generate cockpit settings
     environment.etc."cockpit/cockpit.conf".source = settingsFormat.generate "cockpit.conf" cfg.settings;
 
-    security.pam.services.cockpit = { };
+    security.pam.services.cockpit = {
+      startSession = true;
+    };
 
     networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.port ];
 
     systemd.packages = [ cfg.package ];
     systemd.sockets.cockpit.wantedBy = [ "multi-user.target" ];
     systemd.sockets.cockpit.listenStreams = [
-      ""
+      "" # workaround so it doesn't listen on both ports caused by the runtime merging
       (toString cfg.port)
     ];
 
@@ -80,6 +93,13 @@ in
       "L+ /run/cockpit/motd - - - - inactive.motd"
       "d /etc/cockpit/ws-certs.d 0600 root root 0"
     ];
+
+    services.cockpit.allowed-origins = [
+      "https://localhost:${toString config.services.cockpit.port}"
+    ];
+
+    services.cockpit.settings.WebService.Origins =
+      builtins.concatStringsSep " " config.services.cockpit.allowed-origins;
   };
 
   meta.maintainers = pkgs.cockpit.meta.maintainers;
diff --git a/nixos/tests/cockpit.nix b/nixos/tests/cockpit.nix
@@ -23,11 +23,9 @@ import ./make-test-python.nix (
             enable = true;
             port = 7890;
             openFirewall = true;
-            settings = {
-              WebService = {
-                Origins = "https://server:7890";
-              };
-            };
+            allowed-origins = [
+              "https://server:${toString config.services.cockpit.port}"
+            ];
           };
         };
       client =
@@ -123,10 +121,14 @@ import ./make-test-python.nix (
                     assert "Web console is running in limited access mode" in driver.page_source
 
                     log("Clicking the sudo button")
+                    for button in driver.find_elements(By.TAG_NAME, "button"):
+                        if 'admin' in button.text:
+                            button.click()
                     driver.switch_to.default_content()
-                    driver.find_element(By.CSS_SELECTOR, 'button.ct-locked').click()
+
                     log("Checking that /nonexistent is not a thing")
                     assert '/nonexistent' not in driver.page_source
+                    assert len(driver.find_elements(By.CSS_SELECTOR, '#machine-reconnect')) == 0
 
                     driver.close()
                   '';
diff --git a/pkgs/by-name/co/cockpit/package.nix b/pkgs/by-name/co/cockpit/package.nix
@@ -14,7 +14,9 @@
   git,
   glib,
   glib-networking,
+  gnused,
   gnutls,
+  iproute2,
   json-glib,
   krb5,
   libssh,
@@ -33,6 +35,7 @@
   systemd,
   udev,
   xmlto,
+  which,
 }:
 
 stdenv.mkDerivation (finalAttrs: {
@@ -63,6 +66,7 @@ stdenv.mkDerivation (finalAttrs: {
     python3Packages.setuptools
     systemd
     xmlto
+    which
   ];
 
   buildInputs = [
@@ -93,6 +97,9 @@ stdenv.mkDerivation (finalAttrs: {
     substituteInPlace src/common/cockpitconf.c \
       --replace-fail 'const char *cockpit_config_dirs[] = { PACKAGE_SYSCONF_DIR' 'const char *cockpit_config_dirs[] = { "/etc"'
 
+    substituteInPlace src/**/*.c \
+      --replace '"/bin/sh"' "\"$(which sh)\""
+
     # instruct users with problems to create a nixpkgs issue instead of nagging upstream directly
     substituteInPlace configure.ac \
       --replace-fail 'devel@lists.cockpit-project.org' 'https://github.com/NixOS/nixpkgs/issues/new?assignees=&labels=0.kind%3A+bug&template=bug_report.md&title=cockpit%25'
@@ -165,8 +172,21 @@ stdenv.mkDerivation (finalAttrs: {
       } \
       --run 'cd $(mktemp -d)'
 
-    wrapProgram $out/bin/cockpit-bridge \
-      --prefix PYTHONPATH : $out/${python3Packages.python.sitePackages}
+    for binary in $out/bin/cockpit-bridge $out/libexec/cockpit-askpass; do
+      chmod +x $binary
+      wrapProgram $binary \
+        --prefix PYTHONPATH : $out/${python3Packages.python.sitePackages}
+    done
+
+    patchShebangs $out/share/cockpit/issue/update-issue
+    wrapProgram $out/share/cockpit/issue/update-issue \
+      --prefix PATH : ${
+        lib.makeBinPath [
+          iproute2
+          gnused
+        ]
+      }
+
 
     substituteInPlace $out/${python3Packages.python.sitePackages}/cockpit/_vendor/systemd_ctypes/libsystemd.py \
       --replace-warn libsystemd.so.0 ${systemd}/lib/libsystemd.so.0
