forked from cockpit-project/cockpit-project.github.io
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathprivileges.html
More file actions
78 lines (78 loc) · 4.48 KB
/
privileges.html
File metadata and controls
78 lines (78 loc) · 4.48 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
---
layout: guide
---
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Privileges and Permissions</title>
<meta name="generator" content="DocBook XSL Stylesheets Vsnapshot">
<link rel="home" href="index.html" title="Cockpit Guide">
<link rel="up" href="guide.html" title="Part I. Deployment Guide">
<link rel="prev" href="cert-authentication.html" title="Certificate/smart card authentication">
<link rel="next" href="features.html" title="Part II. Feature Internals">
<link rel="stylesheet" href="style.css" type="text/css">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<table class="navigation" id="top" width="100%" summary="Navigation header" cellpadding="2" cellspacing="2"><tr valign="middle">
<td><a accesskey="p" href="cert-authentication.html"><img src="left.png" width="24" height="24" border="0" alt="Prev"></a></td>
<td><a accesskey="u" href="guide.html"><img src="up.png" width="24" height="24" border="0" alt="Up"></a></td>
<td><a accesskey="h" href="index.html"><img src="home.png" width="24" height="24" border="0" alt="Home"></a></td>
<th width="100%" align="center">Cockpit Guide</th>
<td><a accesskey="n" href="features.html"><img src="right.png" width="24" height="24" border="0" alt="Next"></a></td>
</tr></table>
<div class="chapter">
<div class="titlepage"><div><div><h2 class="title">
<a name="privileges"></a>Privileges and Permissions</h2></div></div></div>
<div class="toc"><dl class="toc"><dt><span class="section"><a href="privileges.html#privileges-polkit">Customizing Polkit Privileges</a></span></dt></dl></div>
<p>When a user is logged into Cockpit, they are logged into a normal session
that has exactly the same privileges as if they logged in via SSH or on
the console.</p>
<p>However, Cockpit will usually try to escalate the privileges
of the user using <a class="ulink" href="https://www.freedesktop.org/wiki/Software/polkit/" target="_top">Policy
Kit</a> or <a class="ulink" href="https://www.sudo.ws/" target="_top">sudo</a>. If
the user is able to escalate privileges from the command line by
typing in their password again (or without typing in any password),
then Cockpit will be able to escalate the privileges of the session
to "root" immediately upon login.</p>
<p>The user can change the privileges of a session from within
that session, via the "Administrative access" indicator in the top
bar. From that indicator, the user can drop "root" privileges and
regain them. On the next login, Cockpit will give the session the
same privileges.</p>
<p>Usually a user needs to be in the <code class="code">wheel</code> Unix user group for the
user to be able to escalate privileges in this way. However both Policy Kit and
sudo may be configured to use other criteria.</p>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="privileges-polkit"></a>Customizing Polkit Privileges</h2></div></div></div>
<p>Services like <a class="ulink" href="https://www.freedesktop.org/wiki/Software/systemd/" target="_top">systemd</a>
and <a class="ulink" href="https://wiki.gnome.org/Projects/NetworkManager" target="_top">NetworkManager</a> use
<a class="ulink" href="https://www.freedesktop.org/wiki/Software/polkit/" target="_top">Polkit</a> to
validate and escalate privileges. It is possible to customize these rules with files
in <code class="filename">/etc/polkit-1/rules.d</code>.</p>
<p>Polkit rules files are
<a class="ulink" href="https://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html" target="_top">javascript with specific methods and objects</a>. For example, placing the following polkit rule to
<code class="filename">/etc/polkit-1/rules.d/10-operators.rule</code> allows all users in the
<code class="code">operators</code> group to start, stop, restart and otherwise manage systemd services:</p>
<pre class="programlisting">
polkit.addRule(function(action, subject) {
if (action.id == "org.freedesktop.systemd1.manage-units") {
if (subject.isInGroup("operators")) {
return polkit.Result.YES;
}
}
});
</pre>
<p>In order to allow a certain group to perform any administrative action you could add
a rule like this:</p>
<pre class="programlisting">
polkit.addAdminRule(function(action, subject) {
return ["unix-group:operators"];
});
</pre>
</div>
</div>
<div class="footer"><hr></div>
</body>
</html>