I faced a strange behavior with cockpit login and root privilege escalation but I can't say if it's a bug or not. I hope somebody can help me and shed some light on it!
**Steps to reproduce**

- installed centos 7 minimal and cockpit 183, realmd and deps
- joined AD (Windows Server 2012 R2) with realmd
- added "default_domain_suffix = adnethesis.it" to sssd.conf, because I'd like to log in without domain suffix
- I put "[email protected]" into the wheel group so it can become root with pkexec or sudo
- At cockpit login, set "Reuse my password for privileged tasks"

The sssd.conf man page states about "default_domain_suffix":

> The option allows those users to log in just with their user name without giving a domain name as well

Good, but the line below seems to contradict it:

> Please note that if this option is set all users from the primary domain have to use their fully qualified name, e.g. [email protected], to log in.

...I'm not sure my expectation is correct anymore (!)

**Expected behavior**

If I log in to cockpit as "davidep" I can become root with "pkexec bash".

**What happens instead**

The login as "davidep" succeeds but I cannot gain root privileges: pkexec fails. If I log in as "[email protected]" it works as expected.

**Additional information**

```
[root@vm9 ~]# id davidep
uid=1541401112([email protected]) gid=1541400513(domain [email protected]) groups=1541400513(domain [email protected] ),10(wheel),1541400512(domain [email protected]),1541401115( [email protected]),1541400572(ogg. non autoriz. a replica passw. in controller sola [email protected])
```

Full sssd.conf:

```
[root@vm9 ~]# cat /etc/sssd/sssd.conf
[sssd]
domains = adnethesis.it
config_file_version = 2
services = nss, pam
#davidep:
default_domain_suffix = adnethesis.it

[domain/adnethesis.it]
ad_domain = adnethesis.it
krb5_realm = ADNETHESIS.IT
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
```

If I log in as "davidep" it fails. journalctl -f:

```
Feb 26 09:24:56 vm9.adnethesis.it cockpit-session[3586]: pam_sss(cockpit:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost=192.168.122.1 user=davidep
Feb 26 09:24:57 vm9.adnethesis.it cockpit-session[3586]: pam_ssh_add: Failed adding some keys
Feb 26 09:24:57 vm9.adnethesis.it systemd[1]: Created slice User Slice of [email protected].
Feb 26 09:24:57 vm9.adnethesis.it cockpit-session[3586]: pam_unix(cockpit:session): session opened for user davidep by (uid=0)
Feb 26 09:24:57 vm9.adnethesis.it systemd[1]: Started Session 2 of user [email protected].
Feb 26 09:24:57 vm9.adnethesis.it systemd-logind[3049]: New session 2 of user [email protected].
Feb 26 09:24:57 vm9.adnethesis.it polkitd[2896]: Registered Authentication Agent for unix-session:2 (system bus name :1.35 [cockpit-bridge], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Feb 26 09:24:57 vm9.adnethesis.it cockpit-ws[3558]: logged in user session
Feb 26 09:24:57 vm9.adnethesis.it cockpit-ws[3558]: New connection to session from 192.168.122.1
Feb 26 09:24:58 vm9.adnethesis.it dbus[2891]: [system] Activating via systemd: service name='org.freedesktop.hostname1' unit='dbus-org.freedesktop.hostname1.service'
Feb 26 09:24:58 vm9.adnethesis.it systemd[1]: Starting Hostname Service...
Feb 26 09:24:58 vm9.adnethesis.it dbus[2891]: [system] Successfully activated service 'org.freedesktop.hostname1'
Feb 26 09:24:58 vm9.adnethesis.it systemd[1]: Started Hostname Service.
Feb 26 09:24:58 vm9.adnethesis.it dbus[2891]: [system] Activating via systemd: service name='org.freedesktop.timedate1' unit='dbus-org.freedesktop.timedate1.service'
Feb 26 09:24:58 vm9.adnethesis.it dbus[2891]: [system] Activating via systemd: service name='org.freedesktop.realmd' unit='realmd.service'
Feb 26 09:24:58 vm9.adnethesis.it systemd[1]: Starting Realm and Domain Configuration...
Feb 26 09:24:58 vm9.adnethesis.it systemd[1]: Starting Time & Date Service...
Feb 26 09:24:58 vm9.adnethesis.it realmd[3614]: Loaded settings from: /usr/lib64/realmd/realmd-defaults.conf /usr/lib64/realmd/realmd-distro.conf
Feb 26 09:24:58 vm9.adnethesis.it realmd[3614]: holding daemon: startup
Feb 26 09:24:58 vm9.adnethesis.it realmd[3614]: starting service
Feb 26 09:24:58 vm9.adnethesis.it dbus[2891]: [system] Successfully activated service 'org.freedesktop.timedate1'
Feb 26 09:24:58 vm9.adnethesis.it systemd[1]: Started Time & Date Service.
Feb 26 09:24:58 vm9.adnethesis.it realmd[3614]: connected to bus
Feb 26 09:24:58 vm9.adnethesis.it realmd[3614]: released daemon: startup
Feb 26 09:24:58 vm9.adnethesis.it dbus[2891]: [system] Successfully activated service 'org.freedesktop.realmd'
Feb 26 09:24:58 vm9.adnethesis.it systemd[1]: Started Realm and Domain Configuration.
Feb 26 09:24:58 vm9.adnethesis.it realmd[3614]: claimed name on bus: org.freedesktop.realmd
Feb 26 09:24:58 vm9.adnethesis.it realmd[3614]: client using service: :1.38
Feb 26 09:24:58 vm9.adnethesis.it realmd[3614]: holding daemon: :1.38
Feb 26 09:24:58 vm9.adnethesis.it polkit-agent-helper-1[3619]: pam_sss(polkit-1:auth): authentication failure; logname= uid=1541401112 euid=0 tty= [email protected] rhost= [email protected]
Feb 26 09:24:58 vm9.adnethesis.it polkit-agent-helper-1[3619]: pam_sss(polkit-1:auth): received for user [email protected]: 7 (Authentication failure)
Feb 26 09:25:01 vm9.adnethesis.it cockpit-bridge[3591]: polkit-agent-helper-1: pam_authenticate failed: Authentication failure
Feb 26 09:25:01 vm9.adnethesis.it polkitd[2896]: Operator of unix-session:2 FAILED to authenticate to gain authorization for action org.freedesktop.policykit.exec for unix-process:3591:9221 [cockpit-bridge] (owned by unix-user:[email protected])
Feb 26 09:25:01 vm9.adnethesis.it cockpit-bridge[3591]: Error executing command as another user: Not authorized
Feb 26 09:25:01 vm9.adnethesis.it cockpit-bridge[3591]: This incident has been reported.
Feb 26 09:25:01 vm9.adnethesis.it pkexec[3608]: [email protected]: Error executing command as another user: Not authorized [USER=root] [TTY=unknown] [CWD=/run/user/1541401112] [COMMAND=/usr/bin/cockpit-bridge --privileged]
Feb 26 09:25:01 vm9.adnethesis.it sudo[3620]: pam_sss(sudo:auth): authentication failure; [email protected] uid=1541401112 euid=0 tty= [email protected] rhost= [email protected]
Feb 26 09:25:01 vm9.adnethesis.it sudo[3620]: pam_sss(sudo:auth): received for user [email protected]: 7 (Authentication failure)
Feb 26 09:25:03 vm9.adnethesis.it cockpit-bridge[3591]: Sorry, try again.
Feb 26 09:25:03 vm9.adnethesis.it sudo[3620]: pam_sss(sudo:auth): authentication failure; [email protected] uid=1541401112 euid=0 tty= [email protected] rhost= [email protected]
Feb 26 09:25:03 vm9.adnethesis.it sudo[3620]: pam_sss(sudo:auth): received for user [email protected]: 7 (Authentication failure)
Feb 26 09:25:05 vm9.adnethesis.it cockpit-bridge[3591]: Sorry, try again.
Feb 26 09:25:05 vm9.adnethesis.it sudo[3620]: pam_sss(sudo:auth): authentication failure; [email protected] uid=1541401112 euid=0 tty= [email protected] rhost= [email protected]
Feb 26 09:25:05 vm9.adnethesis.it sudo[3620]: pam_sss(sudo:auth): received for user [email protected]: 7 (Authentication failure)
Feb 26 09:25:07 vm9.adnethesis.it sudo[3620]: [email protected] : 3 incorrect password attempts ; TTY=unknown ; PWD=/run/user/1541401112 ; USER=root ; COMMAND=/bin/cockpit-bridge --privileged
Feb 26 09:25:07 vm9.adnethesis.it cockpit-bridge[3591]: sudo: 3 incorrect password attempts
Feb 26 09:25:25 vm9.adnethesis.it cockpit-ws[3558]: cockpit-session: session timed out during authentication
Feb 26 09:25:25 vm9.adnethesis.it cockpit-ws[3558]: cockpit-session: didn't receive expected "authorize" message
Feb 26 09:25:25 vm9.adnethesis.it cockpit-ws[3558]: cockpit-session: authentication timed out
Feb 26 09:25:25 vm9.adnethesis.it cockpit-ws[3558]: ignoring failure from session process: Authentication failed: Timeout
```

If I go to Cockpit Terminal and try to become root:

```
[[email protected]@vm9 ~]$ pkexec bash
Error executing command as another user: Not authorized
This incident has been reported.
[[email protected]@vm9 ~]$
```

But if I log in as "[email protected]" it succeeds. journalctl -f:

```
Feb 26 09:56:15 vm9.adnethesis.it systemd[1]: Starting Cockpit Web Service...
Feb 26 09:56:15 vm9.adnethesis.it systemd[1]: Started Cockpit Web Service.
Feb 26 09:56:15 vm9.adnethesis.it cockpit-ws[5263]: Using certificate: /etc/cockpit/ws-certs.d/0-self-signed.cert
Feb 26 09:56:15 vm9.adnethesis.it cockpit-session[5267]: pam_sss(cockpit:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost=192.168.122.1 [email protected]
Feb 26 09:56:15 vm9.adnethesis.it cockpit-session[5267]: pam_ssh_add: Failed adding some keys
Feb 26 09:56:15 vm9.adnethesis.it systemd[1]: Created slice User Slice of [email protected].
Feb 26 09:56:15 vm9.adnethesis.it systemd[1]: Started Session 3 of user [email protected].
Feb 26 09:56:15 vm9.adnethesis.it cockpit-session[5267]: pam_unix(cockpit:session): session opened for user [email protected] by (uid=0)
Feb 26 09:56:15 vm9.adnethesis.it systemd-logind[3049]: New session 3 of user [email protected].
Feb 26 09:56:16 vm9.adnethesis.it polkitd[2896]: Registered Authentication Agent for unix-session:3 (system bus name :1.45 [cockpit-bridge], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Feb 26 09:56:16 vm9.adnethesis.it cockpit-ws[5263]: logged in user session
Feb 26 09:56:16 vm9.adnethesis.it cockpit-ws[5263]: New connection to session from 192.168.122.1
Feb 26 09:56:16 vm9.adnethesis.it dbus[2891]: [system] Activating via systemd: service name='org.freedesktop.hostname1' unit='dbus-org.freedesktop.hostname1.service'
Feb 26 09:56:16 vm9.adnethesis.it systemd[1]: Starting Hostname Service...
Feb 26 09:56:16 vm9.adnethesis.it dbus[2891]: [system] Successfully activated service 'org.freedesktop.hostname1'
Feb 26 09:56:16 vm9.adnethesis.it systemd[1]: Started Hostname Service.
Feb 26 09:56:16 vm9.adnethesis.it dbus[2891]: [system] Activating via systemd: service name='org.freedesktop.timedate1' unit='dbus-org.freedesktop.timedate1.service'
Feb 26 09:56:16 vm9.adnethesis.it dbus[2891]: [system] Activating via systemd: service name='org.freedesktop.realmd' unit='realmd.service'
Feb 26 09:56:16 vm9.adnethesis.it systemd[1]: Starting Realm and Domain Configuration...
Feb 26 09:56:16 vm9.adnethesis.it systemd[1]: Starting Time & Date Service...
Feb 26 09:56:16 vm9.adnethesis.it realmd[5295]: Loaded settings from: /usr/lib64/realmd/realmd-defaults.conf /usr/lib64/realmd/realmd-distro.conf
Feb 26 09:56:16 vm9.adnethesis.it realmd[5295]: holding daemon: startup
Feb 26 09:56:16 vm9.adnethesis.it realmd[5295]: starting service
Feb 26 09:56:16 vm9.adnethesis.it dbus[2891]: [system] Successfully activated service 'org.freedesktop.timedate1'
Feb 26 09:56:16 vm9.adnethesis.it systemd[1]: Started Time & Date Service.
Feb 26 09:56:16 vm9.adnethesis.it realmd[5295]: connected to bus
Feb 26 09:56:16 vm9.adnethesis.it realmd[5295]: released daemon: startup
Feb 26 09:56:16 vm9.adnethesis.it dbus[2891]: [system] Successfully activated service 'org.freedesktop.realmd'
Feb 26 09:56:16 vm9.adnethesis.it systemd[1]: Started Realm and Domain Configuration.
Feb 26 09:56:16 vm9.adnethesis.it realmd[5295]: claimed name on bus: org.freedesktop.realmd
Feb 26 09:56:16 vm9.adnethesis.it realmd[5295]: client using service: :1.48
Feb 26 09:56:16 vm9.adnethesis.it realmd[5295]: holding daemon: :1.48
Feb 26 09:56:17 vm9.adnethesis.it polkit-agent-helper-1[5294]: pam_sss(polkit-1:auth): authentication success; logname= uid=1541401112 euid=0 tty= [email protected] rhost= [email protected]
Feb 26 09:56:17 vm9.adnethesis.it polkitd[2896]: Operator of unix-session:3 successfully authenticated as unix-user:[email protected] to gain ONE-SHOT authorization for action org.freedesktop.policykit.exec for unix-process:5272:197102 [cockpit-bridge] (owned by unix-user: [email protected])
Feb 26 09:56:17 vm9.adnethesis.it pkexec[5288]: pam_unix(polkit-1:session): session opened for user root by (uid=1541401112)
Feb 26 09:56:17 vm9.adnethesis.it pkexec[5288]: [email protected]: Executing command [USER=root] [TTY=unknown] [CWD=/run/user/1541401112] [COMMAND=/usr/bin/cockpit-bridge --privileged]
```

**Ending note**

A similar error occurs if "default_domain_suffix" is not set and "use_fully_qualified_names = False".

--
Davide Principi

_______________________________________________
cockpit-devel mailing list -- [email protected]
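An added example, not code from the post above or from the Cockpit or SSSD projects, showing how the pattern in these journals can be picked out automatically: a cockpit login that succeeded with an unqualified name, followed by polkit/sudo failures for the qualified form of the same account. The sample lines are constructed after the pam_sss entries quoted above; the host name, PIDs and the domain "ad.example" are placeholders.

```python
import re

# Constructed sample journal lines, modelled on the pam_sss entries in the report
# above; the host, PIDs and the domain "ad.example" are placeholders, not the
# values from the original post.
SAMPLE_JOURNAL = """\
Feb 26 09:24:56 vm9 cockpit-session[3586]: pam_sss(cockpit:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost=192.168.122.1 user=davidep
Feb 26 09:24:58 vm9 polkit-agent-helper-1[3619]: pam_sss(polkit-1:auth): authentication failure; logname= uid=1541401112 euid=0 tty= ruser=davidep@ad.example rhost= user=davidep@ad.example
Feb 26 09:25:01 vm9 sudo[3620]: pam_sss(sudo:auth): authentication failure; logname=davidep@ad.example uid=1541401112 euid=0 tty= ruser=davidep@ad.example rhost= user=davidep@ad.example
Feb 26 09:56:15 vm9 cockpit-session[5267]: pam_sss(cockpit:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost=192.168.122.1 user=davidep@ad.example
Feb 26 09:56:17 vm9 polkit-agent-helper-1[5294]: pam_sss(polkit-1:auth): authentication success; logname= uid=1541401112 euid=0 tty= ruser=davidep@ad.example rhost= user=davidep@ad.example
"""

# PAM service, auth result and the final "user=" field of a pam_sss journal line
# ("\buser=" deliberately does not match the "ruser=" field).
PAM_SSS_RE = re.compile(
    r"pam_sss\((?P<service>[^:]+):auth\): authentication (?P<result>success|failure);"
    r".*\buser=(?P<user>\S+)"
)

PRIVILEGED_SERVICES = ("polkit-1", "sudo")


def parse_pam_sss(journal):
    """Yield (service, result, user) for every pam_sss auth line."""
    for line in journal.splitlines():
        m = PAM_SSS_RE.search(line)
        if m:
            yield m.group("service"), m.group("result"), m.group("user")


def session_windows(journal):
    """Start a window at each successful cockpit login and attach the polkit/sudo
    failures that follow it. Records: login name, whether it carried a domain
    suffix, and the (service, user) pairs that failed inside that window."""
    windows = []
    for service, result, user in parse_pam_sss(journal):
        if service == "cockpit" and result == "success":
            windows.append({"login_user": user, "qualified": "@" in user, "failed": []})
        elif windows and service in PRIVILEGED_SERVICES and result == "failure":
            windows[-1]["failed"].append((service, user))
    return windows


def unqualified_logins_with_failed_escalation(journal):
    """Logins made with a bare user name whose privileged auth then failed for the
    qualified form of the same account (the situation described in the report)."""
    return [w["login_user"] for w in session_windows(journal)
            if not w["qualified"]
            and any(u.split("@", 1)[0] == w["login_user"] for _, u in w["failed"])]


if __name__ == "__main__":
    for window in session_windows(SAMPLE_JOURNAL):
        print(window)
    print("suspect logins:", unqualified_logins_with_failed_escalation(SAMPLE_JOURNAL))
```

On a real host, feed it the output of `journalctl -o short` instead of the constructed sample; the sequencing by cockpit login is a heuristic, since pam_sss lines carry no session id.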
