I faced a strange behavior with cockpit login and root privilege escalation
but I can't say if it's a bug or not. I hope somebody can help me and shed some light on it!
**Steps to reproduce**
- Installed CentOS 7 minimal and Cockpit 183, realmd and deps
- Joined AD (Windows Server 2012 R2) with realmd
- Added "default_domain_suffix = adnethesis.it" to sssd.conf, because I'd like to log in without the domain suffix
- I put "davidep@dpnet.nethesis.it" into the wheel group so it can become root with pkexec or sudo
- At Cockpit login, set "Reuse my password for privileged tasks"
The sssd.conf man page states about "default_domain_suffix":
> The option allows those users to log in just with their user name without giving a domain name as well
Good, but the line below seems to contradict it:
> Please note that if this option is set all users from the primary domain have to use their fully qualified name, e.g. user@domain.name, to log in.
...I'm not sure my expectation is correct anymore (!)
**Expected behavior**
If I log in to Cockpit as "davidep" I can become root with "pkexec bash".
**What happens instead**
The login as "davidep" succeeds but I cannot gain root privileges: pkexec fails.
If I log in as "davidep@adnethesis.it" it works as expected.
**Additional information**
```
[root@vm9 ~]# id davidep
uid=1541401112(davidep@adnethesis.it) gid=1541400513(domain users@adnethesis.it) groups=1541400513(domain users@adnethesis.it),10(wheel),1541400512(domain admins@adnethesis.it),1541401115(sviluppo@adnethesis.it),1541400572(ogg. non autoriz. a replica passw. in controller sola lettura@adnethesis.it)
```
Full sssd.conf:
```
[root@vm9 ~]# cat /etc/sssd/sssd.conf
[sssd]
domains = adnethesis.it
config_file_version = 2
services = nss, pam
#davidep:
default_domain_suffix = adnethesis.it

[domain/adnethesis.it]
ad_domain = adnethesis.it
krb5_realm = ADNETHESIS.IT
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
```
If I log in as "davidep" it fails. journalctl -f:
```
Feb 26 09:24:56 vm9.adnethesis.it cockpit-session[3586]: pam_sss(cockpit:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost=192.168.122.1 user=davidep
Feb 26 09:24:57 vm9.adnethesis.it cockpit-session[3586]: pam_ssh_add: Failed adding some keys
Feb 26 09:24:57 vm9.adnethesis.it systemd[1]: Created slice User Slice of davidep@adnethesis.it.
Feb 26 09:24:57 vm9.adnethesis.it cockpit-session[3586]: pam_unix(cockpit:session): session opened for user davidep by (uid=0)
Feb 26 09:24:57 vm9.adnethesis.it systemd[1]: Started Session 2 of user davidep@adnethesis.it.
Feb 26 09:24:57 vm9.adnethesis.it systemd-logind[3049]: New session 2 of user davidep@adnethesis.it.
Feb 26 09:24:57 vm9.adnethesis.it polkitd[2896]: Registered Authentication Agent for unix-session:2 (system bus name :1.35 [cockpit-bridge], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Feb 26 09:24:57 vm9.adnethesis.it cockpit-ws[3558]: logged in user session
Feb 26 09:24:57 vm9.adnethesis.it cockpit-ws[3558]: New connection to session from 192.168.122.1
Feb 26 09:24:58 vm9.adnethesis.it dbus[2891]: [system] Activating via systemd: service name='org.freedesktop.hostname1' unit='dbus-org.freedesktop.hostname1.service'
Feb 26 09:24:58 vm9.adnethesis.it systemd[1]: Starting Hostname Service...
Feb 26 09:24:58 vm9.adnethesis.it dbus[2891]: [system] Successfully activated service 'org.freedesktop.hostname1'
Feb 26 09:24:58 vm9.adnethesis.it systemd[1]: Started Hostname Service.
Feb 26 09:24:58 vm9.adnethesis.it dbus[2891]: [system] Activating via systemd: service name='org.freedesktop.timedate1' unit='dbus-org.freedesktop.timedate1.service'
Feb 26 09:24:58 vm9.adnethesis.it dbus[2891]: [system] Activating via systemd: service name='org.freedesktop.realmd' unit='realmd.service'
Feb 26 09:24:58 vm9.adnethesis.it systemd[1]: Starting Realm and Domain Configuration...
Feb 26 09:24:58 vm9.adnethesis.it systemd[1]: Starting Time & Date Service...
Feb 26 09:24:58 vm9.adnethesis.it realmd[3614]: Loaded settings from: /usr/lib64/realmd/realmd-defaults.conf /usr/lib64/realmd/realmd-distro.conf
Feb 26 09:24:58 vm9.adnethesis.it realmd[3614]: holding daemon: startup
Feb 26 09:24:58 vm9.adnethesis.it realmd[3614]: starting service
Feb 26 09:24:58 vm9.adnethesis.it dbus[2891]: [system] Successfully activated service 'org.freedesktop.timedate1'
Feb 26 09:24:58 vm9.adnethesis.it systemd[1]: Started Time & Date Service.
Feb 26 09:24:58 vm9.adnethesis.it realmd[3614]: connected to bus
Feb 26 09:24:58 vm9.adnethesis.it realmd[3614]: released daemon: startup
Feb 26 09:24:58 vm9.adnethesis.it dbus[2891]: [system] Successfully activated service 'org.freedesktop.realmd'
Feb 26 09:24:58 vm9.adnethesis.it systemd[1]: Started Realm and Domain Configuration.
Feb 26 09:24:58 vm9.adnethesis.it realmd[3614]: claimed name on bus: org.freedesktop.realmd
Feb 26 09:24:58 vm9.adnethesis.it realmd[3614]: client using service: :1.38
Feb 26 09:24:58 vm9.adnethesis.it realmd[3614]: holding daemon: :1.38
Feb 26 09:24:58 vm9.adnethesis.it polkit-agent-helper-1[3619]: pam_sss(polkit-1:auth): authentication failure; logname= uid=1541401112 euid=0 tty= ruser=davidep@adnethesis.it rhost= user=davidep@adnethesis.it
Feb 26 09:24:58 vm9.adnethesis.it polkit-agent-helper-1[3619]: pam_sss(polkit-1:auth): received for user davidep@adnethesis.it: 7 (Authentication failure)
Feb 26 09:25:01 vm9.adnethesis.it cockpit-bridge[3591]: polkit-agent-helper-1: pam_authenticate failed: Authentication failure
Feb 26 09:25:01 vm9.adnethesis.it polkitd[2896]: Operator of unix-session:2 FAILED to authenticate to gain authorization for action org.freedesktop.policykit.exec for unix-process:3591:9221 [cockpit-bridge] (owned by unix-user:davidep@adnethesis.it)
Feb 26 09:25:01 vm9.adnethesis.it cockpit-bridge[3591]: Error executing command as another user: Not authorized
Feb 26 09:25:01 vm9.adnethesis.it cockpit-bridge[3591]: This incident has been reported.
Feb 26 09:25:01 vm9.adnethesis.it pkexec[3608]: davidep@adnethesis.it: Error executing command as another user: Not authorized [USER=root] [TTY=unknown] [CWD=/run/user/1541401112] [COMMAND=/usr/bin/cockpit-bridge --privileged]
Feb 26 09:25:01 vm9.adnethesis.it sudo[3620]: pam_sss(sudo:auth): authentication failure; logname=davidep@adnethesis.it uid=1541401112 euid=0 tty= ruser=davidep@adnethesis.it rhost= user=davidep@adnethesis.it
Feb 26 09:25:01 vm9.adnethesis.it sudo[3620]: pam_sss(sudo:auth): received for user davidep@adnethesis.it: 7 (Authentication failure)
Feb 26 09:25:03 vm9.adnethesis.it cockpit-bridge[3591]: Sorry, try again.
Feb 26 09:25:03 vm9.adnethesis.it sudo[3620]: pam_sss(sudo:auth): authentication failure; logname=davidep@adnethesis.it uid=1541401112 euid=0 tty= ruser=davidep@adnethesis.it rhost= user=davidep@adnethesis.it
Feb 26 09:25:03 vm9.adnethesis.it sudo[3620]: pam_sss(sudo:auth): received for user davidep@adnethesis.it: 7 (Authentication failure)
Feb 26 09:25:05 vm9.adnethesis.it cockpit-bridge[3591]: Sorry, try again.
Feb 26 09:25:05 vm9.adnethesis.it sudo[3620]: pam_sss(sudo:auth): authentication failure; logname=davidep@adnethesis.it uid=1541401112 euid=0 tty= ruser=davidep@adnethesis.it rhost= user=davidep@adnethesis.it
Feb 26 09:25:05 vm9.adnethesis.it sudo[3620]: pam_sss(sudo:auth): received for user davidep@adnethesis.it: 7 (Authentication failure)
Feb 26 09:25:07 vm9.adnethesis.it sudo[3620]: davidep@adnethesis.it : 3 incorrect password attempts ; TTY=unknown ; PWD=/run/user/1541401112 ; USER=root ; COMMAND=/bin/cockpit-bridge --privileged
Feb 26 09:25:07 vm9.adnethesis.it cockpit-bridge[3591]: sudo: 3 incorrect password attempts
Feb 26 09:25:25 vm9.adnethesis.it cockpit-ws[3558]: cockpit-session: session timed out during authentication
Feb 26 09:25:25 vm9.adnethesis.it cockpit-ws[3558]: cockpit-session: didn't receive expected "authorize" message
Feb 26 09:25:25 vm9.adnethesis.it cockpit-ws[3558]: cockpit-session: authentication timed out
Feb 26 09:25:25 vm9.adnethesis.it cockpit-ws[3558]: ignoring failure from session process: Authentication failed: Timeout
```
If I go to the Cockpit Terminal and try to become root:
```
[davidep@adnethesis.it@vm9 ~]$ pkexec bash
Error executing command as another user: Not authorized
This incident has been reported.
[davidep@adnethesis.it@vm9 ~]$
```
But if I log in as "davidep@adnethesis.it" it succeeds. journalctl -f:
```
Feb 26 09:56:15 vm9.adnethesis.it systemd[1]: Starting Cockpit Web Service...
Feb 26 09:56:15 vm9.adnethesis.it systemd[1]: Started Cockpit Web Service.
Feb 26 09:56:15 vm9.adnethesis.it cockpit-ws[5263]: Using certificate: /etc/cockpit/ws-certs.d/0-self-signed.cert
Feb 26 09:56:15 vm9.adnethesis.it cockpit-session[5267]: pam_sss(cockpit:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost=192.168.122.1 user=davidep@adnethesis.it
Feb 26 09:56:15 vm9.adnethesis.it cockpit-session[5267]: pam_ssh_add: Failed adding some keys
Feb 26 09:56:15 vm9.adnethesis.it systemd[1]: Created slice User Slice of davidep@adnethesis.it.
Feb 26 09:56:15 vm9.adnethesis.it systemd[1]: Started Session 3 of user davidep@adnethesis.it.
Feb 26 09:56:15 vm9.adnethesis.it cockpit-session[5267]: pam_unix(cockpit:session): session opened for user davidep@adnethesis.it by (uid=0)
Feb 26 09:56:15 vm9.adnethesis.it systemd-logind[3049]: New session 3 of user davidep@adnethesis.it.
Feb 26 09:56:16 vm9.adnethesis.it polkitd[2896]: Registered Authentication Agent for unix-session:3 (system bus name :1.45 [cockpit-bridge], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Feb 26 09:56:16 vm9.adnethesis.it cockpit-ws[5263]: logged in user session
Feb 26 09:56:16 vm9.adnethesis.it cockpit-ws[5263]: New connection to session from 192.168.122.1
Feb 26 09:56:16 vm9.adnethesis.it dbus[2891]: [system] Activating via systemd: service name='org.freedesktop.hostname1' unit='dbus-org.freedesktop.hostname1.service'
Feb 26 09:56:16 vm9.adnethesis.it systemd[1]: Starting Hostname Service...
Feb 26 09:56:16 vm9.adnethesis.it dbus[2891]: [system] Successfully activated service 'org.freedesktop.hostname1'
Feb 26 09:56:16 vm9.adnethesis.it systemd[1]: Started Hostname Service.
Feb 26 09:56:16 vm9.adnethesis.it dbus[2891]: [system] Activating via systemd: service name='org.freedesktop.timedate1' unit='dbus-org.freedesktop.timedate1.service'
Feb 26 09:56:16 vm9.adnethesis.it dbus[2891]: [system] Activating via systemd: service name='org.freedesktop.realmd' unit='realmd.service'
Feb 26 09:56:16 vm9.adnethesis.it systemd[1]: Starting Realm and Domain Configuration...
Feb 26 09:56:16 vm9.adnethesis.it systemd[1]: Starting Time & Date Service...
Feb 26 09:56:16 vm9.adnethesis.it realmd[5295]: Loaded settings from: /usr/lib64/realmd/realmd-defaults.conf /usr/lib64/realmd/realmd-distro.conf
Feb 26 09:56:16 vm9.adnethesis.it realmd[5295]: holding daemon: startup
Feb 26 09:56:16 vm9.adnethesis.it realmd[5295]: starting service
Feb 26 09:56:16 vm9.adnethesis.it dbus[2891]: [system] Successfully activated service 'org.freedesktop.timedate1'
Feb 26 09:56:16 vm9.adnethesis.it systemd[1]: Started Time & Date Service.
Feb 26 09:56:16 vm9.adnethesis.it realmd[5295]: connected to bus
Feb 26 09:56:16 vm9.adnethesis.it realmd[5295]: released daemon: startup
Feb 26 09:56:16 vm9.adnethesis.it dbus[2891]: [system] Successfully activated service 'org.freedesktop.realmd'
Feb 26 09:56:16 vm9.adnethesis.it systemd[1]: Started Realm and Domain Configuration.
Feb 26 09:56:16 vm9.adnethesis.it realmd[5295]: claimed name on bus: org.freedesktop.realmd
Feb 26 09:56:16 vm9.adnethesis.it realmd[5295]: client using service: :1.48
Feb 26 09:56:16 vm9.adnethesis.it realmd[5295]: holding daemon: :1.48
Feb 26 09:56:17 vm9.adnethesis.it polkit-agent-helper-1[5294]: pam_sss(polkit-1:auth): authentication success; logname= uid=1541401112 euid=0 tty= ruser=davidep@adnethesis.it rhost= user=davidep@adnethesis.it
Feb 26 09:56:17 vm9.adnethesis.it polkitd[2896]: Operator of unix-session:3 successfully authenticated as unix-user:davidep@adnethesis.it to gain ONE-SHOT authorization for action org.freedesktop.policykit.exec for unix-process:5272:197102 [cockpit-bridge] (owned by unix-user:davidep@adnethesis.it)
Feb 26 09:56:17 vm9.adnethesis.it pkexec[5288]: pam_unix(polkit-1:session): session opened for user root by (uid=1541401112)
Feb 26 09:56:17 vm9.adnethesis.it pkexec[5288]: davidep@adnethesis.it: Executing command [USER=root] [TTY=unknown] [CWD=/run/user/1541401112] [COMMAND=/usr/bin/cockpit-bridge --privileged]
```
**Ending note**
A similar error occurs if "default_domain_suffix" is not set and "use_fully_qualified_names = False".
--
Davide Principi
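An added example, not part of the report above and not Cockpit or SSSD code: a small Python script that reads pam_sss auth lines like the ones in the two journal excerpts (the sample below is constructed, modelled on them) and reports, per Cockpit login, which name was authenticated at login and which name polkit and sudo then used for the privileged task. It flags the case the report describes, where the login name and the name tried for the privileged task differ and that second authentication fails.

```python
import re

# Constructed sample lines, modelled on the journal excerpt in the report
# (hostname shortened; not a real capture).
SAMPLE_JOURNAL = """\
Feb 26 09:24:56 vm9 cockpit-session[3586]: pam_sss(cockpit:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost=192.168.122.1 user=davidep
Feb 26 09:24:58 vm9 polkit-agent-helper-1[3619]: pam_sss(polkit-1:auth): authentication failure; logname= uid=1541401112 euid=0 tty= ruser=davidep@adnethesis.it rhost= user=davidep@adnethesis.it
Feb 26 09:25:01 vm9 sudo[3620]: pam_sss(sudo:auth): authentication failure; logname=davidep@adnethesis.it uid=1541401112 euid=0 tty= ruser=davidep@adnethesis.it rhost= user=davidep@adnethesis.it
Feb 26 09:56:15 vm9 cockpit-session[5267]: pam_sss(cockpit:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost=192.168.122.1 user=davidep@adnethesis.it
Feb 26 09:56:17 vm9 polkit-agent-helper-1[5294]: pam_sss(polkit-1:auth): authentication success; logname= uid=1541401112 euid=0 tty= ruser=davidep@adnethesis.it rhost= user=davidep@adnethesis.it
"""

# One pam_sss auth line: the PAM service, success/failure, and the user it was tried for.
# The greedy .* reaches the last "user=" field, so "ruser=" is not picked up.
PAM_AUTH_RE = re.compile(
    r"pam_sss\((?P<service>[\w-]+):auth\): authentication (?P<result>success|failure);"
    r".*\buser=(?P<user>\S+)"
)

def parse_pam_events(journal_text):
    """Return a list of (service, result, user) tuples, one per pam_sss auth line."""
    events = []
    for line in journal_text.splitlines():
        m = PAM_AUTH_RE.search(line)
        if m:
            events.append((m.group("service"), m.group("result"), m.group("user")))
    return events

def group_logins(events):
    """Each successful cockpit:auth starts a login episode; later polkit-1 and
    sudo attempts are attributed to the most recent login."""
    episodes = []
    for service, result, user in events:
        if service == "cockpit" and result == "success":
            episodes.append({"login_user": user, "privileged": []})
        elif episodes:
            episodes[-1]["privileged"].append({"service": service, "user": user, "result": result})
    return episodes

def name_mismatches(episodes):
    """Logins where the privileged task was tried under a different name than the
    one used at login and that attempt failed: (login_user, service, tried_user)."""
    hits = []
    for ep in episodes:
        for attempt in ep["privileged"]:
            if attempt["user"] != ep["login_user"] and attempt["result"] == "failure":
                hits.append((ep["login_user"], attempt["service"], attempt["user"]))
    return hits

# Usage: name_mismatches(group_logins(parse_pam_events(SAMPLE_JOURNAL)))
```

On the sample, the first login ("davidep") yields two mismatches (polkit-1 and sudo both tried "davidep@adnethesis.it" and failed), while the fully qualified login yields none.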