February 2019 - cockpit-devel - Fedora Mailing-Lists

Polkit/sudo auth failure with sssd default_domain_suffix

by Davide Principi

I faced a strange behavior with cockpit login and root privilege escalation but I can't say if it's a bug or not. I hope somebody can help me and shed some light on it! **Steps to reproduce** - installed centos 7 minimal and cockpit 183, realmd and deps - joined AD (Windows Server 2012 R2) with realmd - added "default_domain_suffix = adnethesis.it" to sssd.conf, because I'd like to login without domain suffix - I put "davidep(a)dpnet.nethesis.it" into the wheel group so it can become root with pkexec or sudo - At cockpit login, set "Reuse my password for privileged tasks" The sssd.conf man page states about "default_domain_suffix": > The option allows those users to log in just with their user name without giving a domain name as well Good, but the line below seems to contradict it: > Please note that if this option is set all users from the primary domain have to use their fully qualified name, e.g. user(a)domain.name, to log in. ...I'm not sure my expectation is correct anymore (!) **Expected behavior** If I login in cockpit as "davidep" I can become root with "pkexec bash". **What happens instead** The login as "davidep" succeedes but I cannot gain root privileges: pkexec fails. If I login as "davidep(a)adnethesis.it" it works as expected. **Additional information** [root@vm9 ~]# id davidep uid=1541401112(davidep(a)adnethesis.it) gid=1541400513(domain users(a)adnethesis.it) groups=1541400513(domain users(a)adnethesis.it ),10(wheel),1541400512(domain admins(a)adnethesis.it),1541401115( sviluppo(a)adnethesis.it),1541400572(ogg. non autoriz. a replica passw. in controller sola lettura(a)adnethesis.it) Full sssd.conf: [root@vm9 ~]# cat /etc/sssd/sssd.conf [sssd] domains = adnethesis.it config_file_version = 2 services = nss, pam #davidep: default_domain_suffix = adnethesis.it [domain/adnethesis.it] ad_domain = adnethesis.it krb5_realm = ADNETHESIS.IT realmd_tags = manages-system joined-with-samba cache_credentials = True id_provider = ad krb5_store_password_if_offline = True default_shell = /bin/bash ldap_id_mapping = True use_fully_qualified_names = True fallback_homedir = /home/%u@%d access_provider = ad If I login as "davidep" it fails. journalctl -f: Feb 26 09:24:56 vm9.adnethesis.it cockpit-session[3586]: pam_sss(cockpit:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost=192.168.122.1 user=davidep Feb 26 09:24:57 vm9.adnethesis.it cockpit-session[3586]: pam_ssh_add: Failed adding some keys Feb 26 09:24:57 vm9.adnethesis.it systemd[1]: Created slice User Slice of davidep(a)adnethesis.it. Feb 26 09:24:57 vm9.adnethesis.it cockpit-session[3586]: pam_unix(cockpit:session): session opened for user davidep by (uid=0) Feb 26 09:24:57 vm9.adnethesis.it systemd[1]: Started Session 2 of user davidep(a)adnethesis.it. Feb 26 09:24:57 vm9.adnethesis.it systemd-logind[3049]: New session 2 of user davidep(a)adnethesis.it. Feb 26 09:24:57 vm9.adnethesis.it polkitd[2896]: Registered Authentication Agent for unix-session:2 (system bus name :1.35 [cockpit-bridge], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) Feb 26 09:24:57 vm9.adnethesis.it cockpit-ws[3558]: logged in user session Feb 26 09:24:57 vm9.adnethesis.it cockpit-ws[3558]: New connection to session from 192.168.122.1 Feb 26 09:24:58 vm9.adnethesis.it dbus[2891]: [system] Activating via systemd: service name='org.freedesktop.hostname1' unit='dbus-org.freedesktop.hostname1.service' Feb 26 09:24:58 vm9.adnethesis.it systemd[1]: Starting Hostname Service... Feb 26 09:24:58 vm9.adnethesis.it dbus[2891]: [system] Successfully activated service 'org.freedesktop.hostname1' Feb 26 09:24:58 vm9.adnethesis.it systemd[1]: Started Hostname Service. Feb 26 09:24:58 vm9.adnethesis.it dbus[2891]: [system] Activating via systemd: service name='org.freedesktop.timedate1' unit='dbus-org.freedesktop.timedate1.service' Feb 26 09:24:58 vm9.adnethesis.it dbus[2891]: [system] Activating via systemd: service name='org.freedesktop.realmd' unit='realmd.service' Feb 26 09:24:58 vm9.adnethesis.it systemd[1]: Starting Realm and Domain Configuration... Feb 26 09:24:58 vm9.adnethesis.it systemd[1]: Starting Time & Date Service... Feb 26 09:24:58 vm9.adnethesis.it realmd[3614]: Loaded settings from: /usr/lib64/realmd/realmd-defaults.conf /usr/lib64/realmd/realmd-distro.conf Feb 26 09:24:58 vm9.adnethesis.it realmd[3614]: holding daemon: startup Feb 26 09:24:58 vm9.adnethesis.it realmd[3614]: starting service Feb 26 09:24:58 vm9.adnethesis.it dbus[2891]: [system] Successfully activated service 'org.freedesktop.timedate1' Feb 26 09:24:58 vm9.adnethesis.it systemd[1]: Started Time & Date Service. Feb 26 09:24:58 vm9.adnethesis.it realmd[3614]: connected to bus Feb 26 09:24:58 vm9.adnethesis.it realmd[3614]: released daemon: startup Feb 26 09:24:58 vm9.adnethesis.it dbus[2891]: [system] Successfully activated service 'org.freedesktop.realmd' Feb 26 09:24:58 vm9.adnethesis.it systemd[1]: Started Realm and Domain Configuration. Feb 26 09:24:58 vm9.adnethesis.it realmd[3614]: claimed name on bus: org.freedesktop.realmd Feb 26 09:24:58 vm9.adnethesis.it realmd[3614]: client using service: :1.38 Feb 26 09:24:58 vm9.adnethesis.it realmd[3614]: holding daemon: :1.38 Feb 26 09:24:58 vm9.adnethesis.it polkit-agent-helper-1[3619]: pam_sss(polkit-1:auth): authentication failure; logname= uid=1541401112 euid=0 tty= ruser=davidep(a)adnethesis.it rhost= user=davidep(a)adnethesis.it Feb 26 09:24:58 vm9.adnethesis.it polkit-agent-helper-1[3619]: pam_sss(polkit-1:auth): received for user davidep(a)adnethesis.it: 7 (Authentication failure) Feb 26 09:25:01 vm9.adnethesis.it cockpit-bridge[3591]: polkit-agent-helper-1: pam_authenticate failed: Authentication failure Feb 26 09:25:01 vm9.adnethesis.it polkitd[2896]: Operator of unix-session:2 FAILED to authenticate to gain authorization for action org.freedesktop.policykit.exec for unix-process:3591:9221 [cockpit-bridge] (owned by unix-user:davidep@adnethesis.it) Feb 26 09:25:01 vm9.adnethesis.it cockpit-bridge[3591]: Error executing command as another user: Not authorized Feb 26 09:25:01 vm9.adnethesis.it cockpit-bridge[3591]: This incident has been reported. Feb 26 09:25:01 vm9.adnethesis.it pkexec[3608]: davidep(a)adnethesis.it: Error executing command as another user: Not authorized [USER=root] [TTY=unknown] [CWD=/run/user/1541401112] [COMMAND=/usr/bin/cockpit-bridge --privileged] Feb 26 09:25:01 vm9.adnethesis.it sudo[3620]: pam_sss(sudo:auth): authentication failure; logname=davidep(a)adnethesis.it uid=1541401112 euid=0 tty= ruser=davidep(a)adnethesis.it rhost= user=davidep(a)adnethesis.it Feb 26 09:25:01 vm9.adnethesis.it sudo[3620]: pam_sss(sudo:auth): received for user davidep(a)adnethesis.it: 7 (Authentication failure) Feb 26 09:25:03 vm9.adnethesis.it cockpit-bridge[3591]: Sorry, try again. Feb 26 09:25:03 vm9.adnethesis.it sudo[3620]: pam_sss(sudo:auth): authentication failure; logname=davidep(a)adnethesis.it uid=1541401112 euid=0 tty= ruser=davidep(a)adnethesis.it rhost= user=davidep(a)adnethesis.it Feb 26 09:25:03 vm9.adnethesis.it sudo[3620]: pam_sss(sudo:auth): received for user davidep(a)adnethesis.it: 7 (Authentication failure) Feb 26 09:25:05 vm9.adnethesis.it cockpit-bridge[3591]: Sorry, try again. Feb 26 09:25:05 vm9.adnethesis.it sudo[3620]: pam_sss(sudo:auth): authentication failure; logname=davidep(a)adnethesis.it uid=1541401112 euid=0 tty= ruser=davidep(a)adnethesis.it rhost= user=davidep(a)adnethesis.it Feb 26 09:25:05 vm9.adnethesis.it sudo[3620]: pam_sss(sudo:auth): received for user davidep(a)adnethesis.it: 7 (Authentication failure) Feb 26 09:25:07 vm9.adnethesis.it sudo[3620]: davidep(a)adnethesis.it : 3 incorrect password attempts ; TTY=unknown ; PWD=/run/user/1541401112 ; USER=root ; COMMAND=/bin/cockpit-bridge --privileged Feb 26 09:25:07 vm9.adnethesis.it cockpit-bridge[3591]: sudo: 3 incorrect password attempts Feb 26 09:25:25 vm9.adnethesis.it cockpit-ws[3558]: cockpit-session: session timed out during authentication Feb 26 09:25:25 vm9.adnethesis.it cockpit-ws[3558]: cockpit-session: didn't receive expected "authorize" message Feb 26 09:25:25 vm9.adnethesis.it cockpit-ws[3558]: cockpit-session: authentication timed out Feb 26 09:25:25 vm9.adnethesis.it cockpit-ws[3558]: ignoring failure from session process: Authentication failed: Timeout If I go to Cockpit Terminal and try to become root: [davidep@adnethesis.it(a)vm9 ~]$ pkexec bash Error executing command as another user: Not authorized This incident has been reported. [davidep@adnethesis.it(a)vm9 ~]$ But if I login as "davidep(a)adnethesis.it" it succeeds. journalctl -f: Feb 26 09:56:15 vm9.adnethesis.it systemd[1]: Starting Cockpit Web Service... Feb 26 09:56:15 vm9.adnethesis.it systemd[1]: Started Cockpit Web Service. Feb 26 09:56:15 vm9.adnethesis.it cockpit-ws[5263]: Using certificate: /etc/cockpit/ws-certs.d/0-self-signed.cert Feb 26 09:56:15 vm9.adnethesis.it cockpit-session[5267]: pam_sss(cockpit:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost=192.168.122.1 user=davidep(a)adnethesis.it Feb 26 09:56:15 vm9.adnethesis.it cockpit-session[5267]: pam_ssh_add: Failed adding some keys Feb 26 09:56:15 vm9.adnethesis.it systemd[1]: Created slice User Slice of davidep(a)adnethesis.it. Feb 26 09:56:15 vm9.adnethesis.it systemd[1]: Started Session 3 of user davidep(a)adnethesis.it. Feb 26 09:56:15 vm9.adnethesis.it cockpit-session[5267]: pam_unix(cockpit:session): session opened for user davidep(a)adnethesis.it by (uid=0) Feb 26 09:56:15 vm9.adnethesis.it systemd-logind[3049]: New session 3 of user davidep(a)adnethesis.it. Feb 26 09:56:16 vm9.adnethesis.it polkitd[2896]: Registered Authentication Agent for unix-session:3 (system bus name :1.45 [cockpit-bridge], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) Feb 26 09:56:16 vm9.adnethesis.it cockpit-ws[5263]: logged in user session Feb 26 09:56:16 vm9.adnethesis.it cockpit-ws[5263]: New connection to session from 192.168.122.1 Feb 26 09:56:16 vm9.adnethesis.it dbus[2891]: [system] Activating via systemd: service name='org.freedesktop.hostname1' unit='dbus-org.freedesktop.hostname1.service' Feb 26 09:56:16 vm9.adnethesis.it systemd[1]: Starting Hostname Service... Feb 26 09:56:16 vm9.adnethesis.it dbus[2891]: [system] Successfully activated service 'org.freedesktop.hostname1' Feb 26 09:56:16 vm9.adnethesis.it systemd[1]: Started Hostname Service. Feb 26 09:56:16 vm9.adnethesis.it dbus[2891]: [system] Activating via systemd: service name='org.freedesktop.timedate1' unit='dbus-org.freedesktop.timedate1.service' Feb 26 09:56:16 vm9.adnethesis.it dbus[2891]: [system] Activating via systemd: service name='org.freedesktop.realmd' unit='realmd.service' Feb 26 09:56:16 vm9.adnethesis.it systemd[1]: Starting Realm and Domain Configuration... Feb 26 09:56:16 vm9.adnethesis.it systemd[1]: Starting Time & Date Service... Feb 26 09:56:16 vm9.adnethesis.it realmd[5295]: Loaded settings from: /usr/lib64/realmd/realmd-defaults.conf /usr/lib64/realmd/realmd-distro.conf Feb 26 09:56:16 vm9.adnethesis.it realmd[5295]: holding daemon: startup Feb 26 09:56:16 vm9.adnethesis.it realmd[5295]: starting service Feb 26 09:56:16 vm9.adnethesis.it dbus[2891]: [system] Successfully activated service 'org.freedesktop.timedate1' Feb 26 09:56:16 vm9.adnethesis.it systemd[1]: Started Time & Date Service. Feb 26 09:56:16 vm9.adnethesis.it realmd[5295]: connected to bus Feb 26 09:56:16 vm9.adnethesis.it realmd[5295]: released daemon: startup Feb 26 09:56:16 vm9.adnethesis.it dbus[2891]: [system] Successfully activated service 'org.freedesktop.realmd' Feb 26 09:56:16 vm9.adnethesis.it systemd[1]: Started Realm and Domain Configuration. Feb 26 09:56:16 vm9.adnethesis.it realmd[5295]: claimed name on bus: org.freedesktop.realmd Feb 26 09:56:16 vm9.adnethesis.it realmd[5295]: client using service: :1.48 Feb 26 09:56:16 vm9.adnethesis.it realmd[5295]: holding daemon: :1.48 Feb 26 09:56:17 vm9.adnethesis.it polkit-agent-helper-1[5294]: pam_sss(polkit-1:auth): authentication success; logname= uid=1541401112 euid=0 tty= ruser=davidep(a)adnethesis.it rhost= user=davidep(a)adnethesis.it Feb 26 09:56:17 vm9.adnethesis.it polkitd[2896]: Operator of unix-session:3 successfully authenticated as unix-user:davidep@adnethesis.it to gain ONE-SHOT authorization for action org.freedesktop.policykit.exec for unix-process:5272:197102 [cockpit-bridge] (owned by unix-user: davidep(a)adnethesis.it) Feb 26 09:56:17 vm9.adnethesis.it pkexec[5288]: pam_unix(polkit-1:session): session opened for user root by (uid=1541401112) Feb 26 09:56:17 vm9.adnethesis.it pkexec[5288]: davidep(a)adnethesis.it: Executing command [USER=root] [TTY=unknown] [CWD=/run/user/1541401112] [COMMAND=/usr/bin/cockpit-bridge --privileged] **Ending note** A similar error occurs if "default_domain_suffix" is not set and "use_fully_qualified_names = False". -- Davide Principi

5 years, 1 month

2
1
0 / 0

Cockpit 188 released

by Martin Pitt

Cockpit is the modern Linux admin interface. We release regularly. Here are the release notes from version 188: http://cockpit-project.org/blog/cockpit-188.html Summary: - Machines: Show Storage Volume user - Machines: Autostart configuration - Terminal: Themes and context menu - Storage: Responsive dialogs - Software Updates: Show three most recent updates You can get Cockpit here: http://cockpit-project.org/running.html Cockpit 188 is available in Fedora 29: https://bodhi.fedoraproject.org/updates/cockpit-188-1.fc29 Or download the tarball here: https://github.com/cockpit-project/cockpit/releases/tag/188 Take care, Martin Pitt

5 years, 2 months

1
0
0 / 0

Cockpit 187

by Marius Vollmer

Hi! Here are the release notes for version 187: http://cockpit-project.org/blog/cockpit-187.html Summary: Machines: More operations for Storage Pools Domains: More information about the joined domain Storage: The options for VDO volumes are explained Machines: Support for oVirt will be dropped in the future You can get Cockpit here: https://cockpit-project.org/running.html Cockpit 187 is available in Fedora 29: https://bodhi.fedoraproject.org/updates/cockpit-187-1.fc29 Or download the tarball here: https://github.com/cockpit-project/cockpit/releases/tag/187

5 years, 2 months

1
0
0 / 0

Different cockpit versions between RHEL & CentOS 7.6

by Yigal Korman

Hi Guys, Anyone knows why RHEL 7.6 provides v173.1 while CentOS has a newer v176? Usually packages have the same version on both... Thanks, Yigal PS, I see that Cockpit is mentioned as modified by CentOS in the release notes [1] but there's not explanation of why. [https://wiki.centos.org/Manuals/ReleaseNotes/CentOS7.1810?action=show&red...]

5 years, 2 months

2
2
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

cockpit-devel February 2019