I faced a strange behavior with cockpit login and root privilege escalation but I can't say if it's a bug or not. I hope somebody can help me and shed some light on it!
**Steps to reproduce**
- installed centos 7 minimal and cockpit 183, realmd and deps
- joined AD (Windows Server 2012 R2) with realmd
- added "default_domain_suffix = adnethesis.it" to sssd.conf, because I'd like to login without domain suffix
- I put "davidep@dpnet.nethesis.it" into the wheel group so it can become root with pkexec or sudo
- At cockpit login, set "Reuse my password for privileged tasks"
The sssd.conf man page states about "default_domain_suffix":
The option allows those users to log in just with their user name without
giving a domain name as well
Good, but the line below seems to contradict it:
Please note that if this option is set all users from the primary domain
have to use their fully qualified name, e.g. user@domain.name, to log in.
...I'm not sure my expectation is correct anymore (!)
**Expected behavior**
If I login in cockpit as "davidep" I can become root with "pkexec bash".
**What happens instead**
The login as "davidep" succeeds but I cannot gain root privileges: pkexec fails.
If I login as "davidep@adnethesis.it" it works as expected.
**Additional information**
[root@vm9 ~]# id davidep
uid=1541401112(davidep@adnethesis.it) gid=1541400513(domain users@adnethesis.it) groups=1541400513(domain users@adnethesis.it ),10(wheel),1541400512(domain admins@adnethesis.it),1541401115( sviluppo@adnethesis.it),1541400572(ogg. non autoriz. a replica passw. in controller sola lettura@adnethesis.it)
Full sssd.conf:
[root@vm9 ~]# cat /etc/sssd/sssd.conf
[sssd]
domains = adnethesis.it
config_file_version = 2
services = nss, pam
#davidep:
default_domain_suffix = adnethesis.it

[domain/adnethesis.it]
ad_domain = adnethesis.it
krb5_realm = ADNETHESIS.IT
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
If I login as "davidep" it fails. journalctl -f:
Feb 26 09:24:56 vm9.adnethesis.it cockpit-session[3586]: pam_sss(cockpit:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost=192.168.122.1 user=davidep
Feb 26 09:24:57 vm9.adnethesis.it cockpit-session[3586]: pam_ssh_add: Failed adding some keys
Feb 26 09:24:57 vm9.adnethesis.it systemd[1]: Created slice User Slice of davidep@adnethesis.it.
Feb 26 09:24:57 vm9.adnethesis.it cockpit-session[3586]: pam_unix(cockpit:session): session opened for user davidep by (uid=0)
Feb 26 09:24:57 vm9.adnethesis.it systemd[1]: Started Session 2 of user davidep@adnethesis.it.
Feb 26 09:24:57 vm9.adnethesis.it systemd-logind[3049]: New session 2 of user davidep@adnethesis.it.
Feb 26 09:24:57 vm9.adnethesis.it polkitd[2896]: Registered Authentication Agent for unix-session:2 (system bus name :1.35 [cockpit-bridge], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Feb 26 09:24:57 vm9.adnethesis.it cockpit-ws[3558]: logged in user session
Feb 26 09:24:57 vm9.adnethesis.it cockpit-ws[3558]: New connection to session from 192.168.122.1
Feb 26 09:24:58 vm9.adnethesis.it dbus[2891]: [system] Activating via systemd: service name='org.freedesktop.hostname1' unit='dbus-org.freedesktop.hostname1.service'
Feb 26 09:24:58 vm9.adnethesis.it systemd[1]: Starting Hostname Service...
Feb 26 09:24:58 vm9.adnethesis.it dbus[2891]: [system] Successfully activated service 'org.freedesktop.hostname1'
Feb 26 09:24:58 vm9.adnethesis.it systemd[1]: Started Hostname Service.
Feb 26 09:24:58 vm9.adnethesis.it dbus[2891]: [system] Activating via systemd: service name='org.freedesktop.timedate1' unit='dbus-org.freedesktop.timedate1.service'
Feb 26 09:24:58 vm9.adnethesis.it dbus[2891]: [system] Activating via systemd: service name='org.freedesktop.realmd' unit='realmd.service'
Feb 26 09:24:58 vm9.adnethesis.it systemd[1]: Starting Realm and Domain Configuration...
Feb 26 09:24:58 vm9.adnethesis.it systemd[1]: Starting Time & Date Service...
Feb 26 09:24:58 vm9.adnethesis.it realmd[3614]: Loaded settings from: /usr/lib64/realmd/realmd-defaults.conf /usr/lib64/realmd/realmd-distro.conf
Feb 26 09:24:58 vm9.adnethesis.it realmd[3614]: holding daemon: startup
Feb 26 09:24:58 vm9.adnethesis.it realmd[3614]: starting service
Feb 26 09:24:58 vm9.adnethesis.it dbus[2891]: [system] Successfully activated service 'org.freedesktop.timedate1'
Feb 26 09:24:58 vm9.adnethesis.it systemd[1]: Started Time & Date Service.
Feb 26 09:24:58 vm9.adnethesis.it realmd[3614]: connected to bus
Feb 26 09:24:58 vm9.adnethesis.it realmd[3614]: released daemon: startup
Feb 26 09:24:58 vm9.adnethesis.it dbus[2891]: [system] Successfully activated service 'org.freedesktop.realmd'
Feb 26 09:24:58 vm9.adnethesis.it systemd[1]: Started Realm and Domain Configuration.
Feb 26 09:24:58 vm9.adnethesis.it realmd[3614]: claimed name on bus: org.freedesktop.realmd
Feb 26 09:24:58 vm9.adnethesis.it realmd[3614]: client using service: :1.38
Feb 26 09:24:58 vm9.adnethesis.it realmd[3614]: holding daemon: :1.38
Feb 26 09:24:58 vm9.adnethesis.it polkit-agent-helper-1[3619]: pam_sss(polkit-1:auth): authentication failure; logname= uid=1541401112 euid=0 tty= ruser=davidep@adnethesis.it rhost= user=davidep@adnethesis.it
Feb 26 09:24:58 vm9.adnethesis.it polkit-agent-helper-1[3619]: pam_sss(polkit-1:auth): received for user davidep@adnethesis.it: 7 (Authentication failure)
Feb 26 09:25:01 vm9.adnethesis.it cockpit-bridge[3591]: polkit-agent-helper-1: pam_authenticate failed: Authentication failure
Feb 26 09:25:01 vm9.adnethesis.it polkitd[2896]: Operator of unix-session:2 FAILED to authenticate to gain authorization for action org.freedesktop.policykit.exec for unix-process:3591:9221 [cockpit-bridge] (owned by unix-user:davidep@adnethesis.it)
Feb 26 09:25:01 vm9.adnethesis.it cockpit-bridge[3591]: Error executing command as another user: Not authorized
Feb 26 09:25:01 vm9.adnethesis.it cockpit-bridge[3591]: This incident has been reported.
Feb 26 09:25:01 vm9.adnethesis.it pkexec[3608]: davidep@adnethesis.it: Error executing command as another user: Not authorized [USER=root] [TTY=unknown] [CWD=/run/user/1541401112] [COMMAND=/usr/bin/cockpit-bridge --privileged]
Feb 26 09:25:01 vm9.adnethesis.it sudo[3620]: pam_sss(sudo:auth): authentication failure; logname=davidep@adnethesis.it uid=1541401112 euid=0 tty= ruser=davidep@adnethesis.it rhost= user=davidep@adnethesis.it
Feb 26 09:25:01 vm9.adnethesis.it sudo[3620]: pam_sss(sudo:auth): received for user davidep@adnethesis.it: 7 (Authentication failure)
Feb 26 09:25:03 vm9.adnethesis.it cockpit-bridge[3591]: Sorry, try again.
Feb 26 09:25:03 vm9.adnethesis.it sudo[3620]: pam_sss(sudo:auth): authentication failure; logname=davidep@adnethesis.it uid=1541401112 euid=0 tty= ruser=davidep@adnethesis.it rhost= user=davidep@adnethesis.it
Feb 26 09:25:03 vm9.adnethesis.it sudo[3620]: pam_sss(sudo:auth): received for user davidep@adnethesis.it: 7 (Authentication failure)
Feb 26 09:25:05 vm9.adnethesis.it cockpit-bridge[3591]: Sorry, try again.
Feb 26 09:25:05 vm9.adnethesis.it sudo[3620]: pam_sss(sudo:auth): authentication failure; logname=davidep@adnethesis.it uid=1541401112 euid=0 tty= ruser=davidep@adnethesis.it rhost= user=davidep@adnethesis.it
Feb 26 09:25:05 vm9.adnethesis.it sudo[3620]: pam_sss(sudo:auth): received for user davidep@adnethesis.it: 7 (Authentication failure)
Feb 26 09:25:07 vm9.adnethesis.it sudo[3620]: davidep@adnethesis.it : 3 incorrect password attempts ; TTY=unknown ; PWD=/run/user/1541401112 ; USER=root ; COMMAND=/bin/cockpit-bridge --privileged
Feb 26 09:25:07 vm9.adnethesis.it cockpit-bridge[3591]: sudo: 3 incorrect password attempts
Feb 26 09:25:25 vm9.adnethesis.it cockpit-ws[3558]: cockpit-session: session timed out during authentication
Feb 26 09:25:25 vm9.adnethesis.it cockpit-ws[3558]: cockpit-session: didn't receive expected "authorize" message
Feb 26 09:25:25 vm9.adnethesis.it cockpit-ws[3558]: cockpit-session: authentication timed out
Feb 26 09:25:25 vm9.adnethesis.it cockpit-ws[3558]: ignoring failure from session process: Authentication failed: Timeout
If I go to Cockpit Terminal and try to become root:
[davidep@adnethesis.it@vm9 ~]$ pkexec bash
Error executing command as another user: Not authorized
This incident has been reported.
[davidep@adnethesis.it@vm9 ~]$
But if I login as "davidep@adnethesis.it" it succeeds. journalctl -f:
Feb 26 09:56:15 vm9.adnethesis.it systemd[1]: Starting Cockpit Web Service...
Feb 26 09:56:15 vm9.adnethesis.it systemd[1]: Started Cockpit Web Service.
Feb 26 09:56:15 vm9.adnethesis.it cockpit-ws[5263]: Using certificate: /etc/cockpit/ws-certs.d/0-self-signed.cert
Feb 26 09:56:15 vm9.adnethesis.it cockpit-session[5267]: pam_sss(cockpit:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost=192.168.122.1 user=davidep@adnethesis.it
Feb 26 09:56:15 vm9.adnethesis.it cockpit-session[5267]: pam_ssh_add: Failed adding some keys
Feb 26 09:56:15 vm9.adnethesis.it systemd[1]: Created slice User Slice of davidep@adnethesis.it.
Feb 26 09:56:15 vm9.adnethesis.it systemd[1]: Started Session 3 of user davidep@adnethesis.it.
Feb 26 09:56:15 vm9.adnethesis.it cockpit-session[5267]: pam_unix(cockpit:session): session opened for user davidep@adnethesis.it by (uid=0)
Feb 26 09:56:15 vm9.adnethesis.it systemd-logind[3049]: New session 3 of user davidep@adnethesis.it.
Feb 26 09:56:16 vm9.adnethesis.it polkitd[2896]: Registered Authentication Agent for unix-session:3 (system bus name :1.45 [cockpit-bridge], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Feb 26 09:56:16 vm9.adnethesis.it cockpit-ws[5263]: logged in user session
Feb 26 09:56:16 vm9.adnethesis.it cockpit-ws[5263]: New connection to session from 192.168.122.1
Feb 26 09:56:16 vm9.adnethesis.it dbus[2891]: [system] Activating via systemd: service name='org.freedesktop.hostname1' unit='dbus-org.freedesktop.hostname1.service'
Feb 26 09:56:16 vm9.adnethesis.it systemd[1]: Starting Hostname Service...
Feb 26 09:56:16 vm9.adnethesis.it dbus[2891]: [system] Successfully activated service 'org.freedesktop.hostname1'
Feb 26 09:56:16 vm9.adnethesis.it systemd[1]: Started Hostname Service.
Feb 26 09:56:16 vm9.adnethesis.it dbus[2891]: [system] Activating via systemd: service name='org.freedesktop.timedate1' unit='dbus-org.freedesktop.timedate1.service'
Feb 26 09:56:16 vm9.adnethesis.it dbus[2891]: [system] Activating via systemd: service name='org.freedesktop.realmd' unit='realmd.service'
Feb 26 09:56:16 vm9.adnethesis.it systemd[1]: Starting Realm and Domain Configuration...
Feb 26 09:56:16 vm9.adnethesis.it systemd[1]: Starting Time & Date Service...
Feb 26 09:56:16 vm9.adnethesis.it realmd[5295]: Loaded settings from: /usr/lib64/realmd/realmd-defaults.conf /usr/lib64/realmd/realmd-distro.conf
Feb 26 09:56:16 vm9.adnethesis.it realmd[5295]: holding daemon: startup
Feb 26 09:56:16 vm9.adnethesis.it realmd[5295]: starting service
Feb 26 09:56:16 vm9.adnethesis.it dbus[2891]: [system] Successfully activated service 'org.freedesktop.timedate1'
Feb 26 09:56:16 vm9.adnethesis.it systemd[1]: Started Time & Date Service.
Feb 26 09:56:16 vm9.adnethesis.it realmd[5295]: connected to bus
Feb 26 09:56:16 vm9.adnethesis.it realmd[5295]: released daemon: startup
Feb 26 09:56:16 vm9.adnethesis.it dbus[2891]: [system] Successfully activated service 'org.freedesktop.realmd'
Feb 26 09:56:16 vm9.adnethesis.it systemd[1]: Started Realm and Domain Configuration.
Feb 26 09:56:16 vm9.adnethesis.it realmd[5295]: claimed name on bus: org.freedesktop.realmd
Feb 26 09:56:16 vm9.adnethesis.it realmd[5295]: client using service: :1.48
Feb 26 09:56:16 vm9.adnethesis.it realmd[5295]: holding daemon: :1.48
Feb 26 09:56:17 vm9.adnethesis.it polkit-agent-helper-1[5294]: pam_sss(polkit-1:auth): authentication success; logname= uid=1541401112 euid=0 tty= ruser=davidep@adnethesis.it rhost= user=davidep@adnethesis.it
Feb 26 09:56:17 vm9.adnethesis.it polkitd[2896]: Operator of unix-session:3 successfully authenticated as unix-user:davidep@adnethesis.it to gain ONE-SHOT authorization for action org.freedesktop.policykit.exec for unix-process:5272:197102 [cockpit-bridge] (owned by unix-user: davidep@adnethesis.it)
Feb 26 09:56:17 vm9.adnethesis.it pkexec[5288]: pam_unix(polkit-1:session): session opened for user root by (uid=1541401112)
Feb 26 09:56:17 vm9.adnethesis.it pkexec[5288]: davidep@adnethesis.it: Executing command [USER=root] [TTY=unknown] [CWD=/run/user/1541401112] [COMMAND=/usr/bin/cockpit-bridge --privileged]
**Ending note**
A similar error occurs if "default_domain_suffix" is not set and "use_fully_qualified_names = False".
-- Davide Principi
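As an added example (my own code, not part of the original post and not from the cockpit or SSSD projects), the Python script below does the triage step a responder would do on the journal output above: it parses the pam_sss(<service>:auth) lines, groups every polkit-1 and sudo authentication under the Cockpit login that started the session, and reports whether the account name the escalation was asked to authenticate is the same account as the login and whether its form changed (short name at login, fully qualified name at pkexec/sudo time). The sample lines are trimmed copies of the journal entries in the post; the functions `parse_pam_sss`, `triage` and `findings`, and the single-domain rule in `qualify` (a bare name is treated as `name@default_domain_suffix`), are assumptions of this example.

```python
"""Correlate pam_sss auth lines from a journal with the Cockpit login that
started the session, to spot login-name form mismatches (short name vs. fully
qualified name) between the login and later privilege escalation attempts."""
import re
from dataclasses import dataclass, field

# Matches the pam_sss(<service>:auth) lines written by cockpit-session,
# polkit-agent-helper-1 and sudo; the key=value tail is parsed separately.
PAM_SSS_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>[^\[\s]+)\[\d+\]: "
    r"pam_sss\((?P<service>[^:]+):auth\): authentication (?P<result>success|failure);(?P<rest>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S*)")  # tolerates empty values such as "logname="


@dataclass
class AuthEvent:
    ts: str
    service: str  # PAM service: cockpit (login), polkit-1 (pkexec), sudo
    result: str   # "success" or "failure"
    user: str     # account name PAM was asked to authenticate
    uid: str      # uid of the calling process ("0" for cockpit-session)


@dataclass
class LoginSession:
    login: AuthEvent
    escalations: list = field(default_factory=list)


def parse_pam_sss(line):
    """Return an AuthEvent for a pam_sss auth line, or None for any other line."""
    m = PAM_SSS_RE.match(line)
    if m is None:
        return None
    kv = dict(KV_RE.findall(m.group("rest")))
    return AuthEvent(m.group("ts"), m.group("service"), m.group("result"),
                     kv.get("user", ""), kv.get("uid", ""))


def name_form(account):
    return "qualified" if "@" in account else "short"


def qualify(account, default_suffix):
    """Assumed single-domain rule: a bare name gets default_domain_suffix appended."""
    return account if "@" in account else f"{account}@{default_suffix}"


def triage(journal_text):
    """Group escalation attempts under the most recent successful Cockpit login."""
    sessions = []
    for line in journal_text.splitlines():
        ev = parse_pam_sss(line)
        if ev is None:
            continue
        if ev.service == "cockpit":
            if ev.result == "success":
                sessions.append(LoginSession(login=ev))
        elif sessions:
            sessions[-1].escalations.append(ev)
    return sessions


def findings(sessions, default_suffix):
    """One record per escalation: same account as the login? did the name form change?"""
    out = []
    for s in sessions:
        login_fq = qualify(s.login.user, default_suffix)
        for e in s.escalations:
            out.append({
                "login_user": s.login.user,
                "service": e.service,
                "asked_for": e.user,
                "result": e.result,
                "same_account": qualify(e.user, default_suffix) == login_fq,
                "form_changed": name_form(e.user) != name_form(s.login.user),
            })
    return out


# Trimmed copies of the journal lines in the post (hostname shortened, noise dropped).
SAMPLE_JOURNAL = """\
Feb 26 09:24:56 vm9 cockpit-session[3586]: pam_sss(cockpit:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost=192.168.122.1 user=davidep
Feb 26 09:24:58 vm9 polkit-agent-helper-1[3619]: pam_sss(polkit-1:auth): authentication failure; logname= uid=1541401112 euid=0 tty= ruser=davidep@adnethesis.it rhost= user=davidep@adnethesis.it
Feb 26 09:25:01 vm9 sudo[3620]: pam_sss(sudo:auth): authentication failure; logname=davidep@adnethesis.it uid=1541401112 euid=0 tty= ruser=davidep@adnethesis.it rhost= user=davidep@adnethesis.it
Feb 26 09:56:15 vm9 cockpit-session[5267]: pam_sss(cockpit:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost=192.168.122.1 user=davidep@adnethesis.it
Feb 26 09:56:17 vm9 polkit-agent-helper-1[5294]: pam_sss(polkit-1:auth): authentication success; logname= uid=1541401112 euid=0 tty= ruser=davidep@adnethesis.it rhost= user=davidep@adnethesis.it
"""

if __name__ == "__main__":
    for f in findings(triage(SAMPLE_JOURNAL), "adnethesis.it"):
        flag = "NAME FORM CHANGED" if f["form_changed"] else "consistent"
        print(f"login={f['login_user']:<24} {f['service']:<9} "
              f"asked_for={f['asked_for']:<24} {f['result']:<8} {flag}")
```

Run against a live host with `journalctl -o short | python3 triage.py`-style piping after swapping `SAMPLE_JOURNAL` for stdin; on the sample, the first session shows the login as `davidep` while both escalations were asked for `davidep@adnethesis.it` and failed, and the second session shows the same account name at both stages and a success, which is the pattern the post describes.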
On Tue, Feb 26, 2019 at 10:35:55AM +0100, Davide Principi wrote:
> I faced a strange behavior with cockpit login and root privilege escalation but I can't say if it's a bug or not. I hope somebody can help me and shed some light on it!
This question would probably be better answered at the freeipa-users mailing list: https://lists.fedorahosted.org/admin/lists/freeipa-users.lists.fedorahosted....
We're probably going to ask for sssd debugging information: https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html https://docs.pagure.org/SSSD.sssd/users/sudo_troubleshooting.html
> **Steps to reproduce**
> - installed centos 7 minimal and cockpit 183, realmd and deps
> - joined AD (Windows Server 2012 R2) with realmd
> - added "default_domain_suffix = adnethesis.it" to sssd.conf, because I'd
> like to login without domain suffix
> - I put "davidep@dpnet.nethesis.it" into the wheel group so it can become
> root with pkexec or sudo
> - At cockpit login, set "Reuse my password for privileged tasks"
> The sssd.conf man page states about "default_domain_suffix":
> The option allows those users to log in just with their user name without
> giving a domain name as well
> Good, but the line below seems to contradict it:
> Please note that if this option is set all users from the primary domain
> have to use their fully qualified name, e.g. user@domain.name, to log in.
> ...I'm not sure my expectation is correct anymore (!)
This just means you need to use ipauser@ipa.domain to reach IPA users.
cockpit-devel@lists.fedorahosted.org