/usr/share/doc/cockpit/guide/privileges.html is in cockpit-doc 164-1.

This file is owned by root:root, with mode 0o644.

The actual contents of the file can be viewed below.

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Privileges and Permissions</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
<link rel="home" href="index.html" title="Cockpit Guide">
<link rel="up" href="guide.html" title="Part I. Deployment Guide">
<link rel="prev" href="sso.html" title="Single Sign On">
<link rel="next" href="features.html" title="Part II. Feature Internals">
<link rel="stylesheet" href="style.css" type="text/css">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="chapter">
<div class="titlepage"><div><div><h2 class="title">
<a name="privileges"></a>Privileges and Permissions</h2></div></div></div>
<div class="toc"><dl class="toc"><dt><span class="section"><a href="privileges.html#privileges-polkit">Customizing Polkit Privileges</a></span></dt></dl></div>
<p>When a user is logged into Cockpit, they are logged into a normal session
    that has exactly the same privileges as if they logged in via SSH or on
    the console.</p>
<p>In some cases Cockpit will try to escalate the privileges of the user
    using <a class="ulink" href="http://www.freedesktop.org/wiki/Software/polkit/" target="_top">Policy Kit</a>
    or <a class="ulink" href="http://www.sudo.ws/" target="_top">sudo</a>. If the user is able to escalate
    privileges from the command line, then Cockpit will use that same capability to
    perform certain privileged tasks.</p>
<p>Cockpit can use the user's login password internally to escalate privileges
    in these situations. By selecting the
    <span class="emphasis"><em>Reuse my password for privileged tasks</em></span> option on the login screen
    the login password will be cached internally and passed to <span class="emphasis"><em>Policy Kit</em></span>
    when requested in order to escalate privileges.</p>
<p>To test whether Cockpit can escalate privileges, you can run these commands
    from the <a class="link" href="feature-terminal.html" title="Terminal">terminal built into Cockpit</a>.</p>
<pre class="programlisting">
$ sudo cockpit-bridge
...
$ pkexec cockpit-bridge
...
</pre>
<p>If either of these commands succeeds without prompting for a password,
    Cockpit will be able to start a privileged copy of the
    <code class="filename">cockpit-bridge</code> and use it to perform privileged tasks
    when necessary.</p>
<p>Usually a user needs to be in the <code class="code">wheel</code> Unix user group for the
    user to be able to escalate privileges in this way. However both Policy Kit and
    sudo may be configured to use other criteria.</p>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="privileges-polkit"></a>Customizing Polkit Privileges</h2></div></div></div>
<p>Services like <a class="ulink" href="http://www.freedesktop.org/wiki/Software/systemd/" target="_top">systemd</a>
      and <a class="ulink" href="https://wiki.gnome.org/Projects/NetworkManager" target="_top">NetworkManager</a> use
      <a class="ulink" href="http://www.freedesktop.org/wiki/Software/polkit/" target="_top">Polkit</a> to
      validate and escalate privileges. It is possible to customize these rules with files
      in <code class="filename">/etc/polkit-1/rules.d</code>.</p>
<p>Polkit rules files are
      <a class="ulink" href="https://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html" target="_top">JavaScript with specific methods and objects</a>. For example, placing the following polkit rule in
      <code class="filename">/etc/polkit-1/rules.d/10-operators.rules</code> allows all users in the
      <code class="code">operators</code> group to start, stop, restart and otherwise manage systemd services:</p>
<pre class="programlisting">
polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.systemd1.manage-units") {
        if (subject.isInGroup("operators")) {
            return polkit.Result.YES;
        }
    }
});
</pre>
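<p>The rule above lets <code class="code">operators</code> manage every unit. A narrower, least-privilege variant follows as an added example (not part of the Cockpit guide). It assumes a systemd version that passes the <code class="code">unit</code> and <code class="code">verb</code> details to polkit; the unit names, the stand-in <code class="code">polkit</code> object and the <code class="code">evaluate</code> harness are constructed so the rule can be checked offline with Node.js. Only the marked body belongs in the rules file.</p>

```javascript
// Constructed stand-in for the `polkit` object that polkitd provides to rules
// files. Not needed (and must be left out) in the real rules file.
var polkit = {
    Result: { YES: "yes", NOT_HANDLED: null },
    rules: [],
    addRule: function(fn) { this.rules.push(fn); }
};

// ---- Body of the rules file starts here (plain ES5) ----
// Hypothetical allow-lists: adjust to the services operators really manage.
var ALLOWED_UNITS = ["httpd.service", "nginx.service"];
var ALLOWED_VERBS = ["start", "stop", "restart"];

polkit.addRule(function(action, subject) {
    if (action.id !== "org.freedesktop.systemd1.manage-units" ||
        !subject.isInGroup("operators")) {
        return polkit.Result.NOT_HANDLED;
    }
    // systemd attaches the target unit and the requested verb as details.
    var unit = action.lookup("unit");
    var verb = action.lookup("verb");
    if (ALLOWED_UNITS.indexOf(unit) !== -1 && ALLOWED_VERBS.indexOf(verb) !== -1) {
        return polkit.Result.YES;
    }
    // Everything else falls through to later rules and the default policy,
    // so an unlisted unit or a missing detail is never granted here.
    return polkit.Result.NOT_HANDLED;
});
// ---- Body of the rules file ends here ----

// Constructed harness: call the registered rules in order and return the
// first result that is not NOT_HANDLED, as polkitd does.
function evaluate(actionId, details, groups) {
    var action = { id: actionId, lookup: function(key) { return details[key]; } };
    var subject = { isInGroup: function(g) { return groups.indexOf(g) !== -1; } };
    for (var i = 0; i < polkit.rules.length; i++) {
        var result = polkit.rules[i](action, subject);
        if (result) { return result; }
    }
    return polkit.Result.NOT_HANDLED;
}

// Constructed requests: allowed unit, unlisted unit, user outside the group.
var MANAGE = "org.freedesktop.systemd1.manage-units";
console.log(evaluate(MANAGE, { unit: "nginx.service", verb: "restart" }, ["operators"]));
console.log(evaluate(MANAGE, { unit: "sshd.service", verb: "stop" }, ["operators"]));
console.log(evaluate(MANAGE, { unit: "nginx.service", verb: "restart" }, ["users"]));
```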
<p>In order to allow a certain group to perform any administrative action you could add
      a rule like this:</p>
<pre class="programlisting">
polkit.addAdminRule(function(action, subject) {
    return ["unix-group:operators"];
});
</pre>
</div>
</div>
<div class="footer"><hr></div>
</body>
</html>