Question: Is it possible to grant selective Administrative access?

[SansVgy]

I'm new to Cockpit and I'm trying to customize it for different admin levels, implementing a certain amount of granularity in permissions. The goal is to grant subadmin groups selective permissions to Cockpit's pages (much in the same way as can be done with sudo), or at least restrict some of them even if the user is in Administrative access mode.

For instance, let's say we have the group accountoperators and allow them to manage (create/delete) user accounts by granting them privileges to run /sbin/useradd and /sbin/userdel in sudoers.
As it turns out, this is not enough to grant them Administrative access to the Cockpit Accounts Page - to do that I have to grant them sudo privileges for /bin/cockpit-bridge. This gives the users administrative access to all Cockpit pages including some they're not supposed to run, for instance Services.

I've tried to deny them access with a custom polkit rule based on the last example given on

https://cockpit-project.org/guide/latest/feature-systemd.html

polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.systemd1.manage-units") {
        if (subject.isInGroup("accountoperators")) {
            var verb = action.lookup("verb");
            if (verb == "start" || verb == "stop" || verb == "restart") {
                return polkit.Result.NO;
            }
        }
    }
});

but this seems to be ignored by Cockpit which makes me assume that cockpit-bridge has an "all or nothing" approach to access rights. Is there a way to achieve selective Administrative access for different admin groups or am I fighting a loosing battle here?

[martinpitt]

Using polkit rules to grant non-admin users additional privileges is generally right (that's the main purpose of polkit, after all). The problem is just that most cockpit pages are not expecting that -- they just check if the user can become root (via sudo), but almost all pages don't try to do an administrative action as normal user. (The only exception is the firewall page).

In many cases that's not even possible. E.g. the Accounts page calls programs like useradd or passwd, which don't support polkit. This is only possible for D-Bus APIs such as systemd. Specifically for the Services page we already have issue #16345 for that.

or at least restrict some of them even if the user is in Administrative access mode.

That isn't possible in Linux (not specific to Cockpit). If you can get root privileges through sudo, you can't restrict your privileges afterwards. For that you need systems like SELinux or RSBAC.

So this is by and large a duplicate of #16345.

[knacky34]

If you have some experience with SELinux, could you explain the principle to restrict user privilege after sudo was used?
I think I understood the basics of SELinux but I don't know how to apply it to this issue.

[doubleopinter]

Interesting, I kind of have a related question. I'd like to give a user only access to changing the network settings. Is that possible?

[martinpitt]

Again, technically yes (it's a polkit controlled D-Bus service), but Cockpit's UI does not check that.