Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Sudoers based authorizations for Cockpit UI #5805

Open
stephdl opened this issue Aug 19, 2019 · 5 comments

Comments

@stephdl
Copy link

commented Aug 19, 2019

Role delegations in cockpit are based on a roles.json file which describes what route is available, this could be enhanced from a security perspective view.

Proposed solution

I propose to store the routes permission inside the esmith database configuration (only root accessible), expand from it the sudoers.d/file to allow the user to use the needed API, then read delegation from sudo -ll -U username inside system-authorization/read

Alternative solution

The proposed solution is consistent with the current sudoers configuration used by Nethgui in NS7. It is quite verbose from a developer perspective but enables a fine-grained sudo-based API access control.

An alternative (and radical) approach, could be granting wheel-like access to any user who requires special access to the UI. Only at UI level, unauthorized modules are hidden. At the API level access is always granted by wheel-like permissions.

This solution does not rely on sudo for individual API calls, we can remove them from the code completely. It relies on Cockpit privilege escalation only (i.e. the "privileged" checkbox at cockpit login).

Development documentation

Implementors have to follow the updated documentation from nethserver-cockpit sudoers_wo_json branch:

https://github.com/NethServer/nethserver-cockpit/blob/sudoers_wo_json/docs/docs/authorizations.md

Dependant packages

  • Follow the development documentation
  • Open a PR and add the reference to this issue NethServer/dev#5805
  • Tick the checkbox below when the PR is ready for review

This is the list of (known) dependant packages that needs to be fixed.


Thank to @DavidePrincipi for ideas and all his works

@DavidePrincipi DavidePrincipi added this to ✋ Needs review in NethServer 7 via automation Aug 19, 2019

@DavidePrincipi DavidePrincipi moved this from ✋ Needs review to ⚙ Developing in NethServer 7 Aug 19, 2019

@DavidePrincipi DavidePrincipi added this to To do in Cockpit via automation Aug 19, 2019

@DavidePrincipi DavidePrincipi moved this from To do to In progress in Cockpit Aug 19, 2019

@DavidePrincipi DavidePrincipi self-assigned this Aug 21, 2019

@DavidePrincipi

This comment has been minimized.

@DavidePrincipi DavidePrincipi changed the title Cockpit: roles delegation from sudo permissions Sudoers based authorizations for Cockpit UI Aug 21, 2019

@DavidePrincipi DavidePrincipi added this to the 7.7.1908 milestone Aug 22, 2019

@DavidePrincipi

This comment has been minimized.

Copy link
Member

commented Aug 22, 2019

Added alternative solution to issue description

The alternative solution could be an idea for NS8!

@DavidePrincipi

This comment has been minimized.

Copy link
Member

commented Aug 23, 2019

QA note

Group names containing space minus - and underscore _ must be accepted

/cc @edospadoni

@stephdl

This comment has been minimized.

Copy link
Author

commented Aug 26, 2019

I cannot reproduce, group name with '-' or '_' doesn't break sudoers files, login and delegation are workable. For the records my tests were with nethserver-directory

[root@ns7loc14 ~]# rpm -qa | grep -i nethserver-cockpit
nethserver-cockpit-lib-0.11.0-1.56.pr117.g94909cc.ns7.noarch
nethserver-cockpit-0.11.0-1.56.pr117.g94909cc.ns7.noarch
  • '_'
%plop_plip ALL=NOPASSWD: NSAPI_NETHSERVER_FIREWALL_BASE, NSAPI_PUBLIC, NSAPI_SYSTEM_DISK_USAGE, NSAPI_SYSTEM_SERVICES, NSAPI_SYSTEM_SUBSCRIPTION
visudo -c
/etc/sudoers.d/50_nsapi: parsed OK
/etc/sudoers.d/55_nsapi_perms: parsed OK
  • '-'
%plop-plip ALL=NOPASSWD: NSAPI_NETHSERVER_FIREWALL_BASE, NSAPI_PUBLIC, NSAPI_SYSTEM_DISK_USAGE, NSAPI_SYSTEM_SERVICES, NSAPI_SYSTEM_SUBSCRIPTION
visudo -c
/etc/sudoers.d/50_nsapi: parsed OK
/etc/sudoers.d/55_nsapi_perms: parsed OK
@edospadoni

This comment has been minimized.

Copy link
Member

commented Aug 26, 2019

The problem is:

  • Cmnd_Alias ASD-ZXC =/usr/libexec/nethserver/api/system-*/read, then
  • %asd-zxc ALL=NOPASSWD: ASD-ZXC

If the name of the alias contains -, the sudoers syntax is broken. The new implementation of delegations should fix the problem.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.