Sudoers based authorizations for Cockpit UI #5805
Role delegations in cockpit are based on a
I propose to store the routes permission inside the esmith database configuration (only root accessible), expand from it the sudoers.d/file to allow the user to use the needed API, then read delegation from
The proposed solution is consistent with the current sudoers configuration used by Nethgui in NS7. It is quite verbose from a developer perspective but enables a fine-grained sudo-based API access control.
An alternative (and radical) approach could be granting wheel-like access to any user who requires special access to the UI. Only at UI level, unauthorized modules are hidden. At the API level access is always granted by wheel-like permissions.
This solution does not rely on sudo for individual API calls; we can remove them from the code completely. It relies on Cockpit privilege escalation only (i.e. the "privileged" checkbox at cockpit login).
Implementors have to follow the updated documentation from nethserver-cockpit
This is the list of (known) dependent packages that need to be fixed.
Thanks to @DavidePrincipi for ideas and all his work
Updated issue description:
I cannot reproduce: a group name with '-' or '_' doesn't break sudoers files, and login and delegation are workable. For the record, my tests were with nethserver-directory
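An added sketch (not code from this issue or from nethserver-cockpit) of the sudoers.d expansion proposed in the issue description, with the group-name and command-path validation that keeps a delegation entry from injecting extra sudoers rules. The delegation table, the group names and the `/usr/libexec/example-api/...` paths are constructed placeholders, and rejecting anything outside a conservative character set is an assumption of this example.

```python
import re

# Constructed delegation table: group -> API helper commands it may run as root.
# Paths are placeholders, not the project's real API layout.
DELEGATIONS = {
    "mail-admins": ["/usr/libexec/example-api/mail/read",
                    "/usr/libexec/example-api/mail/update"],
    "backup_ops": ["/usr/libexec/example-api/backup/read"],
}

# Conservative group-name policy (assumption): '-' and '_' allowed,
# nothing that carries meaning in sudoers syntax.
GROUP_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")
# Absolute path without whitespace, commas, colons, wildcards, quotes,
# backslashes, '#', '!' or '='.
PATH_RE = re.compile(r"/(?:[A-Za-z0-9._-]+/)*[A-Za-z0-9._-]+")


def render_sudoers(delegations):
    """Return the sudoers.d fragment text; raise ValueError on unsafe input."""
    lines = ["# generated from the delegation table, do not edit"]
    for group in sorted(delegations):
        # fullmatch, not match: '$' would accept a trailing newline
        if not GROUP_RE.fullmatch(group):
            raise ValueError(f"unsafe group name: {group!r}")
        cmds = sorted(delegations[group])
        if not cmds:
            continue  # no grant: emit nothing rather than an empty rule
        for cmd in cmds:
            if not PATH_RE.fullmatch(cmd) or ".." in cmd.split("/"):
                raise ValueError(f"unsafe command path: {cmd!r}")
        lines.append(f"%{group} ALL=(root) NOPASSWD: " + ", ".join(cmds))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_sudoers(DELEGATIONS), end="")
```

Before installing a generated fragment under `/etc/sudoers.d/`, check it with `visudo -cf <file>` and keep it root-owned with mode 0440.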