Is it possible to grant selective administrative access in Cockpit?
Environment
- Red Hat Enterprise Linux (All Versions)
Issue
- Can we control non-root users' permissions at a granular level in Cockpit?

Abilities we want to allow the user:
- Systems Tab:
  - Rebooting Server
- Logs Tab:
  - Access to system logs
- Networking Tab:
  - Network Metrics
- Services Tab:
  - Ability to start and stop services
- Diagnostic Reports Tab:
  - Create Diagnostic Reports
- Subscriptions Tab:
  - Ability to see the status of subscriptions

Abilities that must not be allowed to users:
- System Tab:
  - Not allow setting date and time
  - No ability to change Performance Profile
  - No ability to shutdown server
- Networking Tab:
  - No access to start or stop firewall
  - No ability to add firewall rules
  - No ability to add bonds
  - No ability to add teams
  - No ability to add bridges
  - No ability to add vlans
  - No ability to edit interfaces
- Accounts Tab:
  - No access
- Services Tab:
  - No ability to change the automatic startup option
- Kernel Dump Tab:
  - No ability to edit configuration
- SELinux Tab:
  - No Access
- Subscriptions Tab:
  - No ability to unregister
- Terminal Tab:
  - No Access
Resolution
- Allowing a non-root user sudo access to cockpit-bridge is equivalent to granting full root access. It's the moral equivalent of allowing access to "bash".
- Partial (selective) privileges would not help: they simply don't work with current Cockpit.
Root Cause
- If you can get root privileges through sudo, you can't restrict your privileges afterwards. For that you need systems like SELinux or RSBAC.
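
As an added example (not part of the original article, and not Red Hat or Cockpit code), the following Python script audits sudoers text for rules that grant cockpit-bridge, which the Resolution above describes as equivalent to full root. The sample rules, the user and group names, and the function names are constructed for illustration; sudoers aliases and include directives are not expanded.

```python
import re

# Commands that hand the caller an unrestricted root process. cockpit-bridge is
# the case this article covers; the shells and ALL are listed for comparison.
ROOT_EQUIVALENT = {"cockpit-bridge", "bash", "sh", "ALL"}

# Constructed sample sudoers content (assumed names, not from a real host).
SAMPLE_SUDOERS = """\
# helpdesk may only restart one service
helpdesk ALL=(root) /usr/bin/systemctl restart httpd.service
# intended as a limited Cockpit admin, but this is full root
webadmin ALL=(root) NOPASSWD: /usr/bin/cockpit-bridge
%operators ALL=(ALL) /usr/bin/systemctl status *, \\
    /usr/bin/cockpit-bridge
Defaults:webadmin !requiretty
"""

def logical_lines(text):
    """Join backslash-continued lines, then drop comments and blank lines."""
    joined = re.sub(r"\\\n\s*", " ", text)
    for line in joined.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line

def root_equivalent_grants(text):
    """Return (who, command) pairs whose command is root-equivalent."""
    findings = []
    for line in logical_lines(text):
        if line.startswith("Defaults") or "=" not in line:
            continue
        who = line.split()[0]
        spec = line.split("=", 1)[1]
        spec = re.sub(r"^\s*\([^)]*\)", "", spec)  # drop the (runas) list
        for cmd in spec.split(","):
            cmd = re.sub(r"^\s*(?:[A-Z_]+:\s*)+", "", cmd).strip()  # drop tags such as NOPASSWD:
            if cmd and cmd.split()[0].rsplit("/", 1)[-1] in ROOT_EQUIVALENT:
                findings.append((who, cmd))
    return findings

if __name__ == "__main__":
    for who, cmd in root_equivalent_grants(SAMPLE_SUDOERS):
        print(f"{who}: '{cmd}' is equivalent to full root access")
```
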
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.