Users member of the netdev group not permitted to modify network #17339

Closed
Nordal opened this issue May 12, 2022 · 7 comments
Comments


Nordal commented May 12, 2022

Explain what happens

Normally users of the netdev group should be able to modify network settings. This is not the case when using cockpit.
I checked polkit, and there's even a file allowing this:

```ini
[Adding or changing system-wide NetworkManager connections]
Identity=unix-group:netdev;unix-group:sudo
Action=org.freedesktop.NetworkManager.settings.modify.system
ResultAny=no
ResultInactive=no
ResultActive=yes
```

The same user can modify network with nmcli.

Version of Cockpit

215

Where is the problem in Cockpit?

Networking

Server operating system

Ubuntu

Server operating system version

20.04.4

What browsers are you using?

Chrome

System log

No response
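
A simplified model of how the `.pkla` entry quoted in the post above is evaluated, as an added example that is not part of the original issue or of Cockpit's code. The function names and the `local`/`active` session flags are assumptions for illustration; the matching follows the pklocalauthority format (semicolon-separated globs for `Identity` and `Action`, `ResultActive`/`ResultInactive` for local sessions, `ResultAny` otherwise).

```python
import configparser
from fnmatch import fnmatchcase

# The .pkla entry quoted in the issue, embedded so the example runs offline.
PKLA = """\
[Adding or changing system-wide NetworkManager connections]
Identity=unix-group:netdev;unix-group:sudo
Action=org.freedesktop.NetworkManager.settings.modify.system
ResultAny=no
ResultInactive=no
ResultActive=yes
"""

def load_pkla(text):
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case (Identity, ResultActive, ...)
    cp.read_string(text)
    return cp

def evaluate(cp, action, user, groups, local, active):
    """Return the result of the last matching entry, or None if none matches.

    `local` and `active` describe the caller's session (assumed inputs here;
    on a real system polkit derives them from the login session).
    """
    idents = {f"unix-user:{user}"} | {f"unix-group:{g}" for g in groups}
    result = None
    for name in cp.sections():
        sec = cp[name]
        id_globs = [g for g in sec.get("Identity", "").split(";") if g]
        act_globs = [g for g in sec.get("Action", "").split(";") if g]
        if not any(fnmatchcase(i, g) for i in idents for g in id_globs):
            continue
        if not any(fnmatchcase(action, g) for g in act_globs):
            continue
        # Pick the Result* key that applies to this kind of session.
        if local and active:
            key = "ResultActive"
        elif local:
            key = "ResultInactive"
        else:
            key = "ResultAny"
        result = sec.get(key, result)  # a missing key leaves the result as is
    return result
```

With this entry, only a netdev or sudo member in an active local session gets `yes`; the same identity in an inactive or non-local session gets `no`, and any other identity or action is not matched at all.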

@Nordal Nordal added the bug label May 12, 2022

Nordal commented May 12, 2022

I just tried updating to Web Console (did it change name?) 264 via backports. Still the same result.

@martinpitt
Member

Same issue as in #11033 or #16345. Most cockpit pages don't do polkit checks.


Nordal commented May 13, 2022

OK, but if the networking page does not do a polkit check, why does a user who is a member of the netdev group not have permission to modify the network settings? (I have added `renderer: NetworkManager` in the netplan yaml file.)

On the Privileges and Permissions page here: https://cockpit-project.org/guide/latest/privileges.html
it is stated that:

> When a user is logged into Cockpit, they are logged into a normal session that has exactly the same privileges as if they logged in via SSH or on the console.

This does not seem to be correct? So if the above is the intention, what is then stopping a user in the netdev group from modifying networks via cockpit?

BR Kasper

@martinpitt
Member

The issue is that the UI hides the privileged operations if you are not in "admin" (i.e. sudo) mode. The UI only knows about "unprivileged user" and "root through sudo", which is reflected by the "Limited access" vs. "Administrative access" indicator in the panel. So while the session would have the privilege to do (certain) network operations, the UI doesn't know that.


Nordal commented May 14, 2022

So, if I want a user only to be able to modify the network, and nothing else, how should I do that?
I tried to add a sudoers entry like this: `username ALL=/usr/sbin/NetworkManager`
This did not change anything.
It seems that it is not possible to have a restricted user doing anything unless they have full sudo access, which is not acceptable in my case?

@martinpitt
Member

@Nordal: Sorry, you can't do this with cockpit right now.

Please don't allow sudo access to NetworkManager - that's the system service, controlled by the systemd unit. Humans should not run this.

@KKoukiou
Contributor

Closing in favor of the more generic issue #17346
