If the firewalld configuration is considered to be read-only, then the interface does not allow the authenticated user to start/stop the Firewall or to modify the zones. That's good, but I think the check for read-only needs to be improved.
It's done by executing the command `pkcheck --action-id org.fedoraproject.FirewallD1.all --process $$ --allow-user-interaction` (see here), which needs polkit to be installed. So no PolicyKit -> no pkcheck -> no firewall configuration.
In a system in which polkit is not installed, it should still be possible to manage the firewall if you log into Cockpit as root. I did a test in such a system just hacking Cockpit to remove the pkcheck call and it certainly worked. So PolicyKit is not really a requirement to manage Firewalld from Cockpit (at least with a privileged user).
I just saw #11033 which states the check done by the Firewall page should be adopted everywhere. Please, improve the Firewall check first. Adopting it everywhere in its current form would make Cockpit totally dependent on polkit.
Version of Cockpit
271
Where is the problem in Cockpit?
Firewall
Server operating system
openSUSE
Server operating system version
ALP
What browsers are you using?
Firefox
System log
No response
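The fallback requested in this issue, as an added shell example (not Cockpit's code): use the polkit verdict when `pkcheck` gives one, otherwise treat only uid 0 as read-write. The function name `firewall_access` and its optional uid argument are hypothetical; the exit-code meanings follow pkcheck(1).

```shell
#!/bin/sh
# Added example, not taken from Cockpit. firewall_access is a hypothetical
# helper that prints "read-write" or "read-only" for the calling session.

FIREWALLD_ACTION="org.fedoraproject.FirewallD1.all"

firewall_access() {
    # Optional first argument overrides the uid (hypothetical, for testing).
    uid="${1:-$(id -u)}"

    if command -v pkcheck >/dev/null 2>&1; then
        rc=0
        pkcheck --action-id "$FIREWALLD_ACTION" --process $$ \
                --allow-user-interaction >/dev/null 2>&1 || rc=$?
        case "$rc" in
            0)
                # polkit authorized the action
                echo "read-write"; return 0 ;;
            1|2|3)
                # polkit answered: not authorized, no agent, or dismissed
                echo "read-only"; return 0 ;;
        esac
        # Any other code (127 = error while checking) is not a verdict,
        # so fall through to the uid check below.
    fi

    # No polkit verdict available: fail closed for everyone except root.
    if [ "$uid" -eq 0 ]; then
        echo "read-write"
    else
        echo "read-only"
    fi
}

# Usage: access=$(firewall_access)
```

An explicit polkit denial is kept as read-only even for uid 0, so the fallback only applies when polkit cannot answer at all.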
martinpitt changed the title from "Permissions check for Firewall rely on pkcheck, which may not be always correct" to "Permissions check for Firewall rely on pkcheck; fall back to root check" on Aug 30, 2022