Setting sudo iolog_dir seems to break privilege escalation in Cockpit

Open jabofh opened this issue 2 years ago • 0 comments

Explain what happens

  1. Configure sudo IO Logging to files (please see example below),
  2. You will likely see "Cockpit-bridge: recvmsg(stdin) failed: Socket operation on non-socket" when you attempt to switch to administrative access,
  3. Disable IO Logging,
  4. Switching to administrative access succeeds.

Example /etc/sudoers.d/wheel file:

Defaults log_host
Defaults iolog_dir=/var/log/sudo-io

# Members of the admin group may gain root privileges
%wheel ALL=(ALL) LOG_OUTPUT:LOG_INPUT: ALL

# prevent recursive logging
%wheel ALL=(ALL) NOLOG_OUTPUT:NOLOG_INPUT: /usr/bin/sudoreplay

Version of Cockpit

264.1

Where is the problem in Cockpit?

No response

Server operating system

other

Server operating system version

AlmaLinux 8.6

What browsers are you using?

Firefox, Safari macOS

System log

-- Logs begin at Sun 2022-05-15 10:01:34 SAST, end at Tue 2022-05-31 21:55:25 SAST. --
May 31 21:05:57 base.damn.org.za systemd[1]: Starting PackageKit Daemon...
May 31 21:05:57 base.damn.org.za dbus-daemon[902]: [system] Rejected send message, 1 matched rules; type="method_call", sender=":1.8419" (uid=1000 pid=37932 comm="cockpit-bridge " label="unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023") interface="org.freedesktop.DBus.Properties" member="GetAll" error name="(unset)" requested_reply="0" destination="org.fedoraproject.Setroubleshootd" (uid=996 pid=37928 comm="/usr/libexec/platform-python -Es /usr/sbin/setroub" label="system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023")
May 31 21:05:57 base.damn.org.za dbus-daemon[902]: [system] Rejected send message, 1 matched rules; type="method_call", sender=":1.8419" (uid=1000 pid=37932 comm="cockpit-bridge " label="unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023") interface="org.freedesktop.DBus.Properties" member="GetAll" error name="(unset)" requested_reply="0" destination="org.fedoraproject.Setroubleshootd" (uid=996 pid=37928 comm="/usr/libexec/platform-python -Es /usr/sbin/setroub" label="system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023")
May 31 21:05:57 base.damn.org.za PackageKit[37996]: daemon start
May 31 21:05:58 base.damn.org.za dbus-daemon[902]: [system] Successfully activated service 'org.fedoraproject.SetroubleshootFixit'
May 31 21:05:58 base.damn.org.za dbus-daemon[902]: [system] Successfully activated service 'org.freedesktop.PackageKit'
May 31 21:05:58 base.damn.org.za systemd[1]: Started PackageKit Daemon.
May 31 21:05:58 base.damn.org.za dbus-daemon[902]: [system] Rejected send message, 1 matched rules; type="method_call", sender=":1.8419" (uid=1000 pid=37932 comm="cockpit-bridge " label="unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023") interface="org.freedesktop.DBus.Properties" member="GetAll" error name="(unset)" requested_reply="0" destination="org.fedoraproject.SetroubleshootFixit" (uid=0 pid=37997 comm="/usr/libexec/platform-python -Es /usr/share/setrou" label="system_u:system_r:setroubleshoot_fixit_t:s0-s0:c0.c1023")
May 31 21:05:58 base.damn.org.za dbus-daemon[902]: [system] Rejected send message, 1 matched rules; type="method_call", sender=":1.8419" (uid=1000 pid=37932 comm="cockpit-bridge " label="unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023") interface="org.freedesktop.DBus.Properties" member="GetAll" error name="(unset)" requested_reply="0" destination="org.fedoraproject.SetroubleshootFixit" (uid=0 pid=37997 comm="/usr/libexec/platform-python -Es /usr/share/setrou" label="system_u:system_r:setroubleshoot_fixit_t:s0-s0:c0.c1023")
May 31 21:05:59 base.damn.org.za dbus-daemon[902]: [system] Activating via systemd: service name='com.redhat.RHSM1' unit='rhsm.service' requested by ':1.8423' (uid=1000 pid=37932 comm="cockpit-bridge " label="unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023")
May 31 21:05:59 base.damn.org.za systemd[1]: Starting RHSM dbus service...
May 31 21:06:02 base.damn.org.za dbus-daemon[902]: [system] Successfully activated service 'com.redhat.RHSM1'
May 31 21:06:02 base.damn.org.za systemd[1]: Started RHSM dbus service.
May 31 21:06:04 base.damn.org.za PackageKit[37996]: uid 1000 is trying to obtain org.freedesktop.packagekit.system-sources-refresh auth (only_trusted:0)
May 31 21:06:04 base.damn.org.za polkitd[905]: Operator of unix-session:10 FAILED to authenticate to gain authorization for action org.freedesktop.packagekit.system-sources-refresh for system-bus-name::1.8423 [cockpit-bridge] (owned by unix-user:eroux)
May 31 21:06:04 base.damn.org.za PackageKit[37996]: uid 1000 failed to obtain auth

jabofh, May 31 '22 19:05