Admins group cannot list applications

cockpit

(Stéphane de Labrusse) #1

cc @giacomo cc @edoardo_spadoni

# id plop
uid=1001(plop@nethservertest.org) gid=1000(locals@nethservertest.org) groups=1000(locals@nethservertest.org),1003(admins@nethservertest.org)

The user plop is a member of the group admins@nethservertest.org. With the trick at `admins` group instead of `domain admins` I am root or equivalent (I can create, modify user and group, install software…) but I cannot list applications in the application menu (no application). It is the same for the auditors group.

Of course, applications are installed:

# echo '{"action": "list"}'| /usr/libexec/nethserver/api/system-apps/read  |jq
[
  {
    "icon": "legacy.png",
    "name": "Subscription",
    "release": {
      "version": "legacy"
    },
    "description": "-",
    "legacy": 1,
    "editable": 0,
    "url": "Subscription",
    "id": "nethserver-subscription",
    "shortcut": 0
  },
  {
    "icon": "legacy.png",
    "name": "Diagtools",
    "release": {
      "version": "legacy"
    },
    "description": "-",
    "legacy": 1,
    "editable": 0,
    "url": "DiagTools",
    "id": "nethserver-diagtools",
    "shortcut": 0
  },
  {
    "icon": "legacy.png",
    "name": "Restore data",
    "release": {
      "version": "legacy"
    },
    "description": "-",
    "legacy": 1,
    "editable": 0,
    "url": "RestoreData",
    "id": "nethserver-restore-data",
    "shortcut": 0
  },
  {
    "icon": "legacy.png",
    "name": "Cgp",
    "release": {
      "version": "legacy"
    },
    "description": "-",
    "legacy": 1,
    "editable": 0,
    "url": "CGP",
    "id": "nethserver-cgp",
    "shortcut": 0
  }
]

What did I do wrong?

# cat /etc/nethserver/cockpit/authorization/roles.json
{
  "admins": {
    "system": [
      "storage",
      "disk-usage",
      "certificates",
      "backup",
      "dns",
      "dhcp",
      "services",
      "users-groups",
      "network",
      "ssh",
      "tls-policy",
      "trusted-networks",
      "logs",
      "applications",
      "software-center",
      "subscription",
      "terminal"
    ],
    "applications": [ "nethserver-cgp","nethserver-diagtools" ]
  },
  "managers": {
    "system": [
      "services",
      "users-groups"
    ],
    "applications": []
  },
"auditors":
{
   "system": [ "ssh" ],
   "applications": [ "nethserver-cgp" ]
}
}

(Stéphane de Labrusse) #2

Probably related: first I restarted cockpit, as you can see in the log traces, then I went to the applications menu.

Jan  2 22:28:45 ns7loc14 systemd: Starting Cockpit Web Service...
Jan  2 22:28:45 ns7loc14 remotectl: /usr/bin/chcon: can't apply partial context to unlabeled file ‘/etc/cockpit/ws-certs.d/99-nethserver.cert’
Jan  2 22:28:45 ns7loc14 remotectl: remotectl: couldn't change SELinux type context 'etc_t' for certificate: /etc/cockpit/ws-certs.d/99-nethserver.cert: Child process exited with code 1
Jan  2 22:28:45 ns7loc14 systemd: Started Cockpit Web Service.
Jan  2 22:28:45 ns7loc14 cockpit-ws: Using certificate: /etc/cockpit/ws-certs.d/99-nethserver.cert
Jan  2 22:29:01 ns7loc14 cockpit-session: pam_ssh_add: Failed adding some keys
Jan  2 22:29:01 ns7loc14 systemd: Created slice User Slice of plop@nethservertest.org.
Jan  2 22:29:01 ns7loc14 systemd-logind: New session 7 of user plop@nethservertest.org.
Jan  2 22:29:01 ns7loc14 systemd: Started Session 7 of user plop@nethservertest.org.
Jan  2 22:29:02 ns7loc14 cockpit-ws: logged in user session
Jan  2 22:29:02 ns7loc14 cockpit-bridge: invalid or unusable locale: fr.UTF-8
Jan  2 22:29:03 ns7loc14 cockpit-ws: New connection to session from 192.168.56.1
Jan  2 22:29:04 ns7loc14 dbus[2797]: [system] Activating via systemd: service name='org.freedesktop.hostname1' unit='dbus-org.freedesktop.hostname1.service'
Jan  2 22:29:04 ns7loc14 systemd: Starting Hostname Service...
Jan  2 22:29:04 ns7loc14 dbus[2797]: [system] Successfully activated service 'org.freedesktop.hostname1'
Jan  2 22:29:04 ns7loc14 systemd: Started Hostname Service.
Jan  2 22:29:06 ns7loc14 dbus[2797]: [system] Activating via systemd: service name='org.freedesktop.timedate1' unit='dbus-org.freedesktop.timedate1.service'
Jan  2 22:29:06 ns7loc14 systemd: Starting Time & Date Service...
Jan  2 22:29:06 ns7loc14 dbus[2797]: [system] Successfully activated service 'org.freedesktop.timedate1'
Jan  2 22:29:06 ns7loc14 systemd: Started Time & Date Service.
Jan  2 22:29:06 ns7loc14 cockpit-bridge: cannot reauthorize identity(s): unix-user:root 
Jan  2 22:29:06 ns7loc14 cockpit-bridge: Error executing command as another user: Not authorized
Jan  2 22:29:06 ns7loc14 cockpit-bridge: This incident has been reported.
Jan  2 22:29:06 ns7loc14 dbus[2797]: [system] Activating via systemd: service name='org.freedesktop.realmd' unit='realmd.service'
Jan  2 22:29:06 ns7loc14 systemd: Starting Realm and Domain Configuration...
Jan  2 22:29:06 ns7loc14 dbus[2797]: [system] Successfully activated service 'org.freedesktop.realmd'
Jan  2 22:29:06 ns7loc14 systemd: Started Realm and Domain Configuration.
Jan  2 22:29:06 ns7loc14 cockpit-bridge: We trust you have received the usual lecture from the local System
Jan  2 22:29:06 ns7loc14 cockpit-bridge: Administrator. It usually boils down to these three things:
Jan  2 22:29:06 ns7loc14 cockpit-bridge: #1) Respect the privacy of others.
Jan  2 22:29:06 ns7loc14 cockpit-bridge: #2) Think before you type.
Jan  2 22:29:06 ns7loc14 cockpit-bridge: #3) With great power comes great responsibility.
Jan  2 22:29:08 ns7loc14 cockpit-bridge: Sorry, try again.
Jan  2 22:29:10 ns7loc14 cockpit-bridge: Sorry, try again.
Jan  2 22:29:12 ns7loc14 cockpit-bridge: sudo: 3 incorrect password attempts

(Giacomo Sanchietti) #3

The sudo configuration is wrong, you need to add the !requiretty option.

Also, try to execute `/usr/libexec/nethserver/api/system-authorization/read` with the logged-in user to see what the authorizations are.
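An added example, not part of the thread and not NethServer's own code: an offline check that computes which authorizations the posted `roles.json` should grant to the user from the posted `id` output. It assumes a role applies when its key equals the user's group name with the `@domain` suffix stripped; the function names and the trimmed `roles.json` sample are constructed for illustration.

```python
import json

# Constructed sample: trimmed copy of the roles.json posted in #1.
ROLES_JSON = """
{
  "admins": {"system": ["users-groups", "applications", "software-center"],
             "applications": ["nethserver-cgp", "nethserver-diagtools"]},
  "managers": {"system": ["services", "users-groups"], "applications": []},
  "auditors": {"system": ["ssh"], "applications": ["nethserver-cgp"]}
}
"""

# Output of `id plop` as posted in #1.
ID_OUTPUT = ("uid=1001(plop@nethservertest.org) gid=1000(locals@nethservertest.org) "
             "groups=1000(locals@nethservertest.org),1003(admins@nethservertest.org)")


def groups_from_id(id_output):
    """Return short group names (domain suffix stripped) from `id` output."""
    entries = id_output.partition("groups=")[2].split(",")
    names = set()
    for entry in entries:
        # Each entry looks like 1003(admins@domain); names may contain spaces.
        if "(" in entry and entry.rstrip().endswith(")"):
            full = entry[entry.index("(") + 1:entry.rindex(")")]
            names.add(full.split("@", 1)[0])
    return names


def expected_authorizations(id_output, roles_json):
    """Union the sections of every role matching one of the user's groups.

    Assumption: a role applies when its key equals the short group name.
    """
    roles = json.loads(roles_json)
    granted = {"system": set(), "applications": set()}
    matched = []
    for group in sorted(groups_from_id(id_output)):
        role = roles.get(group)
        if role is None:
            continue  # e.g. "locals" has no role entry
        matched.append(group)
        for section in granted:
            granted[section].update(role.get(section, []))
    return matched, {key: sorted(value) for key, value in granted.items()}


if __name__ == "__main__":
    matched_roles, auth = expected_authorizations(ID_OUTPUT, ROLES_JSON)
    print("matched roles:", matched_roles)
    print(json.dumps(auth, indent=2))
```

If the result here lists applications but the output of `/usr/libexec/nethserver/api/system-authorization/read` for the same user does not, `roles.json` is not the cause and the sudo layer mentioned in #3 is the next thing to check.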