Bug 1216080

Summary: cockpit-ws: /etc/cockpit/disallowed-users is ignored
Product: [openSUSE] openSUSE Tumbleweed
Reporter: Adam Majer <amajer>
Component: Other
Assignee: Cockpit Bugs <Cockpit-bugs>
Status: RESOLVED FIXED
QA Contact: E-mail List <qa-bugs>
Severity: Normal
Priority: P1 - Urgent
CC: joe, jsegitz, robert.simai, zluo
Version: Current
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Adam Majer 2023-10-10 08:06:54 UTC
This affects all cockpit versions, not just TW.

The default configuration we show in /etc/cockpit/disallowed-users,

# List of users which are not allowed to login to Cockpit
root


but this list is ignored and root can log in. What is missing is this in /etc/pam.d/cockpit

auth       required     pam_listfile.so item=user sense=deny file=/etc/cockpit/disallowed-users onerr=succeed

followed by rest of the file.


So we should either not ship this file, or set up PAM accordingly.
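
The condition described in this report can be checked mechanically. The following is an added example, not part of the original report or of the cockpit package: a shell function that reports whether a PAM service file enforces a pam_listfile deny list for a given user. The function name, status words and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: report whether a PAM service file enforces a pam_listfile
# deny list for a user. Function name and status words are illustrative.
# Assumption: control fields are simple keywords, not the [value=action] form.
# Prints: missing | late | unreadable-list | not-listed | denied
denylist_status() {
    pam_file=$1 list_file=$2 user=$3
    verdict=$(awk -v list="$list_file" '
        NF == 0 || $1 ~ /^#/ { next }           # skip blank lines and comments
        { type = $1; sub(/^-/, "", type) }      # leading "-" only silences logging
        type != "auth" { next }
        {
            n++                                 # position within the auth stack
            if ($3 != "pam_listfile.so" && $3 !~ /\/pam_listfile\.so$/) next
            if ($2 != "required" && $2 != "requisite") next
            item = sense = file = 0
            for (i = 4; i <= NF; i++) {
                if ($i == "item=user") item = 1
                if ($i == "sense=deny") sense = 1
                if ($i == ("file=" list)) file = 1
            }
            if (item && sense && file) { found = (n == 1) ? "first" : "late"; exit }
        }
        END { print (found == "" ? "missing" : found) }
    ' "$pam_file")
    # late: the rule exists but is not the first auth entry; an earlier
    # sufficient module or include can end the stack before it is consulted.
    case $verdict in
        missing|late) echo "$verdict"; return 0 ;;
    esac
    # With onerr=succeed, a list that cannot be opened lets every user through.
    [ -r "$list_file" ] || { echo "unreadable-list"; return 0; }
    # pam_listfile expects one item per line; match the whole line literally.
    if grep -Fxq -- "$user" "$list_file"; then echo "denied"; else echo "not-listed"; fi
}

# Constructed sample files in a temporary directory (not the real /etc).
tmp=$(mktemp -d)
printf '# List of users which are not allowed to login to Cockpit\nroot\n' > "$tmp/disallowed-users"
printf '#%%PAM-1.0\nauth include common-auth\n' > "$tmp/unfixed"
printf 'auth required pam_listfile.so item=user sense=deny file=%s onerr=succeed\nauth include common-auth\n' \
    "$tmp/disallowed-users" > "$tmp/fixed"
echo "unfixed: $(denylist_status "$tmp/unfixed" "$tmp/disallowed-users" root)"
echo "fixed:   $(denylist_status "$tmp/fixed" "$tmp/disallowed-users" root)"
rm -rf "$tmp"
```

On a real host the arguments would be /etc/pam.d/cockpit, /etc/cockpit/disallowed-users and the account name to test.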
Comment 3 Adam Majer 2024-03-04 15:07:05 UTC
Fix submitted to Factory and SLEM 6.0
Comment 5 OBSbugzilla Bot 2024-03-04 15:35:02 UTC
This is an autogenerated message for OBS integration:
This bug (1216080) was mentioned in
https://build.opensuse.org/request/show/1154719 Factory / cockpit
Comment 6 OBSbugzilla Bot 2024-03-04 17:35:04 UTC
This is an autogenerated message for OBS integration:
This bug (1216080) was mentioned in
https://build.opensuse.org/request/show/1154833 Factory / cockpit
Comment 7 Joachim Werner 2024-03-05 10:04:14 UTC
This has documentation impact. At least the SLE Micro 5.5 docs explicitly mention the root option.

Also, we need to test thoroughly whether elevating privileges after logging in with a non-root account actually works as expected. I've seen issues on 5.5 with the update module not working.
Comment 8 Robert Simai 2024-03-05 10:35:07 UTC
(In reply to Joachim Werner from comment #7)
> This has documentation impact. At least the SLE Micro 5.5 docs explicitly
> mention the root option.

Already spoke to Jana about the docs (for 6, there's no change for 5.5), they are on top of it.

> Also, we need to test thoroughly whether elevating privileges after logging
> in with a non-root account actually works as expected. I've seen issues on
> 5.5 with the update module not working.

Can you please reference these issues?
Comment 10 Joachim Werner 2024-04-19 13:43:58 UTC
Not fixed in aarch64 6.0 RC. Opening a new bug for that.