Cockpit: User not permitted to manage servers

Created on 9 Jun 2018  路  13Comments  路  Source: cockpit-project/cockpit

Hi,

i installed cockpit few days back on several machines. On one (actually the one i want to use as main server) i cant add machines. I always get "User not permitted to manage servers" and also similar messages are available at the user management etc. I use debian 9 and of course i'm part of the sudo group, which works on the web terminal.

I could only find #3176 and saw in the release notes of v168 that this should work now. Actually i dont need to do it through the web interface at all, i mainly use it to have a comfortable overview of the different servers. Is there a way to add servers through the terminal, i couldnt find any information relating to it :(

BR,
B

All 13 comments

It should even have worked before v168, that tested for group sudo membership. Can you do admin operations on that machine, such as stopping/starting services or rebooting?

You can add remote machines programmatically or with an editor, too: https://cockpit-project.org/guide/latest/feature-machines.html

Also, while cockpit is running, can you please check ps aux | grep cockpit-bridge? There should be one instance running as your user, and one as root. If the latter doesn't exist, you can't run administrative tasks and this would explain the "permission denied" thing (before and after v168).

Ahh, the link to the guide was the one i was searching for and couldnt find it. that is what iam going to do the next days.

The problem apperently is that cockpit-bridge is not running as root. But through the cockpit terminal i'm able to run root tasks. Is this a known issue when installing it on a debian system through the repository?

Closing now, as this is quite stale, missing information. If you still have this problem and want to debug it, please follow up with the ps aux | grep cockpit-bridge and a journalctl -b output.

@martinpitt

I have the same problem here, on Ubuntu 16.04 with cockpit version 178

ps aux | grep cockpit-bridge shows
XxXxX 14877 0.3 0.0 363604 11144 ? Sl 19:15 0:01 cockpit-bridge
(The masked XxXxX is my current user name)

sudo journalctl -b |grep cockpit shows
Oct 14 19:12:17 HHHHH sudo[13608]: XxXxX : TTY=pts/8 ; PWD=/home/XxXxX ; USER=root ; COMMAND=/usr/bin/apt search cockpit Oct 14 19:12:26 HHHHH sudo[13612]: XxXxX : TTY=pts/8 ; PWD=/home/XxXxX ; USER=root ; COMMAND=/usr/bin/apt install cockpit Oct 14 19:12:29 HHHHH gnome-session[27589]: (gnome-software:27747): As-WARNING **: failed to rescan: Failed to parse /usr/share/applications/cockpit.desktop.dpkg-new file: cannot process file of type text/plain Oct 14 19:12:29 HHHHH gnome-session[27589]: (gnome-software:27747): As-WARNING **: failed to rescan: Failed to parse /usr/share/applications/cockpit.desktop file: cannot process file of type application/x-desktop Oct 14 19:12:31 HHHHH groupadd[14530]: group added to /etc/group: name=cockpit-ws, GID=129 Oct 14 19:12:31 HHHHH groupadd[14530]: group added to /etc/gshadow: name=cockpit-ws Oct 14 19:12:31 HHHHH groupadd[14530]: new group: name=cockpit-ws, GID=129 Oct 14 19:12:31 HHHHH useradd[14534]: new user: name=cockpit-ws, UID=121, GID=129, home=/, shell=/bin/false Oct 14 19:12:31 HHHHH usermod[14539]: change user 'cockpit-ws' password Oct 14 19:12:31 HHHHH chage[14544]: changed password expiry for cockpit-ws Oct 14 19:12:44 HHHHH sudo[14664]: XxXxX : TTY=pts/8 ; PWD=/home/XxXxX ; USER=root ; COMMAND=/bin/systemctl start cockpit.service Oct 14 19:12:44 HHHHH remotectl[14667]: Generating temporary certificate using: sscg --quiet --lifetime 3650 --key-strength 2048 --cert-key-file /etc/cockpit/ws-certs.d/0-self-signed.cert --cert-file /etc/cockpit/ws-certs.d/0-self-signed.cert --ca-file /etc/cockpit/ws-certs.d/0-self-signed-ca.pem --hostname HHHHH --organization 2fe1d9a7d2b448b4b6b5c5fba9667d93 --subject-alt-name localhost --subject-alt-name IP:127.0.0.1/255.255.255.255 Oct 14 19:12:44 HHHHH remotectl[14667]: Generating temporary certificate using: openssl req -x509 -days 36500 -newkey rsa:2048 -keyout /etc/cockpit/ws-certs.d/0-self-signed.ZI5CRZ.tmp -keyform PEM -nodes -out /etc/cockpit/ws-certs.d/0-self-signed.1J5CRZ.tmp -outform PEM -subj /O=2fe1d9a7d2b448b4b6b5c5fba9667d93/CN=HHHHH -config /tmp/ssl.conf.BK5CRZ -extensions v3_req Oct 14 19:12:44 HHHHH cockpit-ws[14672]: Using certificate: /etc/cockpit/ws-certs.d/0-self-signed.cert Oct 14 19:14:09 HHHHH sudo[14708]: XxXxX : TTY=pts/8 ; PWD=/home/XxXxX ; USER=root ; COMMAND=/bin/systemctl status cockpit Oct 14 19:15:46 HHHHH cockpit-ws[14866]: Using certificate: /etc/cockpit/ws-certs.d/0-self-signed.cert Oct 14 19:15:51 HHHHH cockpit-session[14871]: pam_ssh_add: Identity added: /home/XxXxX/.ssh/id_ed25519 (XxXxX@HHHHH) Oct 14 19:15:51 HHHHH cockpit-session[14871]: pam_unix(cockpit:session): session opened for user XxXxX by (uid=0) Oct 14 19:15:51 HHHHH polkitd(authority=local)[27104]: Registered Authentication Agent for unix-session:2551 (system bus name :1.1784 [cockpit-bridge], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) Oct 14 19:15:51 HHHHH cockpit-ws[14866]: logged in user session Oct 14 19:15:51 HHHHH cockpit-ws[14866]: New connection to session from 127.0.0.1 Oct 14 19:15:54 HHHHH cockpit-bridge[14877]: polkit-agent-helper-1: pam_authenticate failed: Authentication failure Oct 14 19:15:54 HHHHH polkitd(authority=local)[27104]: Operator of unix-session:2551 FAILED to authenticate to gain authorization for action org.freedesktop.policykit.exec for unix-process:14877:743430638 [cockpit-bridge] (owned by unix-user:XxXxX) Oct 14 19:15:54 HHHHH pkexec[14885]: XxXxX: Error executing command as another user: Not authorized [USER=root] [TTY=unknown] [CWD=/run/user/1001] [COMMAND=/usr/bin/cockpit-bridge --privileged] Oct 14 19:15:54 HHHHH cockpit-bridge[14877]: Error executing command as another user: Not authorized Oct 14 19:15:54 HHHHH cockpit-bridge[14877]: This incident has been reported. Oct 14 19:15:56 HHHHH cockpit-bridge[14877]: Sorry, try again. Oct 14 19:15:58 HHHHH cockpit-bridge[14877]: Sorry, try again. Oct 14 19:16:00 HHHHH sudo[14898]: XxXxX : 3 incorrect password attempts ; TTY=unknown ; PWD=/run/user/1001 ; USER=root ; COMMAND=/usr/bin/cockpit-bridge --privileged Oct 14 19:16:00 HHHHH cockpit-bridge[14877]: sudo: 3 incorrect password attempts Oct 14 19:16:00 HHHHH cockpit-bridge[14877]: No journal files were opened due to insufficient permissions. Oct 14 19:20:37 HHHHH cockpit-bridge[14877]: No journal files were opened due to insufficient permissions. Oct 14 19:20:59 HHHHH cockpit-bridge[14877]: No journal files were opened due to insufficient permissions. Oct 14 19:20:59 HHHHH cockpit-bridge[14877]: No journal files were opened due to insufficient permissions. Oct 14 19:22:52 HHHHH sudo[15083]: XxXxX : TTY=pts/18 ; PWD=/etc/systemd/system/sockets.target.wants ; USER=root ; COMMAND=/bin/journalctl -b cockpit-bridge Oct 14 19:22:56 HHHHH sudo[15085]: XxXxX : TTY=pts/18 ; PWD=/etc/systemd/system/sockets.target.wants ; USER=root ; COMMAND=/bin/journalctl -b -u cockpit-bridge Oct 14 19:22:59 HHHHH sudo[15087]: XxXxX : TTY=pts/18 ; PWD=/etc/systemd/system/sockets.target.wants ; USER=root ; COMMAND=/bin/journalctl cockpit-bridge Oct 14 19:23:17 HHHHH sudo[15125]: XxXxX : TTY=pts/18 ; PWD=/etc/systemd/system/sockets.target.wants ; USER=root ; COMMAND=/bin/journalctl -u=cockpit*

@xinyazhang : The log shows that your password was rejected by sudo. It looks like sudo was configured in a non-standard way for you so that your user password is not equal to the sudo password?

@martinpitt : sudo works fine. The suspicious part is pkexec failed to run commands as root without GUI (tried this through ssh).

However I'm not sure this is the root of the cause, since:

  1. I have a Fedora 28 workstation and cockpit works totally fine on it, even ssh+pkexec also failed there
  2. I tried to use Fedora 28's cockpit to control the Ubuntu 16.04's machine remotely. It also works pretty well.

I have the exact same problem, any update on this?

I have a question to this line of the log (from @xinyazhang's log)

Oct 14 19:16:00 HHHHH sudo[14898]:      XxXxX : 3 incorrect password attempts ; TTY=unknown ; PWD=/run/user/1001 ; USER=root ; COMMAND=/usr/bin/cockpit-bridge --privileged

what means PWD=/run/user/1001?

I have the same problem, it seems that cockpit did something wrong when try to invoke sudo.

this is the log:

Jan 13 03:32:49 server cockpit-ws[57574]: Deauthorizing session from xxx.xxx.xxx.xxx
Jan 13 03:33:00 server sudo[16453]: pam_unix(sudo:auth): authentication failure; logname=admin uid=1000 euid=0 tty= ruser=admin rhost=  user=admin
Jan 13 03:33:02 server cockpit-bridge[16063]: Sorry, try again.
Jan 13 03:33:04 server cockpit-bridge[16063]: Sorry, try again.
Jan 13 03:33:06 server sudo[16453]: admin : 3 incorrect password attempts ; TTY=unknown ; PWD=/run/user/1000 ; USER=root ; COMMAND=/usr/bin/cockpit-bridge --privileged
Jan 13 03:33:06 server cockpit-bridge[16063]: sudo: 3 incorrect password attempts
Jan 13 03:33:06 server postfix/pickup[7554]: C3EF02007F: uid=1000 from=<admin>
Jan 13 03:33:06 server postfix/cleanup[16572]: C3EF02007F: message-id=<[email protected]>
Jan 13 03:33:06 server postfix/qmgr[2176]: C3EF02007F: from=<admin@domain>, size=551, nrcpt=1 (queue active)
Jan 13 03:33:06 server postfix/local[16574]: C3EF02007F: to=<root@domain>, orig_to=<root>, relay=local, delay=0.03, delays=0.02/0/0/0.01, dsn=2.0.0, status=sent (delivered to mailbox)
Jan 13 03:33:06 server postfix/qmgr[2176]: C3EF02007F: removed

I had the exact same problem. Same output in syslog. cockpit-bridge process running for my user. It finally started working when, at the cockpit login page, I selected the "Reuse my password for privileged tasks" checkbox.

I don't know much about cockpit, but I suspect that the intent is that when the user doesn't check this box on login, that they will be prompted for their password when performing privileged operations. I never get prompted, just the silent failure.

the user doesn't check this box on login, that they will be prompted for their password when performing privileged operations

No, it doesn't do that -- if you don't check that checkbox, then you get an unprivileged interface.

We are currently working on improving this (https://github.com/cockpit-project/cockpit/wiki/Sudo--Multi-Machine-Overhaul), but for now that's the expected behaviour.

No, it doesn't do that -- if you don't check that checkbox, then you get an unprivileged interface.

Oh! The behavior makes perfect sense then. I think the language of the label on that checkbox might be a bit misleading, cause I didn't interpret it to mean that. This might explain all of the confusion in this issue from people who couldn't get it to work.

Thanks for the reply and all of your hard work on cockpit. It's pretty great.

Was this page helpful?
0 / 5 - 0 ratings