How to use dzdo instead of sudo for privilege escalation? #20654
At my company, we use Centrify (now Delinea) DirectControl to integrate our *nix systems with Active Directory. Centrify comes with a program called dzdo, which is a drop-in replacement for sudo. The difference between the two is that dzdo keeps all its configuration in Active Directory instead of local configuration files. Is there a way to configure Cockpit to use dzdo instead of sudo, short of doing a global find-and-replace against the entire code base? I can't just remove sudo from our systems, because we have other tools that require it. I haven't found anything on Google. I know I can use polkit in place of sudo, but polkit would require a lot of extra configuration, and dzdo is already perfectly configured exactly the way we need it. Thank you.
Replies: 1 comment 5 replies
This has actually come up before, and we don't actually hardcode "sudo" in the code -- it's declared in the shell manifest.

#17536 implemented support for alternative authentication methods. You can create a manifest override to declare another "privileged bridge". It's unfortunately not documented well, but you can create a file /etc/cockpit/shell.override.json with something like

```json
{
  "bridges": [
    {
      "privileged": true,
      "label": "dzdo",
      "spawn": [
        "dzdo", "--some-option", "cockpit-bridge", "--privileged"
      ]
    }
  ]
}
```

Look at the existing sudo/polkit declarations for inspiration.
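A lint for the override described in the answer, as an added example (not Cockpit's code or the replier's): it checks each privileged bridge's `spawn` array and the file's ownership and mode, since this file decides which command is run to obtain the privileged bridge. The checks themselves (root-owned file, helper resolvable on PATH, `cockpit-bridge` present in the arguments) are assumptions of this example, and the constructed sample omits the `--some-option` placeholder.

```python
import json
import os
import shutil
import stat

# Constructed sample mirroring the override from the answer above.
SAMPLE = """{
  "bridges": [
    {"privileged": true, "label": "dzdo",
     "spawn": ["dzdo", "cockpit-bridge", "--privileged"]}
  ]
}"""


def lint_override(text, which=shutil.which):
    """Return findings for the privileged bridges in an override manifest."""
    try:
        manifest = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    bridges = manifest.get("bridges") if isinstance(manifest, dict) else None
    if not isinstance(bridges, list):
        return ['"bridges" must be a list']
    findings = []
    for i, bridge in enumerate(bridges):
        if not isinstance(bridge, dict) or bridge.get("privileged") is not True:
            continue  # only privileged bridges are checked here
        spawn = bridge.get("spawn")
        if not (isinstance(spawn, list) and spawn
                and all(isinstance(arg, str) for arg in spawn)):
            findings.append(f"bridges[{i}]: spawn must be a non-empty list of strings")
            continue
        # Assumption of this lint: the helper's job is to start cockpit-bridge.
        if not any(os.path.basename(arg) == "cockpit-bridge" for arg in spawn[1:]):
            findings.append(f"bridges[{i}]: spawn does not run cockpit-bridge")
        if which(spawn[0]) is None:
            findings.append(f"bridges[{i}]: {spawn[0]!r} not found on PATH")
    return findings


def lint_file_mode(path):
    """Flag an override file that a non-root user could rewrite."""
    st = os.stat(path)
    findings = []
    if st.st_uid != 0:
        findings.append(f"{path}: owner uid {st.st_uid}, expected root")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{path}: group- or world-writable")
    return findings


if __name__ == "__main__":
    print(lint_override(SAMPLE) or "no findings")
```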