How to use dzdo instead of sudo for privilege escalation?

[jmblanton]

At my company, we use Centrify (now Delinea) DirectControl to integrate our *nix systems with Active Directory. Centrify comes with a program called dzdo, which is a drop-in replacement for sudo. The difference between the two is that dzdo keeps all its configuration in Active Directory instead of local configuration files. Is there a way to configure Cockpit to use dzdo instead of sudo, short of doing a global find-and-replace against the entire code base? I can't just remove sudo from our systems, because we have other tools that require it. I haven't found anything on Google. I know I can use polkit in place of sudo, but polkit would require a lot of extra configuration, and dzdo is already perfectly configured exactly the way we need it.

Thank you.

[martinpitt]

This has actually come up before, and we don't actually hardcode "sudo" in the code -- it's declared in the shell manifest.

#17536 implemented support for alternative authentication methods. You can create a manifest override to declare another "privileged bridge". It's unfortunately not documented well, but you can create a file /etc/cockpit/shell.override.json with something like

{
  "bridges": [
    {
      "privileged": true,
      "label": "dzdo",
      "spawn": [
        "dzdo", "--some-option", "cockpit-bridge", "--privileged"
      ]
    }
  ]
}

Look at the existing sudo/polkit declarations for inspiration.

[jmblanton]

That worked!

For future reference, here's what I did:

1. Copy /usr/share/cockpit/shell/manifest.json to /etc/cockpit/shell.override.json
2. Delete all the sections in /etc/cockpit/shell.override.json except the bridges section.
3. Leave the existing bridges in place in case they're needed later.
4. Copy the sudo stanza and change sudo to dzdo. My company has dzdo configured to not prompt for a password, so I removed the environ block and the -k and -A options. Since dzdo is configured to be a drop-in replacement for sudo, I could have copied the sudo block verbatim and just replaced "sudo" with "dzdo". The final file looks like this:

{
    "bridges": [
        {
            "label": "dzdo",
            "privileged": true,
            "spawn": [
                "dzdo",
                "cockpit-bridge",
                "--privileged"
            ]
        },
        {
            "label": "sudo"
            // sudo details ommitted because they're unchanged from manifest.json
        },
        {
            "label": "pkexec"
            // pkexec details ommitted because they're unchanged from manifest.json
        }
    ]
}

5. My changes didn't work at first because I omitted the label from the bridges. Without labels, cockpit continued to use sudo. I watched the video and found out labels were necessary. Once I added them, I was able to choose which privilege execution method to use.

Thank you for your help!

[martinpitt]

Great!

[martinpitt]

@jmblanton BTW, you can drop the sudo and pkexec entries if you know that they won't work/you don't want to use them anyway.

[jmblanton]

Thank you. I was afraid to remove those entries for fear of breaking something. But I tried removing them, and it still works. And now Cockpit doesn't ask me which privilege escalation method I want to use.

[martinpitt]

Right, that was the idea. If there is just one config, it doesn't have to.