LinuxCommandLibrary

cockpit-bridge

Connect Cockpit web interface to system services

TLDR

List all cockpit packages

$ cockpit-bridge --packages

Display help

$ cockpit-bridge --help

SYNOPSIS

This command is primarily an internal utility invoked by Cockpit components and is not intended for direct user execution.
Its typical invocation is orchestrated by cockpit-ws or systemd-logind.

cockpit-bridge [OPTIONS]

PARAMETERS

--version
    Prints the version of the cockpit-bridge component and exits.

--help
    Displays a brief help message explaining available options.

--privileged
    Starts the bridge process with elevated privileges, typically invoked via sudo rules for specific tasks that require root access (e.g., managing storage or networking). This is a critical internal flag for privileged operations.

--log-level=LEVEL
    Sets the logging verbosity. LEVEL can be debug, info, warning, error, or critical. Useful for troubleshooting.

--user=USERNAME
    Runs the bridge process as a specific user. Primarily used internally when the web service needs to act on behalf of a particular user.

--shell
    Starts an interactive shell instead of the RPC protocol, primarily used for debugging.

DESCRIPTION

The cockpit-bridge command is an internal component of the Cockpit web console for managing Linux systems. It acts as a crucial bridge between the unprivileged Cockpit web service (cockpit-ws) and the underlying operating system services and commands.

Its primary role is to execute system commands and retrieve information on behalf of a logged-in user, often requiring elevated privileges. cockpit-bridge leverages mechanisms like Polkit or sudo to securely gain necessary permissions, ensuring that Cockpit can perform administrative tasks without the entire web service running as root.

It communicates with cockpit-ws over standard input/output using a simple RPC-like protocol. Users typically do not invoke cockpit-bridge directly from the command line; it is started automatically by Cockpit when a user logs in.

CAVEATS

The cockpit-bridge command is an internal implementation detail of the Cockpit project. It is not intended for direct manual invocation by users from the command line, as doing so inappropriately could lead to security risks or unexpected system behavior. Its security model relies on careful integration with Polkit and sudo for privilege escalation and authorization checks. Misconfiguring Cockpit's access controls, or manually invoking cockpit-bridge with incorrect privileges, could compromise system security.

SECURITY MODEL

The security of Cockpit heavily relies on cockpit-bridge's design. When a user authenticates to Cockpit, cockpit-ws starts a cockpit-bridge process for that user. This bridge process typically runs as the logged-in user. For tasks requiring elevated privileges (e.g., installing software, managing system services), cockpit-bridge uses Polkit policies or sudo rules to execute specific commands as root or with other necessary permissions. This ensures that only authorized operations are performed, and only for the duration required, limiting the attack surface compared to a monolithic privileged application.

COMMUNICATION PROTOCOL

cockpit-bridge communicates with cockpit-ws (the web service) over standard input (stdin) and standard output (stdout) using a lightweight, JSON-based RPC (Remote Procedure Call) protocol. This lets Cockpit's JavaScript frontend make requests to the system: cockpit-ws relays each request to the appropriate cockpit-bridge process, which executes it and returns the result over the same channel. This simple but effective inter-process communication mechanism underpins Cockpit's interactivity.
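As an added illustration (not code from the Cockpit project or from this page), the following toy Python codec shows how a stdin/stdout exchange of this kind can be framed, validated and dispatched on the bridge side. It assumes the frame layout given in the Cockpit project's protocol documentation (a decimal byte length, newline, channel id, newline, payload; an empty channel id marks a control message), which this page does not spell out; the bridge_side function, the MAX_FRAME bound and the sample conversation are constructed here.

```python
import json
# Frame layout assumed from the Cockpit protocol spec (not stated on this page):
#   <length>\n<channel>\n<payload>, where length counts the bytes of "<channel>\n<payload>";
#   an empty channel id marks a control message (a JSON object with a "command" key).
MAX_FRAME = 1 << 20  # constructed upper bound so a bad length cannot force a huge read

def encode_frame(channel: str, payload: bytes) -> bytes:
    body = channel.encode() + b"\n" + payload
    return str(len(body)).encode() + b"\n" + body

def encode_control(message: dict) -> bytes:
    return encode_frame("", json.dumps(message, separators=(",", ":")).encode())

def decode_frames(stream: bytes) -> list:
    """Split a byte stream into (channel, payload) pairs; reject bad or short frames."""
    frames, pos = [], 0
    while pos < len(stream):
        nl = stream.index(b"\n", pos)          # ValueError if the length line is unterminated
        length = int(stream[pos:nl])
        if length <= 0 or length > MAX_FRAME:
            raise ValueError(f"bad frame length {length}")
        body = stream[nl + 1:nl + 1 + length]
        if len(body) != length:
            raise ValueError("truncated frame")
        channel, _, payload = body.partition(b"\n")
        frames.append((channel.decode(), payload))
        pos = nl + 1 + length
    return frames

def bridge_side(inbound: bytes) -> bytes:  # hypothetical toy bridge: answer init, echo 'echo' channels
    out, echo_channels = b"", set()
    for channel, payload in decode_frames(inbound):
        if channel == "":                       # control message
            msg = json.loads(payload)
            if msg.get("command") == "init":
                out += encode_control({"command": "init", "version": 1})
            elif msg.get("command") == "open" and msg.get("payload") == "echo":
                echo_channels.add(msg["channel"])
            elif msg.get("command") == "close":
                echo_channels.discard(msg.get("channel"))
                out += encode_control({"command": "close", "channel": msg.get("channel")})
        elif channel in echo_channels:          # data frame on an open echo channel
            out += encode_frame(channel, payload)
    return out

# Constructed conversation as cockpit-ws would send it to the bridge.
WS_TO_BRIDGE = (encode_control({"command": "init", "version": 1, "host": "localhost"})
                + encode_control({"command": "open", "channel": "a1", "payload": "echo"})
                + encode_frame("a1", b"hello")
                + encode_control({"command": "close", "channel": "a1"}))
```

The length and truncation checks in decode_frames are the part a defender cares about: a peer that lies about a frame length must not be able to make the reader allocate or wait for data that never arrives.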

HISTORY

cockpit-bridge is an integral part of the Cockpit project, which was initiated by Red Hat in 2014. From its inception, Cockpit was designed to be a secure, web-based interface for managing Linux systems, and the bridge component was crucial to achieving this. The development focused on creating a robust security model where the privileged operations are isolated and handled by a separate, minimal process (cockpit-bridge), rather than having the entire web server run with root privileges. This design principle has been a cornerstone of Cockpit's security architecture since its early days, evolving with system technologies like Polkit for fine-grained authorization.

SEE ALSO

cockpit(1), cockpit-ws(8), polkit(8), sudo(8), systemd(1)
