Cockpit Guide
When a user is logged into Cockpit, they are logged into a normal session that has exactly the same privileges as if they logged in via SSH or on the console.
In some cases Cockpit will try to escalate the privileges of the user using Policy Kit or sudo. If the user is able to escalate privileges from the command line, then Cockpit will use that same capability to perform certain privileged tasks.
Cockpit can use the user's login password internally to escalate privileges in these situations. When the "Reuse my password for privileged tasks" option is selected on the login screen, the login password is cached internally and passed to Policy Kit when requested in order to escalate privileges.
To test whether Cockpit can escalate privileges, you can run these commands from the terminal built into Cockpit.
$ sudo cockpit-bridge ...
$ pkexec cockpit-bridge ...
If either of these commands succeeds without prompting for a password, Cockpit will be able to start a privileged copy of the cockpit-bridge and use it to perform privileged tasks when necessary.
Usually a user needs to be in the wheel Unix user group to be able to escalate privileges in this way. However, both Policy Kit and sudo may be configured to use other criteria.
Services like systemd and NetworkManager use Polkit to validate and escalate privileges. It is possible to customize these rules with files in /etc/polkit-1/rules.d.
Polkit rules files are JavaScript with specific methods and objects. For example, placing the following polkit rule in /etc/polkit-1/rules.d/10-operators.rules allows all users in the operators group to start, stop, restart and otherwise manage systemd services:
polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.systemd1.manage-units") {
        if (subject.isInGroup("operators")) {
            return polkit.Result.YES;
        }
    }
});
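A narrower variant of the operators rule above, as an added example that is not part of the Cockpit guide: it grants only selected verbs on selected units and leaves everything else to the default policy. ALLOWED_UNITS, ALLOWED_VERBS, operatorsRule and decide are names chosen here, the unit names are sample values, and it assumes systemd supplies the unit and verb details to polkit; the polkit stub and decide() exist only so the rule can be run with Node before it is installed.

```javascript
// Names below (ALLOWED_UNITS, ALLOWED_VERBS, operatorsRule, decide) are chosen
// for this example; the unit names are constructed sample values.
var ALLOWED_UNITS = ["nginx.service", "httpd.service"];
var ALLOWED_VERBS = ["start", "stop", "restart"];

// polkitd provides a global `polkit`; outside it, use a minimal stand-in so
// the rule can be exercised with Node before it is installed.
if (typeof polkit === "undefined") {
    var polkit = {
        Result: { YES: "yes", NOT_HANDLED: null },
        rules: [],
        addRule: function (fn) { this.rules.push(fn); },
        log: function (msg) { this.lastLog = msg; }
    };
}

function operatorsRule(action, subject) {
    if (action.id !== "org.freedesktop.systemd1.manage-units") {
        return polkit.Result.NOT_HANDLED;
    }
    // Assumption: systemd passes the target unit and the requested verb
    // as action details readable through action.lookup().
    var unit = action.lookup("unit");
    var verb = action.lookup("verb");
    if (subject.isInGroup("operators") &&
        ALLOWED_UNITS.indexOf(unit) !== -1 &&
        ALLOWED_VERBS.indexOf(verb) !== -1) {
        polkit.log("operators rule: " + subject.user + " " + verb + " " + unit);
        return polkit.Result.YES;
    }
    // Anything else falls through to later rules and the default policy.
    return polkit.Result.NOT_HANDLED;
}
polkit.addRule(operatorsRule);

// Offline check helper: builds the action/subject pair the rule receives.
function decide(groups, unit, verb, actionId) {
    var details = { unit: unit, verb: verb };
    var action = {
        id: actionId || "org.freedesktop.systemd1.manage-units",
        lookup: function (key) { return details[key]; }
    };
    var subject = {
        user: "alice",                       // constructed sample user
        isInGroup: function (g) { return groups.indexOf(g) !== -1; }
    };
    return operatorsRule(action, subject);
}
```

When installing the rule, only the two lists, operatorsRule and the polkit.addRule call are needed.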
To allow a certain group to perform any administrative action, you could add a rule like this:
polkit.addAdminRule(function(action, subject) {
    return ["unix-group:operators"];
});