tools: Use DynamicUser for cockpit.service

Since commit 644116a, the webserver certificates don't have to be owned by the cockpit-ws user/group any more. This allows us to use `DynamicUser` for cockpit.service, which eliminates the persistent `cockpit-ws` system user. Note that we can't yet eliminate `cockpit-wsinstance` as that's the owner of our `cockpit-session` suid root binary.
cockpit-project · May 7, 2024 · 0f45900 · 0f45900
1 parent dd62f0d
commit 0f45900
Show file tree

Hide file tree

Showing 5 changed files with 3 additions and 8 deletions.
diff --git a/src/systemd/cockpit.service.in b/src/systemd/cockpit.service.in
@@ -3,14 +3,16 @@ Description=Cockpit Web Service
 Documentation=man:cockpit-ws(8)
 Requires=cockpit.socket
 Requires=cockpit-wsinstance-http.socket cockpit-wsinstance-https-factory.socket
-After=cockpit-wsinstance-http.socket cockpit-wsinstance-https-factory.socket
+# we need to start before the sockets so that the dynamic user exists
+Before=cockpit-wsinstance-http.socket cockpit-wsinstance-https-factory.socket
 
 [Service]
 RuntimeDirectory=cockpit/tls
 # systemd ≥ 241 sets this automatically
 Environment=RUNTIME_DIRECTORY=/run/cockpit/tls
 ExecStartPre=+@libexecdir@/cockpit-certificate-ensure --for-cockpit-tls
 ExecStart=@libexecdir@/cockpit-tls
+DynamicUser=true
 User=cockpit-ws
 Group=cockpit-ws
 NoNewPrivileges=true

diff --git a/tools/arch/PKGBUILD b/tools/arch/PKGBUILD
@@ -16,11 +16,9 @@ makedepends=(krb5 libssh accountsservice json-glib glib-networking
              python-build python-installer python-wheel)
 source=("cockpit-${pkgver}.tar.xz"
         "cockpit.pam"
-        "cockpit-ws.sysuser.conf"
         "cockpit-wsinstance.sysuser.conf")
 sha256sums=('SKIP'
             '079bb6751214e642673f9e1212df2a17fed1a3cc6cfdd6375af2b68ed6ddd340'
-            '1ad9dad75858264778bd94799b60c651f7cc1c7f7fa1c54622174303e639287a'
             '46ee8ecad7bc97ba588ab9471dde76e41c00daf40658902425626c3a1938b438')
 
 prepare() {
@@ -61,7 +59,6 @@ package_cockpit() {
   make DESTDIR="$pkgdir" install
   rm -rf "$pkgdir"/usr/{src,lib/firewalld}
   install -Dm644 "$srcdir"/cockpit.pam "$pkgdir"/etc/pam.d/cockpit
-  install -Dm644 "$srcdir"/cockpit-ws.sysuser.conf "$pkgdir"/usr/lib/sysusers.d/cockpit-ws.conf
   install -Dm644 "$srcdir"/cockpit-wsinstance.sysuser.conf "$pkgdir"/usr/lib/sysusers.d/cockpit-wsinstance.conf
 
   echo "z /usr/lib/cockpit/cockpit-session - - cockpit-wsinstance -" >> "$pkgdir"/usr/lib/tmpfiles.d/cockpit-ws.conf

diff --git a/tools/arch/cockpit-ws.sysuser.conf b/tools/arch/cockpit-ws.sysuser.conf
diff --git a/tools/cockpit.spec b/tools/cockpit.spec
@@ -419,8 +419,6 @@ authentication via sssd/FreeIPA.
 %ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name}
 
 %pre ws
-getent group cockpit-ws >/dev/null || groupadd -r cockpit-ws
-getent passwd cockpit-ws >/dev/null || useradd -r -g cockpit-ws -d /nonexisting -s /sbin/nologin -c "User for cockpit web service" cockpit-ws
 getent group cockpit-wsinstance >/dev/null || groupadd -r cockpit-wsinstance
 getent passwd cockpit-wsinstance >/dev/null || useradd -r -g cockpit-wsinstance -d /nonexisting -s /sbin/nologin -c "User for cockpit-ws instances" cockpit-wsinstance
 

diff --git a/tools/debian/cockpit-ws.postinst b/tools/debian/cockpit-ws.postinst
@@ -1,7 +1,6 @@
 #!/bin/sh
 set -e
 
-adduser --system --group --home /nonexistent --no-create-home --quiet cockpit-ws
 adduser --system --group --home /nonexistent --no-create-home --quiet cockpit-wsinstance
 
 # change group of cockpit-session on upgrades (changed in version 203)