Use systemd-sysusers to create users & groups

Add a templated sysusers config file and use it in the RPM spec to create users. Replace the current Arch Linux specific config files. Note that the (already resolved) cockpit-sysusers.conf file is needed for the RPM specfile as a source as the macro can not be expanded using the content from the source archive as it is not extracted during the stage where RPM macro expansion happens. We thus need to keep a copy in the dist-git repo. See: https://docs.fedoraproject.org/en-US/packaging-guidelines/UsersAndGroups/#_dynamic_allocation
cockpit-project · Apr 24, 2024 · 925f5a1 · 925f5a1
1 parent 161b780
commit 925f5a1
Show file tree

Hide file tree

Showing 8 changed files with 18 additions and 8 deletions.
diff --git a/src/systemd/Makefile.am b/src/systemd/Makefile.am
@@ -33,6 +33,9 @@ install-exec-hook::
 tmpfilesconfdir = $(prefix)/lib/tmpfiles.d
 nodist_tmpfilesconf_DATA = src/systemd/cockpit-tmpfiles.conf
 
+sysusersconfdir = $(prefix)/lib/sysusers.d
+nodist_sysusersconf_DATA = src/systemd/cockpit-sysusers.conf
+
 # we can't generate these with config.status because,
 # eg. it does "@libexecdir@" -> "${exec_prefix}/libexec"
 src/systemd/%: src/systemd/%.in
@@ -43,13 +46,16 @@ src/systemd/%: src/systemd/%.in
 	-e 's,[@]group[@],$(COCKPIT_GROUP),g' \
 	-e 's,[@]libexecdir[@],$(libexecdir),g' \
 	-e 's,[@]user[@],$(COCKPIT_USER),g' \
+	-e 's,[@]cockpitgroup[@],$(COCKPIT_GROUP),g' \
+	-e 's,[@]cockpituser[@],$(COCKPIT_USER),g' \
 	-e 's,[@]wsinstancegroup[@],$(COCKPIT_WSINSTANCE_GROUP),g' \
 	-e 's,[@]wsinstanceuser[@],$(COCKPIT_WSINSTANCE_USER),g' \
 	$< > $@.tmp && mv -f $@.tmp $@
 
 systemdgenerated = \
 	$(nodist_systemdunit_DATA) \
 	$(nodist_tmpfilesconf_DATA) \
+	$(nodist_sysusersconf_DATA) \
 	$(NULL)
 systemdgenerated_in = $(patsubst %,%.in,$(systemdgenerated))
 

diff --git a/src/systemd/cockpit-sysusers.conf.in b/src/systemd/cockpit-sysusers.conf.in
@@ -0,0 +1,4 @@
+u @cockpituser@ - "User for cockpit web service" -
+g @cockpitgroup@
+u @wsinstanceuser@ - "User for cockpit-ws instances" -
+g @wsinstancegroup@ - -
diff --git a/tools/arch/PKGBUILD b/tools/arch/PKGBUILD
@@ -63,8 +63,6 @@ package_cockpit() {
   make DESTDIR="$pkgdir" install
   rm -rf "$pkgdir"/usr/{src,lib/firewalld}
   install -Dm644 "$srcdir"/cockpit.pam "$pkgdir"/etc/pam.d/cockpit
-  install -Dm644 "$srcdir"/cockpit-ws.sysuser.conf "$pkgdir"/usr/lib/sysusers.d/cockpit-ws.conf
-  install -Dm644 "$srcdir"/cockpit-wsinstance.sysuser.conf "$pkgdir"/usr/lib/sysusers.d/cockpit-wsinstance.conf
 
   echo "z /usr/lib/cockpit/cockpit-session - - cockpit-wsinstance -" >> "$pkgdir"/usr/lib/tmpfiles.d/cockpit-tmpfiles.conf
 

diff --git a/tools/arch/cockpit-ws.sysuser.conf b/tools/arch/cockpit-ws.sysuser.conf
diff --git a/tools/arch/cockpit-wsinstance.sysuser.conf b/tools/arch/cockpit-wsinstance.sysuser.conf
diff --git a/tools/cockpit-sysusers.conf b/tools/cockpit-sysusers.conf
@@ -0,0 +1,2 @@
+u cockpit-ws - "User for cockpit web service" -
+u cockpit-wsinstance - "User for cockpit-ws instances" -
diff --git a/tools/cockpit.spec b/tools/cockpit.spec
@@ -52,6 +52,7 @@ URL:            https://cockpit-project.org/
 Version:        0
 Release:        1%{?dist}
 Source0:        https://github.com/cockpit-project/cockpit/releases/download/%{version}/cockpit-%{version}.tar.xz
+Source1:        cockpit-sysusers.conf
 
 # pcp stopped building on ix86
 %define build_pcp 1
@@ -114,6 +115,9 @@ BuildRequires: xmlto
 BuildRequires:  selinux-policy
 BuildRequires:  selinux-policy-devel
 
+BuildRequires:  systemd-rpm-macros
+%{?sysusers_requires_compat}
+
 # This is the "cockpit" metapackage. It should only
 # Require, Suggest or Recommend other cockpit-xxx subpackages
 
@@ -422,10 +426,7 @@ authentication via sssd/FreeIPA.
 %ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name}
 
 %pre ws
-getent group cockpit-ws >/dev/null || groupadd -r cockpit-ws
-getent passwd cockpit-ws >/dev/null || useradd -r -g cockpit-ws -d /nonexisting -s /sbin/nologin -c "User for cockpit web service" cockpit-ws
-getent group cockpit-wsinstance >/dev/null || groupadd -r cockpit-wsinstance
-getent passwd cockpit-wsinstance >/dev/null || useradd -r -g cockpit-wsinstance -d /nonexisting -s /sbin/nologin -c "User for cockpit-ws instances" cockpit-wsinstance
+%sysusers_create_compat %{SOURCE1}
 
 if %{_sbindir}/selinuxenabled 2>/dev/null; then
     %selinux_relabel_pre -s %{selinuxtype}

diff --git a/tools/debian/cockpit-ws.install b/tools/debian/cockpit-ws.install
@@ -14,6 +14,7 @@ ${env:deb_systemdsystemunitdir}/system-cockpithttps.slice
 ${env:deb_pamlibdir}/security/pam_ssh_add.so
 ${env:deb_pamlibdir}/security/pam_cockpit_cert.so
 usr/lib/tmpfiles.d/cockpit-tmpfiles.conf
+usr/lib/sysusers.d/cockpit-sysusers.conf
 usr/lib/cockpit/cockpit-session
 usr/lib/cockpit/cockpit-ws
 usr/lib/cockpit/cockpit-wsinstance-factory