systemd: Use systemd-sysusers to create cockpit-wsinstance user #20365

Closed
wants to merge 6 commits into from

Commits on May 3, 2024

  1. test: Drop obsolete chowning of ws certificate

    Not necessary any more since commit 644116a.
    martinpitt committed May 3, 2024
    a708d85
  2. tools: Use DynamicUser for cockpit.service

    Since commit 644116a, the webserver certificates don't have to
    be owned by the cockpit-ws user/group any more. This allows us to use
    `DynamicUser` for cockpit.service, which eliminates the persistent
    `cockpit-ws` system user.
    
    Note that we can't yet eliminate `cockpit-wsinstance` as that's the
    owner of our `cockpit-session` suid root binary.
    martinpitt committed May 3, 2024
    a639abb
  3. tools: Remove cockpit-session statoverride on purging Debian package

    Let's clean up properly.
    martinpitt committed May 3, 2024
    4ca16b4
  4. tools: Drop obsolete permission upgrade in Debian package

    Even oldoldstable and the last two Ubuntu LTSes have newer versions,
    this isn't necessary any more.
    martinpitt committed May 3, 2024
    9b230e0
  5. systemd: Use systemd-sysusers to create cockpit-wsinstance user

    Add a sysusers config file for our remaining system user.
    
    Arch was already using sysusers, replace the packaging specific one with
    the upstream one.
    
    For Debian, run dh_installsysusers (compat level 14 will do that
    automatically in the future).
    
    RPM 4.19 has native support for sysusers in principle [1], but it's not
    currently enabled/working [2]. Fedora rather wants packages to do an
    overcomplicated process which keeps a downstream copy of the sysusers
    file in the packaging dist-git [3], which is error prone and ugly to
    automate.
    
    So keep the tried-and-tested current approach of creating the user
    directly in the spec's `%pre` script for the time being (which is
    necessary anyway for CentOS/RHEL 9).
    
    [1] https://rpm-software-management.github.io/rpm/manual/users_and_groups.html
    [2] rpm-software-management/rpm#3073
    [3] https://docs.fedoraproject.org/en-US/packaging-guidelines/UsersAndGroups/#_dynamic_allocation
    travier authored and martinpitt committed May 3, 2024
    81cbd0e
  6. FIXUP: Use tmpfiles.d everywhere to set up cockpit-session

    This upstreams the Arch approach, and provides a sensible setup with an
    upstream `make install`.
    martinpitt committed May 3, 2024
    90b968f