cockpit-project · travier · May 3, 2024 · May 3, 2024 · May 2, 2024 · May 3, 2024
diff --git a/src/systemd/Makefile.am b/src/systemd/Makefile.am
@@ -33,6 +33,9 @@ install-exec-hook::
 tmpfilesconfdir = $(prefix)/lib/tmpfiles.d
 nodist_tmpfilesconf_DATA = src/systemd/tmpfiles.d/cockpit-ws.conf
 
+sysusersconfdir = $(prefix)/lib/sysusers.d
+dist_sysusersconf_DATA = src/systemd/sysusers.d/cockpit-ws.conf
+
 # we can't generate these with config.status because,
 # eg. it does "@libexecdir@" -> "${exec_prefix}/libexec"
 src/systemd/%: src/systemd/%.in

diff --git a/src/systemd/cockpit.service.in b/src/systemd/cockpit.service.in
@@ -3,14 +3,16 @@ Description=Cockpit Web Service
 Documentation=man:cockpit-ws(8)
 Requires=cockpit.socket
 Requires=cockpit-wsinstance-http.socket cockpit-wsinstance-https-factory.socket
-After=cockpit-wsinstance-http.socket cockpit-wsinstance-https-factory.socket
+# we need to start before the sockets so that the dynamic user exists
+Before=cockpit-wsinstance-http.socket cockpit-wsinstance-https-factory.socket
 
 [Service]
 RuntimeDirectory=cockpit/tls
 # systemd ≥ 241 sets this automatically
 Environment=RUNTIME_DIRECTORY=/run/cockpit/tls
 ExecStartPre=+@libexecdir@/cockpit-certificate-ensure --for-cockpit-tls
 ExecStart=@libexecdir@/cockpit-tls
+DynamicUser=true
 User=cockpit-ws
 Group=cockpit-ws
 NoNewPrivileges=true

diff --git a/src/systemd/sysusers.d/cockpit-ws.conf b/src/systemd/sysusers.d/cockpit-ws.conf
@@ -0,0 +1 @@
+u cockpit-wsinstance - "User for cockpit-ws instances" -
diff --git a/src/systemd/tmpfiles.d/cockpit-ws.conf.in b/src/systemd/tmpfiles.d/cockpit-ws.conf.in
@@ -1,3 +1,4 @@
+z @libexecdir@/cockpit-session - - cockpit-wsinstance -
 C /run/cockpit/inactive.motd 0640 root @admin_group@ - @datadir@/@PACKAGE@/motd/inactive.motd
 f /run/cockpit/active.motd   0640 root @admin_group@ -
 L+ /run/cockpit/motd - - - - inactive.motd
diff --git a/test/verify/check-connection b/test/verify/check-connection
@@ -423,7 +423,6 @@ class TestConnection(testlib.MachineCase):
         if not m.ostree_image:
             m.execute("""cat /etc/cockpit/ws-certs.d/cert-chain.key >> /etc/cockpit/ws-certs.d/cert-chain.crt
                          chmod 640 /etc/cockpit/ws-certs.d/cert-chain.crt
-                         chown root:cockpit-ws /etc/cockpit/ws-certs.d/cert-chain.crt
                          rm /etc/cockpit/ws-certs.d/cert-chain.key""")
             check_cert_chain()
 

diff --git a/tools/arch/PKGBUILD b/tools/arch/PKGBUILD
@@ -15,13 +15,9 @@ makedepends=(krb5 libssh accountsservice json-glib glib-networking
              git intltool gtk-doc gobject-introspection networkmanager xmlto npm pcp
              python-build python-installer python-wheel)
 source=("cockpit-${pkgver}.tar.xz"
-        "cockpit.pam"
-        "cockpit-ws.sysuser.conf"
-        "cockpit-wsinstance.sysuser.conf")
+        "cockpit.pam")
 sha256sums=('SKIP'
-            '079bb6751214e642673f9e1212df2a17fed1a3cc6cfdd6375af2b68ed6ddd340'
-            '1ad9dad75858264778bd94799b60c651f7cc1c7f7fa1c54622174303e639287a'
-            '46ee8ecad7bc97ba588ab9471dde76e41c00daf40658902425626c3a1938b438')
+            '079bb6751214e642673f9e1212df2a17fed1a3cc6cfdd6375af2b68ed6ddd340')
 
 prepare() {
   cd cockpit-$pkgver
@@ -61,10 +57,6 @@ package_cockpit() {
   make DESTDIR="$pkgdir" install
   rm -rf "$pkgdir"/usr/{src,lib/firewalld}
   install -Dm644 "$srcdir"/cockpit.pam "$pkgdir"/etc/pam.d/cockpit
-  install -Dm644 "$srcdir"/cockpit-ws.sysuser.conf "$pkgdir"/usr/lib/sysusers.d/cockpit-ws.conf
-  install -Dm644 "$srcdir"/cockpit-wsinstance.sysuser.conf "$pkgdir"/usr/lib/sysusers.d/cockpit-wsinstance.conf
-
-  echo "z /usr/lib/cockpit/cockpit-session - - cockpit-wsinstance -" >> "$pkgdir"/usr/lib/tmpfiles.d/cockpit-ws.conf
 
   # remove unused plugins
   rm -rf "$pkgdir"/usr/share/cockpit/{selinux,playground,sosreport} \

diff --git a/tools/arch/cockpit-ws.sysuser.conf b/tools/arch/cockpit-ws.sysuser.conf
diff --git a/tools/arch/cockpit-wsinstance.sysuser.conf b/tools/arch/cockpit-wsinstance.sysuser.conf
diff --git a/tools/cockpit.spec b/tools/cockpit.spec
@@ -401,6 +401,7 @@ authentication via sssd/FreeIPA.
 %{_unitdir}/cockpit-wsinstance-https@.service
 %{_unitdir}/system-cockpithttps.slice
 %{_prefix}/%{__lib}/tmpfiles.d/cockpit-ws.conf
+%{_sysusersdir}/cockpit-ws.conf
 %{pamdir}/pam_ssh_add.so
 %{pamdir}/pam_cockpit_cert.so
 %{_libexecdir}/cockpit-ws
@@ -419,11 +420,6 @@ authentication via sssd/FreeIPA.
 %ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name}
 
 %pre ws
-getent group cockpit-ws >/dev/null || groupadd -r cockpit-ws
-getent passwd cockpit-ws >/dev/null || useradd -r -g cockpit-ws -d /nonexisting -s /sbin/nologin -c "User for cockpit web service" cockpit-ws
-getent group cockpit-wsinstance >/dev/null || groupadd -r cockpit-wsinstance
-getent passwd cockpit-wsinstance >/dev/null || useradd -r -g cockpit-wsinstance -d /nonexisting -s /sbin/nologin -c "User for cockpit-ws instances" cockpit-wsinstance
-
 if %{_sbindir}/selinuxenabled 2>/dev/null; then
     %selinux_relabel_pre -s %{selinuxtype}
 fi

diff --git a/tools/debian/cockpit-ws.install b/tools/debian/cockpit-ws.install
@@ -14,6 +14,7 @@ ${env:deb_systemdsystemunitdir}/system-cockpithttps.slice
 ${env:deb_pamlibdir}/security/pam_ssh_add.so
 ${env:deb_pamlibdir}/security/pam_cockpit_cert.so
 usr/lib/tmpfiles.d/cockpit-ws.conf
+usr/lib/sysusers.d/cockpit-ws.conf
 usr/lib/cockpit/cockpit-session
 usr/lib/cockpit/cockpit-ws
 usr/lib/cockpit/cockpit-wsinstance-factory

diff --git a/tools/debian/cockpit-ws.postinst b/tools/debian/cockpit-ws.postinst
@@ -1,21 +1,12 @@
 #!/bin/sh
 set -e
 
-adduser --system --group --home /nonexistent --no-create-home --quiet cockpit-ws
-adduser --system --group --home /nonexistent --no-create-home --quiet cockpit-wsinstance
-
-# change group of cockpit-session on upgrades (changed in version 203)
-if OUT=$(dpkg-statoverride --list /usr/lib/cockpit/cockpit-session) && [ "$OUT#root cockpit-ws 4750}" != "$OUT" ]; then
-    echo "Adjusting /usr/lib/cockpit/cockpit-session permissions..."
-    dpkg-statoverride --remove /usr/lib/cockpit/cockpit-session
-fi
+#DEBHELPER#
 
 if ! dpkg-statoverride --list /usr/lib/cockpit/cockpit-session >/dev/null; then
     dpkg-statoverride --update --add root cockpit-wsinstance 4750 /usr/lib/cockpit/cockpit-session
 fi
 
-#DEBHELPER#
-
 # restart cockpit.service on package upgrades, if it's already running
 if [ -d /run/systemd/system ] && [ -n "$2" ]; then
     deb-systemd-invoke try-restart cockpit.service >/dev/null || true

diff --git a/tools/debian/cockpit-ws.postrm b/tools/debian/cockpit-ws.postrm
@@ -8,4 +8,6 @@ if [ "$1" = purge ]; then
     [ -L /etc/motd.d/cockpit ] && rm /etc/motd.d/cockpit || true
     [ -L /etc/issue.d/cockpit.issue ] && rm /etc/issue.d/cockpit.issue || true
     rm -f /etc/cockpit/disallowed-users
+
+    dpkg-statoverride --remove /usr/lib/cockpit/cockpit-session
 fi
diff --git a/tools/debian/rules b/tools/debian/rules
@@ -67,3 +67,7 @@ else
 	pytest -vv -k 'not linter and not test_descriptions' -opythonpath=$$(ls -d debian/cockpit-bridge/usr/lib/python3*/dist-packages)
 endif
 endif
+
+# dh compat 14 does that automatically, remove when upgrading
+execute_before_dh_installtmpfiles:
+	dh_installsysusers