cockpit-project · martinpitt · May 8, 2024 · May 3, 2024 · May 7, 2024 · May 7, 2024
diff --git a/src/systemd/Makefile.am b/src/systemd/Makefile.am
@@ -7,16 +7,17 @@ nodist_systemdunit_DATA = \
 	src/systemd/cockpit.socket \
 	src/systemd/cockpit-session@.service \
 	src/systemd/cockpit-wsinstance-http.service \
-	src/systemd/cockpit-wsinstance-http.socket \
 	src/systemd/cockpit-wsinstance-https-factory@.service \
-	src/systemd/cockpit-wsinstance-https-factory.socket \
 	src/systemd/cockpit-wsinstance-https@.service \
-	src/systemd/cockpit-wsinstance-https@.socket \
 	$(NULL)
 
 dist_systemdunit_DATA = \
 	src/systemd/cockpit-session.socket \
+	src/systemd/cockpit-ws-user.service \
 	src/systemd/system-cockpithttps.slice \
+	src/systemd/cockpit-wsinstance-http.socket \
+	src/systemd/cockpit-wsinstance-https-factory.socket \
+	src/systemd/cockpit-wsinstance-https@.socket \
 	$(NULL)
 
 motddir = $(datadir)/$(PACKAGE)/motd/

diff --git a/src/systemd/cockpit-ws-user.service b/src/systemd/cockpit-ws-user.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Dynamic user for cockpit-ws
+Documentation=man:cockpit-ws(8)
+BindsTo=cockpit.service
+
+[Service]
+DynamicUser=yes
+User=cockpit-ws
+Group=cockpit-ws
+Type=oneshot
+ExecStart=/bin/true
+RemainAfterExit=yes
diff --git a/src/systemd/cockpit-wsinstance-http.service.in b/src/systemd/cockpit-wsinstance-http.service.in
@@ -1,7 +1,7 @@
 [Unit]
 Description=Cockpit Web Service http instance
-BindsTo=cockpit.service
 Documentation=man:cockpit-ws(8)
+BindsTo=cockpit.service
 
 [Service]
 ExecStart=@libexecdir@/cockpit-ws --no-tls --port=0

diff --git a/...systemd/cockpit-wsinstance-http.socket.in → src/systemd/cockpit-wsinstance-http.socket b/...systemd/cockpit-wsinstance-http.socket.in → src/systemd/cockpit-wsinstance-http.socket
@@ -1,9 +1,13 @@
 [Unit]
 Description=Socket for Cockpit Web Service http instance
-BindsTo=cockpit.service
 Documentation=man:cockpit-ws(8)
+BindsTo=cockpit.service
+# ensure our DynamicUser exists
+Requires=cockpit-ws-user.service
+After=cockpit-ws-user.service
 
 [Socket]
 ListenStream=/run/cockpit/wsinstance/http.sock
 SocketUser=cockpit-ws
 SocketMode=0600
+RemoveOnStop=yes
diff --git a/...ockpit-wsinstance-https-factory.socket.in → ...d/cockpit-wsinstance-https-factory.socket b/...ockpit-wsinstance-https-factory.socket.in → ...d/cockpit-wsinstance-https-factory.socket
@@ -1,10 +1,14 @@
 [Unit]
 Description=Socket for Cockpit Web Service https instance factory
-BindsTo=cockpit.service
 Documentation=man:cockpit-ws(8)
+BindsTo=cockpit.service
+# ensure our DynamicUser exists
+Requires=cockpit-ws-user.service
+After=cockpit-ws-user.service
 
 [Socket]
 ListenStream=/run/cockpit/wsinstance/https-factory.sock
 Accept=yes
 SocketUser=cockpit-ws
 SocketMode=0600
+RemoveOnStop=yes
diff --git a/src/systemd/cockpit-wsinstance-https@.service.in b/src/systemd/cockpit-wsinstance-https@.service.in
@@ -1,7 +1,7 @@
 [Unit]
 Description=Cockpit Web Service https instance %I
-BindsTo=cockpit.service
 Documentation=man:cockpit-ws(8)
+BindsTo=cockpit.service
 
 [Service]
 Slice=system-cockpithttps.slice

diff --git a/...stemd/cockpit-wsinstance-https@.socket.in → src/systemd/cockpit-wsinstance-https@.socket b/...stemd/cockpit-wsinstance-https@.socket.in → src/systemd/cockpit-wsinstance-https@.socket
@@ -1,13 +1,17 @@
 [Unit]
 Description=Socket for Cockpit Web Service https instance %I
+Documentation=man:cockpit-ws(8)
 BindsTo=cockpit.service
 # clean up the socket after the service exits, to prevent fd leak
 # this also effectively prevents a DoS by starting arbitrarily many sockets, as
 # the services are resource-limited by system-cockpithttps.slice
 BindsTo=cockpit-wsinstance-https@%i.service
-Documentation=man:cockpit-ws(8)
+# ensure our DynamicUser exists
+Requires=cockpit-ws-user.service
+After=cockpit-ws-user.service
 
 [Socket]
 ListenStream=/run/cockpit/wsinstance/https@%i.sock
 SocketUser=cockpit-ws
 SocketMode=0600
+RemoveOnStop=yes
diff --git a/src/systemd/cockpit.service.in b/src/systemd/cockpit.service.in
@@ -3,6 +3,10 @@ Description=Cockpit Web Service
 Documentation=man:cockpit-ws(8)
 Requires=cockpit.socket
 Requires=cockpit-wsinstance-http.socket cockpit-wsinstance-https-factory.socket
+# ensure our DynamicUser exists
+Requires=cockpit-ws-user.service
+After=cockpit-ws-user.service
+# we need to start after the sockets so that we can instantly forward incoming requests
 After=cockpit-wsinstance-http.socket cockpit-wsinstance-https-factory.socket
 
 [Service]

diff --git a/test/verify/check-connection b/test/verify/check-connection
@@ -223,6 +223,11 @@ class TestConnection(testlib.MachineCase):
                 out = m.execute(f"systemctl --no-legend -t {_type} list-units cockpit-wsinstance-https@*")
                 count = len(out.strip().splitlines())
                 self.assertEqual(count, https_instances, out)
+            # instance sockets get cleaned up when stopping cockpit.socket or the instances
+            if not ws_socket or not instance_sockets:
+                self.assertEqual(
+                    m.execute("test ! -e /run/cockpit/wsinstance/ || ls /run/cockpit/wsinstance/").strip(),
+                    "")
 
         # at the beginning, no cockpit related units are running
         m.execute("systemctl reset-failed")
@@ -257,6 +262,13 @@ class TestConnection(testlib.MachineCase):
         self.assertIn("HTTP/1.1 200 OK", m.execute("curl --silent --head http://127.0.0.1:9090"))
         expect_actives(ws_socket=True, instance_sockets=True, http_instances=["http"])
 
+        # cleans up instances when killing the DynamicUser helper unit
+        m.start_cockpit(tls=False)
+        self.assertIn("HTTP/1.1 200 OK", m.execute("curl --silent --head http://127.0.0.1:9090"))
+        expect_actives(ws_socket=True, instance_sockets=True, http_instances=["http"])
+        m.execute("systemctl stop cockpit-ws-user.service")
+        expect_actives(ws_socket=True, instance_sockets=False, http_instances=[])
+
         # https mode
 
         m.start_cockpit(tls=True)
@@ -423,7 +435,6 @@ class TestConnection(testlib.MachineCase):
         if not m.ostree_image:
             m.execute("""cat /etc/cockpit/ws-certs.d/cert-chain.key >> /etc/cockpit/ws-certs.d/cert-chain.crt
                          chmod 640 /etc/cockpit/ws-certs.d/cert-chain.crt
-                         chown root:cockpit-ws /etc/cockpit/ws-certs.d/cert-chain.crt
                          rm /etc/cockpit/ws-certs.d/cert-chain.key""")
             check_cert_chain()
 

diff --git a/tools/arch/PKGBUILD b/tools/arch/PKGBUILD
@@ -16,11 +16,9 @@ makedepends=(krb5 libssh accountsservice json-glib glib-networking
              python-build python-installer python-wheel)
 source=("cockpit-${pkgver}.tar.xz"
         "cockpit.pam"
-        "cockpit-ws.sysuser.conf"
         "cockpit-wsinstance.sysuser.conf")
 sha256sums=('SKIP'
             '079bb6751214e642673f9e1212df2a17fed1a3cc6cfdd6375af2b68ed6ddd340'
-            '1ad9dad75858264778bd94799b60c651f7cc1c7f7fa1c54622174303e639287a'
             '46ee8ecad7bc97ba588ab9471dde76e41c00daf40658902425626c3a1938b438')
 
 prepare() {
@@ -61,7 +59,6 @@ package_cockpit() {
   make DESTDIR="$pkgdir" install
   rm -rf "$pkgdir"/usr/{src,lib/firewalld}
   install -Dm644 "$srcdir"/cockpit.pam "$pkgdir"/etc/pam.d/cockpit
-  install -Dm644 "$srcdir"/cockpit-ws.sysuser.conf "$pkgdir"/usr/lib/sysusers.d/cockpit-ws.conf
   install -Dm644 "$srcdir"/cockpit-wsinstance.sysuser.conf "$pkgdir"/usr/lib/sysusers.d/cockpit-wsinstance.conf
 
   echo "z /usr/lib/cockpit/cockpit-session - - cockpit-wsinstance -" >> "$pkgdir"/usr/lib/tmpfiles.d/cockpit-ws.conf

diff --git a/tools/arch/cockpit-ws.sysuser.conf b/tools/arch/cockpit-ws.sysuser.conf
diff --git a/tools/cockpit.spec b/tools/cockpit.spec
@@ -393,6 +393,7 @@ authentication via sssd/FreeIPA.
 %{_unitdir}/cockpit.service
 %{_unitdir}/cockpit-motd.service
 %{_unitdir}/cockpit.socket
+%{_unitdir}/cockpit-ws-user.service
 %{_unitdir}/cockpit-wsinstance-http.socket
 %{_unitdir}/cockpit-wsinstance-http.service
 %{_unitdir}/cockpit-wsinstance-https-factory.socket
@@ -419,8 +420,6 @@ authentication via sssd/FreeIPA.
 %ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name}
 
 %pre ws
-getent group cockpit-ws >/dev/null || groupadd -r cockpit-ws
-getent passwd cockpit-ws >/dev/null || useradd -r -g cockpit-ws -d /nonexisting -s /sbin/nologin -c "User for cockpit web service" cockpit-ws
 getent group cockpit-wsinstance >/dev/null || groupadd -r cockpit-wsinstance
 getent passwd cockpit-wsinstance >/dev/null || useradd -r -g cockpit-wsinstance -d /nonexisting -s /sbin/nologin -c "User for cockpit-ws instances" cockpit-wsinstance
 

diff --git a/tools/debian/cockpit-ws.install b/tools/debian/cockpit-ws.install
@@ -4,6 +4,7 @@ tools/apparmor.d/cockpit-desktop etc/apparmor.d/
 ${env:deb_systemdsystemunitdir}/cockpit.service
 ${env:deb_systemdsystemunitdir}/cockpit-motd.service
 ${env:deb_systemdsystemunitdir}/cockpit.socket
+${env:deb_systemdsystemunitdir}/cockpit-ws-user.service
 ${env:deb_systemdsystemunitdir}/cockpit-wsinstance-http.service
 ${env:deb_systemdsystemunitdir}/cockpit-wsinstance-http.socket
 ${env:deb_systemdsystemunitdir}/cockpit-wsinstance-https-factory@.service

diff --git a/tools/debian/cockpit-ws.postinst b/tools/debian/cockpit-ws.postinst
@@ -1,7 +1,6 @@
 #!/bin/sh
 set -e
 
-adduser --system --group --home /nonexistent --no-create-home --quiet cockpit-ws
 adduser --system --group --home /nonexistent --no-create-home --quiet cockpit-wsinstance
 
 # change group of cockpit-session on upgrades (changed in version 203)