
Dynamic users are completely different on this version of cockpit

We need to make various changes to fix this, since we don't
ship systemd in nsswitch.conf
Alice Brooks 2025-01-30 11:33:11 +00:00
parent 3731b3ac8f
commit 49b4cd327d
Signed by untrusted user: abrooks
GPG Key ID: 121CE3F61469DBDB
2 changed files with 64 additions and 2 deletions


@ -0,0 +1,57 @@
From 730d204ff5a1f0382c3edffe51ce62c890cf86f2 Mon Sep 17 00:00:00 2001
From: Alice Brooks <alice.brooks@suse.com>
Date: Thu, 30 Jan 2025 10:45:46 +0000
Subject: [PATCH 1/1] Remove DynamicUser setting as these conflict with real
users
Real users are having to be created due to Leap15.6's nsswitch not
containing systemd, so dynamic users cannot be resolved inter
service due to this we must manually create the users postinstall
---
src/systemd/cockpit-wsinstance-http.service.in | 2 +-
src/systemd/cockpit-wsinstance-https@.service.in | 2 +-
src/systemd/cockpit.service.in | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/systemd/cockpit-wsinstance-http.service.in b/src/systemd/cockpit-wsinstance-http.service.in
index 539b90345..17ab21df1 100644
--- a/src/systemd/cockpit-wsinstance-http.service.in
+++ b/src/systemd/cockpit-wsinstance-http.service.in
@@ -7,7 +7,7 @@ After=cockpit-session.socket
[Service]
ExecStart=@libexecdir@/cockpit-ws --no-tls --port=0
-DynamicUser=yes
+DynamicUser=no
Group=cockpit-session-socket
PrivateDevices=yes
diff --git a/src/systemd/cockpit-wsinstance-https@.service.in b/src/systemd/cockpit-wsinstance-https@.service.in
index f66c9f874..db53247c0 100644
--- a/src/systemd/cockpit-wsinstance-https@.service.in
+++ b/src/systemd/cockpit-wsinstance-https@.service.in
@@ -8,7 +8,7 @@ After=cockpit-session.socket
[Service]
Slice=system-cockpithttps.slice
ExecStart=@libexecdir@/cockpit-ws --for-tls-proxy --port=0
-DynamicUser=yes
+DynamicUser=no
Group=cockpit-session-socket
PrivateDevices=yes
diff --git a/src/systemd/cockpit.service.in b/src/systemd/cockpit.service.in
index 97adda221..ec50118aa 100644
--- a/src/systemd/cockpit.service.in
+++ b/src/systemd/cockpit.service.in
@@ -10,7 +10,7 @@ After=cockpit-wsinstance-http.socket cockpit-wsinstance-https-factory.socket
RuntimeDirectory=cockpit/tls
ExecStartPre=+@libexecdir@/cockpit-certificate-ensure --for-cockpit-tls
ExecStart=@libexecdir@/cockpit-tls
-DynamicUser=yes
+DynamicUser=no
# otherwise systemd uses 'cockpit' even if it exists as a normal user account
User=cockpit-systemd-service
Group=cockpit-wsinstance-socket
--
2.48.1
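Review bot: The cockpit-wsinstance-http.service.in and cockpit-wsinstance-https@.service.in hunks set `DynamicUser=no` but show no `User=` line, so unless one exists outside the hunk context these cockpit-ws instances will run as root. Only cockpit.service.in visibly carries `User=cockpit-systemd-service`. Each of the two wsinstance units should name one of the accounts the spec's %pre creates; which account is correct depends on the socket ownership, which is not visible here. Turning DynamicUser off also drops the sandboxing that `DynamicUser=yes` implies, so all three units should state those protections explicitly where they are not already set further down. The unit bodies continue outside the hunks.

```ini
ExecStart=@libexecdir@/cockpit-ws --no-tls --port=0
DynamicUser=no
# Run unprivileged; the account comes from the spec's %pre (confirm which one fits the sockets)
User=cockpit-wsinstance
# Protections that DynamicUser=yes used to imply
ProtectSystem=strict
ProtectHome=read-only
PrivateTmp=yes
NoNewPrivileges=yes
RemoveIPC=yes
# … unchanged: Group= and the remaining sandbox options …
```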


@ -69,6 +69,7 @@ Patch5: storage-btrfs.patch
Patch101: hide-pcp.patch
Patch102: 0002-selinux-temporary-remove-setroubleshoot-section.patch
Patch107: 0006-totp-motd.patch
Patch108: 0007-Remove-DynamicUser-setting-as-these-conflict-with-re.patch
# For anything based on SLES 15 codebase (including Leap, SLE Micro)
Patch103: 0004-leap-gnu18-removal.patch
Patch104: selinux_libdir.patch
@ -230,6 +231,7 @@ BuildRequires: python3-tox-current-env
%patch -P 104 -p1
%patch -P 105 -p1
%patch -P 106 -p1
%patch -P 108 -p1
%endif
%patch -P 201 -p1
@ -638,8 +640,11 @@ authentication via sssd/FreeIPA.
%pre ws
# HACK: old RPM and even Fedora's current RPM don't properly support sysusers
# https://github.com/rpm-software-management/rpm/issues/3073
getent group cockpit-wsinstance >/dev/null || groupadd -r cockpit-wsinstance
getent passwd cockpit-wsinstance >/dev/null || useradd -r -g cockpit-wsinstance -d /nonexisting -s /sbin/nologin -c "User for cockpit-ws instances" cockpit-wsinstance
getent group cockpit-wsinstance-socket >/dev/null || groupadd -r cockpit-wsinstance-socket
getent group cockpit-session-socket >/dev/null || groupadd -r cockpit-session-socket
getent passwd cockpit-wsinstance-socket >/dev/null || useradd -r -g cockpit-wsinstance-socket -d /nonexisting -s /sbin/nologin -c "User for cockpit-ws instances" cockpit-wsinstance-socket
getent passwd cockpit-session-socket >/dev/null || useradd -r -g cockpit-session-socket -d /nonexisting -s /sbin/nologin -c "User for cockpit-session instances" cockpit-session-socket
getent passwd cockpit-systemd-service >/dev/null || useradd -r -g cockpit-wsinstance-socket -d /nonexisting -s /sbin/nologin -c "User for cockpit.service" cockpit-systemd-service
if %{_sbindir}/selinuxenabled 2>/dev/null; then
%selinux_relabel_pre -s %{selinuxtype}