Fix: Update patch 108 and only apply on leap 15
Patch 108 (0007-Remove-DynamicUser-setting-as-these-conflict-with-re.patch) sets DynamicUser to no. It should also have set PrivateTmp and ProtectHome to yes, and it should only have been applied on Leap 15, as Tumbleweed does have dynamic users. See https://github.com/cockpit-project/bots/issues/7699 for motivation.
1
.gitignore
vendored
1
.gitignore
vendored
@@ -1,2 +1,3 @@
|
||||
.osc
|
||||
node_modules.sums
|
||||
_build*
|
@@ -1,57 +1,64 @@
|
||||
From 730d204ff5a1f0382c3edffe51ce62c890cf86f2 Mon Sep 17 00:00:00 2001
|
||||
From 3f0d624c5af89fc9ebe81d92351d8ac8e7583997 Mon Sep 17 00:00:00 2001
|
||||
From: Alice Brooks <alice.brooks@suse.com>
|
||||
Date: Thu, 30 Jan 2025 10:45:46 +0000
|
||||
Subject: [PATCH 1/1] Remove DynamicUser setting as these conflict with real
|
||||
users
|
||||
Date: Mon, 28 Apr 2025 12:40:31 +0530
|
||||
Subject: [PATCH] Remove DynamicUser setting as these conflict with real users
|
||||
|
||||
Real users are having to be created due to Leap15.6's nsswitch not
|
||||
containing systemd, so dynamic users cannot be resolved inter
|
||||
service due to this we must manually create the users postinstall
|
||||
|
||||
Co-authored-by: Luna D Dragon <luna.dragon@suse.com>
|
||||
---
|
||||
src/systemd/cockpit-wsinstance-http.service.in | 2 +-
|
||||
src/systemd/cockpit-wsinstance-https@.service.in | 2 +-
|
||||
src/systemd/cockpit.service.in | 2 +-
|
||||
3 files changed, 3 insertions(+), 3 deletions(-)
|
||||
src/systemd/cockpit-wsinstance-http.service.in | 4 +++-
|
||||
src/systemd/cockpit-wsinstance-https@.service.in | 4 +++-
|
||||
src/systemd/cockpit.service.in | 4 +++-
|
||||
3 files changed, 9 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/systemd/cockpit-wsinstance-http.service.in b/src/systemd/cockpit-wsinstance-http.service.in
|
||||
index 539b90345..17ab21df1 100644
|
||||
index 539b90345..dfc9f3b1b 100644
|
||||
--- a/src/systemd/cockpit-wsinstance-http.service.in
|
||||
+++ b/src/systemd/cockpit-wsinstance-http.service.in
|
||||
@@ -7,7 +7,7 @@ After=cockpit-session.socket
|
||||
@@ -7,7 +7,9 @@ After=cockpit-session.socket
|
||||
|
||||
[Service]
|
||||
ExecStart=@libexecdir@/cockpit-ws --no-tls --port=0
|
||||
-DynamicUser=yes
|
||||
+DynamicUser=no
|
||||
+PrivateTmp=yes
|
||||
+ProtectHome=yes
|
||||
Group=cockpit-session-socket
|
||||
|
||||
PrivateDevices=yes
|
||||
diff --git a/src/systemd/cockpit-wsinstance-https@.service.in b/src/systemd/cockpit-wsinstance-https@.service.in
|
||||
index f66c9f874..db53247c0 100644
|
||||
index f66c9f874..3c07bb9a7 100644
|
||||
--- a/src/systemd/cockpit-wsinstance-https@.service.in
|
||||
+++ b/src/systemd/cockpit-wsinstance-https@.service.in
|
||||
@@ -8,7 +8,7 @@ After=cockpit-session.socket
|
||||
@@ -8,7 +8,9 @@ After=cockpit-session.socket
|
||||
[Service]
|
||||
Slice=system-cockpithttps.slice
|
||||
ExecStart=@libexecdir@/cockpit-ws --for-tls-proxy --port=0
|
||||
-DynamicUser=yes
|
||||
+DynamicUser=no
|
||||
+PrivateTmp=yes
|
||||
+ProtectHome=yes
|
||||
Group=cockpit-session-socket
|
||||
|
||||
PrivateDevices=yes
|
||||
diff --git a/src/systemd/cockpit.service.in b/src/systemd/cockpit.service.in
|
||||
index 97adda221..ec50118aa 100644
|
||||
index 97adda221..4b496fd3a 100644
|
||||
--- a/src/systemd/cockpit.service.in
|
||||
+++ b/src/systemd/cockpit.service.in
|
||||
@@ -10,7 +10,7 @@ After=cockpit-wsinstance-http.socket cockpit-wsinstance-https-factory.socket
|
||||
@@ -10,7 +10,9 @@ After=cockpit-wsinstance-http.socket cockpit-wsinstance-https-factory.socket
|
||||
RuntimeDirectory=cockpit/tls
|
||||
ExecStartPre=+@libexecdir@/cockpit-certificate-ensure --for-cockpit-tls
|
||||
ExecStart=@libexecdir@/cockpit-tls
|
||||
-DynamicUser=yes
|
||||
+DynamicUser=no
|
||||
+PrivateTmp=yes
|
||||
+ProtectHome=yes
|
||||
# otherwise systemd uses 'cockpit' even if it exists as a normal user account
|
||||
User=cockpit-systemd-service
|
||||
Group=cockpit-wsinstance-socket
|
||||
--
|
||||
2.48.1
|
||||
2.49.0
|
||||
|
||||
|
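Review bot: In the hunks for cockpit-wsinstance-http.service.in and cockpit-wsinstance-https@.service.in, `DynamicUser=no` is set with only `Group=cockpit-session-socket` visible and no `User=` line, and a systemd system service without `User=` runs as root. If no `User=` is set further down in those units (both continue outside the hunks) or by another patch, cockpit-ws loses the unprivileged identity that DynamicUser gave it; an explicit line such as `User=cockpit-wsinstance-socket`, the account the spec's `%pre ws` creates as "User for cockpit-ws instances", would restore it. `DynamicUser=yes` also implied `ProtectSystem=strict`, `NoNewPrivileges=yes` and `RestrictSUIDSGID=yes`, which the added `PrivateTmp=yes` and `ProtectHome=yes` do not bring back in any of the three units. Consider adding them after confirming that nothing these services start relies on a setuid exec, since the Leap 15 branch of the spec installs cockpit-session with mode 4750.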
@@ -1,3 +1,11 @@
|
||||
-------------------------------------------------------------------
|
||||
Mon Apr 28 07:43:52 UTC 2025 - Luna D Dragon <luna.dragon@suse.com>
|
||||
|
||||
- Update 0007-Remove-DynamicUser-setting-as-these-conflict-with-re.patch
|
||||
Update the patch to set ProtectHome and PrivateTmp to yes as it is implied
|
||||
when DynamicUser is enabled. The patch is also now only applied on leap 15
|
||||
where it is relevant
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Apr 16 11:48:12 UTC 2025 - Alice Brooks <alice.brooks@suse.com>
|
||||
|
||||
|
10
cockpit.spec
10
cockpit.spec
@@ -215,7 +215,6 @@ BuildRequires: python3-pytest-timeout
|
||||
%patch -P 4 -p1
|
||||
%patch -P 5 -p1
|
||||
%patch -P 106 -p1
|
||||
%patch -P 108 -p1
|
||||
%patch -P 109 -p1
|
||||
|
||||
# SLE Micro specific patches
|
||||
@@ -232,6 +231,7 @@ BuildRequires: python3-pytest-timeout
|
||||
%patch -P 103 -p1
|
||||
%patch -P 104 -p1
|
||||
%patch -P 105 -p1
|
||||
%patch -P 108 -p1
|
||||
%else
|
||||
%patch -P 107 -p1
|
||||
%endif
|
||||
@@ -562,11 +562,13 @@ Requires: wallpaper-branding
|
||||
# for cockpit-desktop
|
||||
Suggests: python3
|
||||
Obsoletes: cockpit-tests < 331
|
||||
%if 0%{?suse_version} == 1500
|
||||
Provides: group(cockpit-wsinstance-socket)
|
||||
Provides: group(cockpit-session-socket)
|
||||
Provides: user(cockpit-wsinstance-socket)
|
||||
Provides: user(cockpit-session-socket)
|
||||
Provides: user(cockpit-systemd-service)
|
||||
%endif
|
||||
|
||||
# prevent hard python3 dependency for cockpit-desktop, it falls back to other browsers
|
||||
%global __requires_exclude_from ^%{_libexecdir}/cockpit-client$
|
||||
@@ -626,10 +628,15 @@ authentication via sssd/FreeIPA.
|
||||
%{_libexecdir}/cockpit-desktop
|
||||
%{_libexecdir}/cockpit-certificate-ensure
|
||||
%{_libexecdir}/cockpit-certificate-helper
|
||||
%if 0%{?suse_version} == 1500
|
||||
%{?suse_version:%verify(not mode) }%attr(4750, root, cockpit-wsinstance-socket) %{_libexecdir}/cockpit-session
|
||||
%else
|
||||
%{_libexecdir}/cockpit-session
|
||||
%endif
|
||||
%{_datadir}/cockpit/branding
|
||||
|
||||
%pre ws
|
||||
%if 0%{?suse_version} == 1500
|
||||
# HACK: old RPM and even Fedora's current RPM don't properly support sysusers
|
||||
# https://github.com/rpm-software-management/rpm/issues/3073
|
||||
getent group cockpit-wsinstance-socket >/dev/null || groupadd -r cockpit-wsinstance-socket
|
||||
@@ -637,6 +644,7 @@ getent group cockpit-session-socket >/dev/null || groupadd -r cockpit-session-so
|
||||
getent passwd cockpit-wsinstance-socket >/dev/null || useradd -r -g cockpit-wsinstance-socket -d /nonexisting -s /sbin/nologin -c "User for cockpit-ws instances" cockpit-wsinstance-socket
|
||||
getent passwd cockpit-session-socket >/dev/null || useradd -r -g cockpit-session-socket -d /nonexisting -s /sbin/nologin -c "User for cockpit-session instances" cockpit-session-socket
|
||||
getent passwd cockpit-systemd-service >/dev/null || useradd -r -g cockpit-wsinstance-socket -d /nonexisting -s /sbin/nologin -c "User for cockpit.service" cockpit-systemd-service
|
||||
%endif
|
||||
|
||||
%if 0%{?suse_version} > 1500
|
||||
# Prepare for migration to /usr/lib; save any old .rpmsave
|
||||
|
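Review bot: The moved `%patch -P 108 -p1` now sits in a conditional whose opening `%if` is outside the hunk, so it cannot be confirmed from here that it is the same `0%{?suse_version} == 1500` test that guards the `Provides: user(...)` lines, the setuid `%attr(4750, root, cockpit-wsinstance-socket)` entry and the account creation in `%pre ws`. All four need one condition: if patch 108 is applied on a build where `%pre ws` skips the `useradd` calls, cockpit.service ends up with `DynamicUser=no` and a `User=cockpit-systemd-service` that does not exist. A comment above each guard, for example `# must match the condition under which patch 108 (DynamicUser=no) is applied`, would keep them from drifting apart. The description says Leap 15 only, so it is also worth checking whether `suse_version == 1500` matches other SLE 15-based targets and whether that is intended.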