cockpit/0007-Remove-DynamicUser-setting-as-these-conflict-with-re.patch

From 3f0d624c5af89fc9ebe81d92351d8ac8e7583997 Mon Sep 17 00:00:00 2001
From: Alice Brooks <alice.brooks@suse.com>
Date: Mon, 28 Apr 2025 12:40:31 +0530
Subject: [PATCH] Remove DynamicUser setting as these conflict with real users

Real users are having to be created due to Leap15.6's nsswitch not
containing systemd, so dynamic users cannot be resolved inter
service due to this we must manually create the users postinstall

Co-authored-by: Luna D Dragon <luna.dragon@suse.com>
---
 src/systemd/cockpit-wsinstance-http.service.in   | 4 +++-
 src/systemd/cockpit-wsinstance-https@.service.in | 4 +++-
 src/systemd/cockpit.service.in                   | 4 +++-
 3 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/src/systemd/cockpit-wsinstance-http.service.in b/src/systemd/cockpit-wsinstance-http.service.in
index 539b90345..dfc9f3b1b 100644
--- a/src/systemd/cockpit-wsinstance-http.service.in
+++ b/src/systemd/cockpit-wsinstance-http.service.in
@@ -7,7 +7,9 @@ After=cockpit-session.socket
 
 [Service]
 ExecStart=@libexecdir@/cockpit-ws --no-tls --port=0
-DynamicUser=yes
+DynamicUser=no
+PrivateTmp=yes
+ProtectHome=yes
 Group=cockpit-session-socket
 
 PrivateDevices=yes
diff --git a/src/systemd/cockpit-wsinstance-https@.service.in b/src/systemd/cockpit-wsinstance-https@.service.in
index f66c9f874..3c07bb9a7 100644
--- a/src/systemd/cockpit-wsinstance-https@.service.in
+++ b/src/systemd/cockpit-wsinstance-https@.service.in
@@ -8,7 +8,9 @@ After=cockpit-session.socket
 [Service]
 Slice=system-cockpithttps.slice
 ExecStart=@libexecdir@/cockpit-ws --for-tls-proxy --port=0
-DynamicUser=yes
+DynamicUser=no
+PrivateTmp=yes
+ProtectHome=yes
 Group=cockpit-session-socket
 
 PrivateDevices=yes
diff --git a/src/systemd/cockpit.service.in b/src/systemd/cockpit.service.in
index 97adda221..4b496fd3a 100644
--- a/src/systemd/cockpit.service.in
+++ b/src/systemd/cockpit.service.in
@@ -10,7 +10,9 @@ After=cockpit-wsinstance-http.socket cockpit-wsinstance-https-factory.socket
 RuntimeDirectory=cockpit/tls
 ExecStartPre=+@libexecdir@/cockpit-certificate-ensure --for-cockpit-tls
 ExecStart=@libexecdir@/cockpit-tls
-DynamicUser=yes
+DynamicUser=no
+PrivateTmp=yes
+ProtectHome=yes
 # otherwise systemd uses 'cockpit' even if it exists as a normal user account
 User=cockpit-systemd-service
 Group=cockpit-wsinstance-socket
-- 
2.49.0
Fix: Update patch 108 and only apply on leap 15 Patch 108(0007-Remove-DynamicUser-setting-as-these-conflict-with-re.patch) sets DynamicUser to no,This should have also set PrivateTmp and ProtectHome to yes. This patch should have also only been applied on Leap 15 as tumbleweed does have dynamic users. See https://github.com/cockpit-project/bots/issues/7699 for motivation 2025-04-29 12:54:06 +05:30			`From 3f0d624c5af89fc9ebe81d92351d8ac8e7583997 Mon Sep 17 00:00:00 2001`
Dynamic users are completely different on this version of cockpit We need to do various changes to get these fixed since we don't ship systemd in nsswitch.conf 2025-01-30 11:33:11 +00:00			`From: Alice Brooks <alice.brooks@suse.com>`
Fix: Update patch 108 and only apply on leap 15 Patch 108(0007-Remove-DynamicUser-setting-as-these-conflict-with-re.patch) sets DynamicUser to no,This should have also set PrivateTmp and ProtectHome to yes. This patch should have also only been applied on Leap 15 as tumbleweed does have dynamic users. See https://github.com/cockpit-project/bots/issues/7699 for motivation 2025-04-29 12:54:06 +05:30			`Date: Mon, 28 Apr 2025 12:40:31 +0530`
			`Subject: [PATCH] Remove DynamicUser setting as these conflict with real users`
Dynamic users are completely different on this version of cockpit We need to do various changes to get these fixed since we don't ship systemd in nsswitch.conf 2025-01-30 11:33:11 +00:00
			`Real users are having to be created due to Leap15.6's nsswitch not`
			`containing systemd, so dynamic users cannot be resolved inter`
			`service due to this we must manually create the users postinstall`
Fix: Update patch 108 and only apply on leap 15 Patch 108(0007-Remove-DynamicUser-setting-as-these-conflict-with-re.patch) sets DynamicUser to no,This should have also set PrivateTmp and ProtectHome to yes. This patch should have also only been applied on Leap 15 as tumbleweed does have dynamic users. See https://github.com/cockpit-project/bots/issues/7699 for motivation 2025-04-29 12:54:06 +05:30
			`Co-authored-by: Luna D Dragon <luna.dragon@suse.com>`
Dynamic users are completely different on this version of cockpit We need to do various changes to get these fixed since we don't ship systemd in nsswitch.conf 2025-01-30 11:33:11 +00:00			`---`
Fix: Update patch 108 and only apply on leap 15 Patch 108(0007-Remove-DynamicUser-setting-as-these-conflict-with-re.patch) sets DynamicUser to no,This should have also set PrivateTmp and ProtectHome to yes. This patch should have also only been applied on Leap 15 as tumbleweed does have dynamic users. See https://github.com/cockpit-project/bots/issues/7699 for motivation 2025-04-29 12:54:06 +05:30			`src/systemd/cockpit-wsinstance-http.service.in \| 4 +++-`
			`src/systemd/cockpit-wsinstance-https@.service.in \| 4 +++-`
			`src/systemd/cockpit.service.in \| 4 +++-`
			`3 files changed, 9 insertions(+), 3 deletions(-)`
Dynamic users are completely different on this version of cockpit We need to do various changes to get these fixed since we don't ship systemd in nsswitch.conf 2025-01-30 11:33:11 +00:00
			`diff --git a/src/systemd/cockpit-wsinstance-http.service.in b/src/systemd/cockpit-wsinstance-http.service.in`
Fix: Update patch 108 and only apply on leap 15 Patch 108(0007-Remove-DynamicUser-setting-as-these-conflict-with-re.patch) sets DynamicUser to no,This should have also set PrivateTmp and ProtectHome to yes. This patch should have also only been applied on Leap 15 as tumbleweed does have dynamic users. See https://github.com/cockpit-project/bots/issues/7699 for motivation 2025-04-29 12:54:06 +05:30			`index 539b90345..dfc9f3b1b 100644`
Dynamic users are completely different on this version of cockpit We need to do various changes to get these fixed since we don't ship systemd in nsswitch.conf 2025-01-30 11:33:11 +00:00			`--- a/src/systemd/cockpit-wsinstance-http.service.in`
			`+++ b/src/systemd/cockpit-wsinstance-http.service.in`
Fix: Update patch 108 and only apply on leap 15 Patch 108(0007-Remove-DynamicUser-setting-as-these-conflict-with-re.patch) sets DynamicUser to no,This should have also set PrivateTmp and ProtectHome to yes. This patch should have also only been applied on Leap 15 as tumbleweed does have dynamic users. See https://github.com/cockpit-project/bots/issues/7699 for motivation 2025-04-29 12:54:06 +05:30			`@@ -7,7 +7,9 @@ After=cockpit-session.socket`
Dynamic users are completely different on this version of cockpit We need to do various changes to get these fixed since we don't ship systemd in nsswitch.conf 2025-01-30 11:33:11 +00:00
			`[Service]`
			`ExecStart=@libexecdir@/cockpit-ws --no-tls --port=0`
			`-DynamicUser=yes`
			`+DynamicUser=no`
Fix: Update patch 108 and only apply on leap 15 Patch 108(0007-Remove-DynamicUser-setting-as-these-conflict-with-re.patch) sets DynamicUser to no,This should have also set PrivateTmp and ProtectHome to yes. This patch should have also only been applied on Leap 15 as tumbleweed does have dynamic users. See https://github.com/cockpit-project/bots/issues/7699 for motivation 2025-04-29 12:54:06 +05:30			`+PrivateTmp=yes`
			`+ProtectHome=yes`
Dynamic users are completely different on this version of cockpit We need to do various changes to get these fixed since we don't ship systemd in nsswitch.conf 2025-01-30 11:33:11 +00:00			`Group=cockpit-session-socket`

			`PrivateDevices=yes`
			`diff --git a/src/systemd/cockpit-wsinstance-https@.service.in b/src/systemd/cockpit-wsinstance-https@.service.in`
Fix: Update patch 108 and only apply on leap 15 Patch 108(0007-Remove-DynamicUser-setting-as-these-conflict-with-re.patch) sets DynamicUser to no,This should have also set PrivateTmp and ProtectHome to yes. This patch should have also only been applied on Leap 15 as tumbleweed does have dynamic users. See https://github.com/cockpit-project/bots/issues/7699 for motivation 2025-04-29 12:54:06 +05:30			`index f66c9f874..3c07bb9a7 100644`
Dynamic users are completely different on this version of cockpit We need to do various changes to get these fixed since we don't ship systemd in nsswitch.conf 2025-01-30 11:33:11 +00:00			`--- a/src/systemd/cockpit-wsinstance-https@.service.in`
			`+++ b/src/systemd/cockpit-wsinstance-https@.service.in`
Fix: Update patch 108 and only apply on leap 15 Patch 108(0007-Remove-DynamicUser-setting-as-these-conflict-with-re.patch) sets DynamicUser to no,This should have also set PrivateTmp and ProtectHome to yes. This patch should have also only been applied on Leap 15 as tumbleweed does have dynamic users. See https://github.com/cockpit-project/bots/issues/7699 for motivation 2025-04-29 12:54:06 +05:30			`@@ -8,7 +8,9 @@ After=cockpit-session.socket`
Dynamic users are completely different on this version of cockpit We need to do various changes to get these fixed since we don't ship systemd in nsswitch.conf 2025-01-30 11:33:11 +00:00			`[Service]`
			`Slice=system-cockpithttps.slice`
			`ExecStart=@libexecdir@/cockpit-ws --for-tls-proxy --port=0`
			`-DynamicUser=yes`
			`+DynamicUser=no`
Fix: Update patch 108 and only apply on leap 15 Patch 108(0007-Remove-DynamicUser-setting-as-these-conflict-with-re.patch) sets DynamicUser to no,This should have also set PrivateTmp and ProtectHome to yes. This patch should have also only been applied on Leap 15 as tumbleweed does have dynamic users. See https://github.com/cockpit-project/bots/issues/7699 for motivation 2025-04-29 12:54:06 +05:30			`+PrivateTmp=yes`
			`+ProtectHome=yes`
Dynamic users are completely different on this version of cockpit We need to do various changes to get these fixed since we don't ship systemd in nsswitch.conf 2025-01-30 11:33:11 +00:00			`Group=cockpit-session-socket`

			`PrivateDevices=yes`
			`diff --git a/src/systemd/cockpit.service.in b/src/systemd/cockpit.service.in`
Fix: Update patch 108 and only apply on leap 15 Patch 108(0007-Remove-DynamicUser-setting-as-these-conflict-with-re.patch) sets DynamicUser to no,This should have also set PrivateTmp and ProtectHome to yes. This patch should have also only been applied on Leap 15 as tumbleweed does have dynamic users. See https://github.com/cockpit-project/bots/issues/7699 for motivation 2025-04-29 12:54:06 +05:30			`index 97adda221..4b496fd3a 100644`
Dynamic users are completely different on this version of cockpit We need to do various changes to get these fixed since we don't ship systemd in nsswitch.conf 2025-01-30 11:33:11 +00:00			`--- a/src/systemd/cockpit.service.in`
			`+++ b/src/systemd/cockpit.service.in`
Fix: Update patch 108 and only apply on leap 15 Patch 108(0007-Remove-DynamicUser-setting-as-these-conflict-with-re.patch) sets DynamicUser to no,This should have also set PrivateTmp and ProtectHome to yes. This patch should have also only been applied on Leap 15 as tumbleweed does have dynamic users. See https://github.com/cockpit-project/bots/issues/7699 for motivation 2025-04-29 12:54:06 +05:30			`@@ -10,7 +10,9 @@ After=cockpit-wsinstance-http.socket cockpit-wsinstance-https-factory.socket`
Dynamic users are completely different on this version of cockpit We need to do various changes to get these fixed since we don't ship systemd in nsswitch.conf 2025-01-30 11:33:11 +00:00			`RuntimeDirectory=cockpit/tls`
			`ExecStartPre=+@libexecdir@/cockpit-certificate-ensure --for-cockpit-tls`
			`ExecStart=@libexecdir@/cockpit-tls`
			`-DynamicUser=yes`
			`+DynamicUser=no`
Fix: Update patch 108 and only apply on leap 15 Patch 108(0007-Remove-DynamicUser-setting-as-these-conflict-with-re.patch) sets DynamicUser to no,This should have also set PrivateTmp and ProtectHome to yes. This patch should have also only been applied on Leap 15 as tumbleweed does have dynamic users. See https://github.com/cockpit-project/bots/issues/7699 for motivation 2025-04-29 12:54:06 +05:30			`+PrivateTmp=yes`
			`+ProtectHome=yes`
Dynamic users are completely different on this version of cockpit We need to do various changes to get these fixed since we don't ship systemd in nsswitch.conf 2025-01-30 11:33:11 +00:00			`# otherwise systemd uses 'cockpit' even if it exists as a normal user account`
			`User=cockpit-systemd-service`
			`Group=cockpit-wsinstance-socket`
			`--`
Fix: Update patch 108 and only apply on leap 15 Patch 108(0007-Remove-DynamicUser-setting-as-these-conflict-with-re.patch) sets DynamicUser to no,This should have also set PrivateTmp and ProtectHome to yes. This patch should have also only been applied on Leap 15 as tumbleweed does have dynamic users. See https://github.com/cockpit-project/bots/issues/7699 for motivation 2025-04-29 12:54:06 +05:30			`2.49.0`
Dynamic users are completely different on this version of cockpit We need to do various changes to get these fixed since we don't ship systemd in nsswitch.conf 2025-01-30 11:33:11 +00:00