forked from cockpit/cockpit
Luna D Dragon
96c15c040c
Patch 108(0007-Remove-DynamicUser-setting-as-these-conflict-with-re.patch) sets DynamicUser to no,This should have also set PrivateTmp and ProtectHome to yes. This patch should have also only been applied on Leap 15 as tumbleweed does have dynamic users. See https://github.com/cockpit-project/bots/issues/7699 for motivation
65 lines
2.3 KiB
Diff
65 lines
2.3 KiB
Diff
From 3f0d624c5af89fc9ebe81d92351d8ac8e7583997 Mon Sep 17 00:00:00 2001
|
|
From: Alice Brooks <alice.brooks@suse.com>
|
|
Date: Mon, 28 Apr 2025 12:40:31 +0530
|
|
Subject: [PATCH] Remove DynamicUser setting as these conflict with real users
|
|
|
|
Real users are having to be created due to Leap15.6's nsswitch not
|
|
containing systemd, so dynamic users cannot be resolved inter
|
|
service due to this we must manually create the users postinstall
|
|
|
|
Co-authored-by: Luna D Dragon <luna.dragon@suse.com>
|
|
---
|
|
src/systemd/cockpit-wsinstance-http.service.in | 4 +++-
|
|
src/systemd/cockpit-wsinstance-https@.service.in | 4 +++-
|
|
src/systemd/cockpit.service.in | 4 +++-
|
|
3 files changed, 9 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/src/systemd/cockpit-wsinstance-http.service.in b/src/systemd/cockpit-wsinstance-http.service.in
|
|
index 539b90345..dfc9f3b1b 100644
|
|
--- a/src/systemd/cockpit-wsinstance-http.service.in
|
|
+++ b/src/systemd/cockpit-wsinstance-http.service.in
|
|
@@ -7,7 +7,9 @@ After=cockpit-session.socket
|
|
|
|
[Service]
|
|
ExecStart=@libexecdir@/cockpit-ws --no-tls --port=0
|
|
-DynamicUser=yes
|
|
+DynamicUser=no
|
|
+PrivateTmp=yes
|
|
+ProtectHome=yes
|
|
Group=cockpit-session-socket
|
|
|
|
PrivateDevices=yes
|
|
diff --git a/src/systemd/cockpit-wsinstance-https@.service.in b/src/systemd/cockpit-wsinstance-https@.service.in
|
|
index f66c9f874..3c07bb9a7 100644
|
|
--- a/src/systemd/cockpit-wsinstance-https@.service.in
|
|
+++ b/src/systemd/cockpit-wsinstance-https@.service.in
|
|
@@ -8,7 +8,9 @@ After=cockpit-session.socket
|
|
[Service]
|
|
Slice=system-cockpithttps.slice
|
|
ExecStart=@libexecdir@/cockpit-ws --for-tls-proxy --port=0
|
|
-DynamicUser=yes
|
|
+DynamicUser=no
|
|
+PrivateTmp=yes
|
|
+ProtectHome=yes
|
|
Group=cockpit-session-socket
|
|
|
|
PrivateDevices=yes
|
|
diff --git a/src/systemd/cockpit.service.in b/src/systemd/cockpit.service.in
|
|
index 97adda221..4b496fd3a 100644
|
|
--- a/src/systemd/cockpit.service.in
|
|
+++ b/src/systemd/cockpit.service.in
|
|
@@ -10,7 +10,9 @@ After=cockpit-wsinstance-http.socket cockpit-wsinstance-https-factory.socket
|
|
RuntimeDirectory=cockpit/tls
|
|
ExecStartPre=+@libexecdir@/cockpit-certificate-ensure --for-cockpit-tls
|
|
ExecStart=@libexecdir@/cockpit-tls
|
|
-DynamicUser=yes
|
|
+DynamicUser=no
|
|
+PrivateTmp=yes
|
|
+ProtectHome=yes
|
|
# otherwise systemd uses 'cockpit' even if it exists as a normal user account
|
|
User=cockpit-systemd-service
|
|
Group=cockpit-wsinstance-socket
|
|
--
|
|
2.49.0
|
|
|