all: stop creating static users

Move all remaining systemd services over to DynamicUser=yes and remove
the variables from configure.ac and the build system.

Adjust the distribution packaging.

Author: allisonkarlitskaya

configure.ac

@@ -274,62 +274,6 @@ fi
 AM_CONDITIONAL(WITH_ASAN, test "$enable_asan" = "yes")
 AC_MSG_RESULT($asan_status)
 
-# User and group for running cockpit web server (cockpit-tls or -ws in customized setups)
-
-AC_ARG_WITH(cockpit_user,
-	    AS_HELP_STRING([--with-cockpit-user=<user>],
-			   [User for running cockpit (root)]
-                          )
-           )
-AC_ARG_WITH(cockpit_group,
-	    AS_HELP_STRING([--with-cockpit-group=<group>],
-			   [Group for running cockpit]
-                          )
-           )
-if test -z "$with_cockpit_user"; then
-    COCKPIT_USER=root
-    COCKPIT_GROUP=
-else
-    COCKPIT_USER=$with_cockpit_user
-    if test -z "$with_cockpit_group"; then
-        COCKPIT_GROUP=$with_cockpit_user
-    else
-	COCKPIT_GROUP=$with_cockpit_group
-    fi
-fi
-
-AC_SUBST(COCKPIT_USER)
-AC_SUBST(COCKPIT_GROUP)
-
-# User for running cockpit-ws instances from cockpit-tls
-
-AC_ARG_WITH(cockpit_ws_instance_user,
-	    AS_HELP_STRING([--with-cockpit-ws-instance-user=<user>],
-			   [User for running cockpit-ws instances from cockpit-tls (root)]
-                          )
-           )
-AC_ARG_WITH(cockpit_ws_instance_group,
-	    AS_HELP_STRING([--with-cockpit-ws-instance-group=<group>],
-			   [Group for running cockpit-ws instances from cockpit-tls]
-                          )
-           )
-if test -z "$with_cockpit_ws_instance_user"; then
-    if test "$COCKPIT_USER" != "root"; then
-        AC_MSG_ERROR([--with-cockpit-ws-instance-user is required when setting --with-cockpit-user])
-    fi
-    COCKPIT_WSINSTANCE_USER=root
-else
-    COCKPIT_WSINSTANCE_USER=$with_cockpit_ws_instance_user
-    if test -z "$with_cockpit_ws_instance_group"; then
-        COCKPIT_WSINSTANCE_GROUP=$with_cockpit_ws_instance_user
-    else
-        COCKPIT_WSINSTANCE_GROUP=$with_cockpit_ws_instance_group
-    fi
-fi
-
-AC_SUBST(COCKPIT_WSINSTANCE_USER)
-AC_SUBST(COCKPIT_WSINSTANCE_GROUP)
-
 # admin users group
 AC_ARG_WITH([admin-group],
             [AS_HELP_STRING([--with-admin-group=GROUP],
@@ -495,10 +439,6 @@ echo "
         cflags:                     ${CFLAGS}
         cppflags:                   ${CPPFLAGS}
 
-        cockpit-ws user:            ${COCKPIT_USER}
-        cockpit-ws group:           ${COCKPIT_GROUP}
-        cockpit-ws instance user:   ${COCKPIT_WSINSTANCE_USER}
-        cockpit-ws instance group:  ${COCKPIT_WSINSTANCE_GROUP}
         admin group:                ${admin_group}
 
         Building docs:              ${enable_doc}

src/systemd/Makefile.am

@@ -41,11 +41,7 @@ src/systemd/%: src/systemd/%.in
 	-e 's,[@]PACKAGE[@],$(PACKAGE),g' \
 	-e 's,[@]admin_group[@],$(admin_group),g' \
 	-e 's,[@]datadir[@],$(datadir),g' \
-	-e 's,[@]group[@],$(COCKPIT_GROUP),g' \
 	-e 's,[@]libexecdir[@],$(libexecdir),g' \
-	-e 's,[@]user[@],$(COCKPIT_USER),g' \
-	-e 's,[@]wsinstancegroup[@],$(COCKPIT_WSINSTANCE_GROUP),g' \
-	-e 's,[@]wsinstanceuser[@],$(COCKPIT_WSINSTANCE_USER),g' \
 	$< > $@.tmp && mv -f $@.tmp $@
 
 systemdgenerated = \

src/systemd/cockpit-wsinstance-http.service.in

@@ -7,6 +7,5 @@ After=cockpit-session.socket cockpit-session-socket-owner.service
 
 [Service]
 ExecStart=@libexecdir@/cockpit-ws --no-tls --port=0
-User=@wsinstanceuser@
-Group=@wsinstancegroup@
+DynamicUser=true
 SupplementaryGroups=cockpit-session-socket

src/systemd/cockpit-wsinstance-https@.service.in

@@ -8,6 +8,5 @@ After=cockpit-session.socket cockpit-session-socket-owner.service
 [Service]
 Slice=system-cockpithttps.slice
 ExecStart=@libexecdir@/cockpit-ws --for-tls-proxy --port=0
-User=@wsinstanceuser@
-Group=@wsinstancegroup@
+DynamicUser=yes
 SupplementaryGroups=cockpit-session-socket

src/systemd/cockpit.service.in

@@ -11,8 +11,7 @@ RuntimeDirectory=cockpit/tls
 Environment=RUNTIME_DIRECTORY=/run/cockpit/tls
 ExecStartPre=+@libexecdir@/cockpit-certificate-ensure --for-cockpit-tls
 ExecStart=@libexecdir@/cockpit-tls
-User=@user@
-Group=@group@
+DynamicUser=yes
 SupplementaryGroups=cockpit-wsinstance-socket
 NoNewPrivileges=true
 ProtectSystem=strict

tools/cockpit.spec

@@ -164,8 +164,6 @@ Recommends: subscription-manager-cockpit
 exec 2>&1
 %configure \
     --disable-silent-rules \
-    --with-cockpit-user=cockpit-ws \
-    --with-cockpit-ws-instance-user=cockpit-wsinstance \
 %if 0%{?suse_version}
     --docdir=%_defaultdocdir/%{name} \
 %endif
@@ -516,10 +514,6 @@ authentication via sssd/FreeIPA.
 %endif
 
 %pre ws
-getent group cockpit-ws >/dev/null || groupadd -r cockpit-ws
-getent passwd cockpit-ws >/dev/null || useradd -r -g cockpit-ws -d /nonexisting -s /sbin/nologin -c "User for cockpit web service" cockpit-ws
-getent group cockpit-wsinstance >/dev/null || groupadd -r cockpit-wsinstance
-getent passwd cockpit-wsinstance >/dev/null || useradd -r -g cockpit-wsinstance -d /nonexisting -s /sbin/nologin -c "User for cockpit-ws instances" cockpit-wsinstance
 
 %if 0%{?with_selinux}
 if %{_sbindir}/selinuxenabled 2>/dev/null; then

tools/debian/cockpit-ws.postinst

@@ -1,9 +1,6 @@
 #!/bin/sh
 set -e
 
-adduser --system --group --home /nonexistent --no-create-home --quiet cockpit-ws
-adduser --system --group --home /nonexistent --no-create-home --quiet cockpit-wsinstance
-
 #DEBHELPER#
 
 # restart cockpit.service on package upgrades, if it's already running

tools/debian/rules

@@ -17,8 +17,6 @@ endif
 
 override_dh_auto_configure:
 	dh_auto_configure -- \
-		--with-cockpit-user=cockpit-ws \
-		--with-cockpit-ws-instance-user=cockpit-wsinstance \
 		--with-pamdir=/lib/$(DEB_HOST_MULTIARCH)/security \
 		--libexecdir=/usr/lib/cockpit $(CONFIG_OPTIONS)