From 26f5aa862633e94bd0343ca6d2a7a86099523d27 Mon Sep 17 00:00:00 2001
From: Martin Pitt
Date: Thu, 21 Nov 2024 20:11:40 +0100
Subject: [PATCH 1/5] tools: Fix dpkg-statoverride cleanup
postinst scripts can also be called in "abort-upgrade" and "abort-remove" mode. Don't clean up the statoverride in these cases. Fixes commit 98f3d6f8b6.
---
 tools/debian/cockpit-ws.postinst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/debian/cockpit-ws.postinst b/tools/debian/cockpit-ws.postinst
index 9017d6829a2c..2d22c17eaf7e 100644
--- a/tools/debian/cockpit-ws.postinst
+++ b/tools/debian/cockpit-ws.postinst
@@ -4,7 +4,7 @@ set -e
 #DEBHELPER#
 # remove dpkg-statoverride on upgrade
-if dpkg-statoverride --list /usr/lib/cockpit/cockpit-session >/dev/null; then
+if [ "$1" = "configure" ] && dpkg-statoverride --list /usr/lib/cockpit/cockpit-session >/dev/null; then
 dpkg-statoverride --remove /usr/lib/cockpit/cockpit-session
 chmod 755 /usr/lib/cockpit/cockpit-session
 chgrp root /usr/lib/cockpit/cockpit-session
From 5911fb9b02723d8148f2f05561a62181af126f90 Mon Sep 17 00:00:00 2001
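Review bot: The comment above the `if` still says "on upgrade", but the new `[ "$1" = "configure" ]` guard also admits a fresh install and every reconfigure, and the block removes whatever override exists on that path, including one an administrator may have set deliberately with dpkg-statoverride rather than the one an earlier package version presumably installed. If only the package's own override is meant, the old-version argument distinguishes an upgrade: `if [ "$1" = "configure" ] && [ -n "$2" ] && dpkg-statoverride --list /usr/lib/cockpit/cockpit-session >/dev/null; then`. Either way the comment should carry the reason this commit exists, e.g. `# remove the dpkg-statoverride left by earlier package versions; only in "configure", since postinst also runs for abort-upgrade/abort-remove`. The closing `fi` of this block lies outside the hunk.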
From: Allison Karlitskaya
Date: Tue, 11 Jan 2022 08:52:06 +0100
Subject: [PATCH 2/5] systemd: dynamic group for /run/cockpit/session
Unfortunately, socket units can't set DynamicUser=yes [1], so add a dependency on a separate .service created just for this purpose. /run/cockpit/session is now owned by group cockpit-session-socket which also gets added as a supplementary group to the cockpit-ws units. Adjust the proxy tests accordingly. [1] https://github.com/systemd/systemd/issues/23067
---
 src/systemd/Makefile.am | 1 +
 src/systemd/cockpit-session-socket-user.service | 11 +++++++++++
 src/systemd/cockpit-session.socket | 5 ++++-
 src/systemd/cockpit-wsinstance-http.service.in | 5 +++--
 src/systemd/cockpit-wsinstance-https@.service.in | 5 +++--
 test/verify/check-connection | 6 +++---
 tools/cockpit.spec | 1 +
 tools/debian/cockpit-ws.install | 1 +
 8 files changed, 27 insertions(+), 8 deletions(-)
 create mode 100644 src/systemd/cockpit-session-socket-user.service
diff --git a/src/systemd/Makefile.am b/src/systemd/Makefile.am
index 94ac4ac57807..99b6a036719c 100644
--- a/src/systemd/Makefile.am
+++ b/src/systemd/Makefile.am
@@ -31,6 +31,7 @@ nodist_systemdunit_DATA = \
 dist_systemdunit_DATA = \
 src/systemd/cockpit-session.socket \
+ src/systemd/cockpit-session-socket-user.service \
 src/systemd/cockpit-ws-user.service \
 src/systemd/system-cockpithttps.slice \
 src/systemd/cockpit-wsinstance-http.socket \
diff --git a/src/systemd/cockpit-session-socket-user.service b/src/systemd/cockpit-session-socket-user.service
new file mode 100644
index 000000000000..4aeadd9b9292
--- /dev/null
+++ b/src/systemd/cockpit-session-socket-user.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=Dynamic user for /run/cockpit/session socket
+BindsTo=cockpit-session.socket
+
+[Service]
+DynamicUser=yes
+User=cockpit-session-socket
+Group=cockpit-session-socket
+Type=oneshot
+ExecStart=/bin/true
+RemainAfterExit=yes
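Review bot: The new unit gives no hint why a oneshot whose only job is `ExecStart=/bin/true` exists; the reason (socket units cannot use DynamicUser=, so this service is what allocates the `cockpit-session-socket` user/group that `SocketGroup=` on cockpit-session.socket and `SupplementaryGroups=` on the wsinstance units refer to) lives only in the commit message and is lost once the file is installed. A comment at the top of the file would carry it: `# Socket units cannot set DynamicUser= (systemd/systemd#23067). This oneshot exists only to allocate the cockpit-session-socket user/group for cockpit-session.socket's SocketGroup=; RemainAfterExit= presumably keeps the unit, and with it the dynamic IDs, alive for as long as the socket is.` The same applies to cockpit-wsinstance-socket-user.service added in patch 3, which has the identical shape.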
diff --git a/src/systemd/cockpit-session.socket b/src/systemd/cockpit-session.socket
index 74d9b537c668..57df4386a80e 100644
--- a/src/systemd/cockpit-session.socket
+++ b/src/systemd/cockpit-session.socket
@@ -1,10 +1,13 @@
 [Unit]
 Description=Initiator socket for Cockpit sessions
+PartOf=cockpit.service
+Requires=cockpit-session-socket-user.service
+After=cockpit-session-socket-user.service
 [Socket]
 ListenStream=/run/cockpit/session
 SocketUser=root
-SocketGroup=cockpit-wsinstance
+SocketGroup=cockpit-session-socket
 SocketMode=0660
 RemoveOnStop=yes
 Accept=yes
diff --git a/src/systemd/cockpit-wsinstance-http.service.in b/src/systemd/cockpit-wsinstance-http.service.in
index a6860f26ba5a..f29518017331 100644
--- a/src/systemd/cockpit-wsinstance-http.service.in
+++ b/src/systemd/cockpit-wsinstance-http.service.in
@@ -2,10 +2,11 @@ Description=Cockpit Web Service http instance
 Documentation=man:cockpit-ws(8)
 BindsTo=cockpit.service
-Requires=cockpit-session.socket
-After=cockpit-session.socket
+Requires=cockpit-session.socket cockpit-session-socket-user.service
+After=cockpit-session.socket cockpit-session-socket-user.service
 [Service]
 ExecStart=@libexecdir@/cockpit-ws --no-tls --port=0
 User=cockpit-wsinstance
 Group=cockpit-wsinstance
+SupplementaryGroups=cockpit-session-socket
diff --git a/src/systemd/cockpit-wsinstance-https@.service.in b/src/systemd/cockpit-wsinstance-https@.service.in
index b7a3977e6d4c..e7b619f59635 100644
--- a/src/systemd/cockpit-wsinstance-https@.service.in
+++ b/src/systemd/cockpit-wsinstance-https@.service.in
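Review bot: The new `Requires=`/`After=` pair on cockpit-session-socket-user.service in cockpit-session.socket carries no comment, whereas the sibling wsinstance sockets in patch 3 annotate the same kind of dependency with `# ensure our DynamicUser exists`; a reader of this unit alone cannot tell that the dependency is what makes the name in `SocketGroup=cockpit-session-socket` resolvable when the socket is created. Suggest `# SocketGroup= names a DynamicUser group; that unit must be up before the socket is created` above the `Requires=` line. `PartOf=cockpit.service` is also new here and is not mentioned in the commit message; a one-line comment on why the session socket should now stop and restart together with cockpit.service would help.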
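Review bot: In cockpit-wsinstance-http.service.in the extended `Requires=cockpit-session.socket cockpit-session-socket-user.service` looks redundant, since cockpit-session.socket already requires the user service, but it is presumably needed so that `SupplementaryGroups=cockpit-session-socket` can be resolved at the moment this service itself starts; that deserves a why-comment, e.g. `# the dynamic cockpit-session-socket group must already exist, otherwise SupplementaryGroups= cannot be resolved` above `Requires=`. The same applies to the identical change in cockpit-wsinstance-https@.service.in in the next hunk.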
@@ -2,11 +2,12 @@ Description=Cockpit Web Service https instance %I
 Documentation=man:cockpit-ws(8)
 BindsTo=cockpit.service
-Requires=cockpit-session.socket
-After=cockpit-session.socket
+Requires=cockpit-session.socket cockpit-session-socket-user.service
+After=cockpit-session.socket cockpit-session-socket-user.service
 [Service]
 Slice=system-cockpithttps.slice
 ExecStart=@libexecdir@/cockpit-ws --for-tls-proxy --port=0
 User=cockpit-wsinstance
 Group=cockpit-wsinstance
+SupplementaryGroups=cockpit-session-socket
diff --git a/test/verify/check-connection b/test/verify/check-connection
index acaa53cf43d5..11efcba645cc 100755
--- a/test/verify/check-connection
+++ b/test/verify/check-connection
@@ -1005,7 +1005,7 @@ until pgrep -f '^(/usr/[^ ]+/[^ /]*python[^ /]* )?/usr/bin/cockpit-bridge'; do s
 # ws with plain --no-tls should fail after login with mismatching Origin (expected http, got https)
 m.execute("systemctl start cockpit-session.socket")
-m.spawn(f"runuser -u cockpit-wsinstance -- {self.ws_executable} --no-tls -p 9099",
+m.spawn(f"runuser -u cockpit-session-socket -- {self.ws_executable} --no-tls -p 9099",
 "ws-notls.log")
 m.wait_for_cockpit_running(tls=True)
@@ -1038,7 +1038,7 @@ until pgrep -f '^(/usr/[^ ]+/[^ /]*python[^ /]* )?/usr/bin/cockpit-bridge'; do s
 self.allow_browser_errors("Error reading machine id")
 # ws with --for-tls-proxy accepts only https origins, thus should work
-m.spawn(f"runuser -u cockpit-wsinstance -- {self.ws_executable} --for-tls-proxy -p 9099 -a 127.0.0.1",
+m.spawn(f"runuser -u cockpit-session-socket -- {self.ws_executable} --for-tls-proxy -p 9099 -a 127.0.0.1",
 "ws-fortlsproxy.log")
 m.wait_for_cockpit_running(tls=True)
 b.open(f"https://{b.address}:{b.port}/system")
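Review bot: `runuser -u cockpit-session-socket` can only succeed while cockpit-session-socket-user.service is active, because a DynamicUser= account is visible to NSS only for the lifetime of its unit; in the first check-connection hunk this is secured by the preceding `m.execute("systemctl start cockpit-session.socket")`, which pulls the user service in, but in the second hunk and in the `run_ws` hunk at line 1441 no such start is visible in the context, so those spawns presumably rely on state left by earlier steps. If that is intended, a short comment next to the first spawn would make the dependency explicit: `# cockpit-session-socket is a DynamicUser account; it exists only while cockpit-session.socket is up`. The same consideration applies to the `runuser -u cockpit-wsinstance-socket` change in patch 3's check-connection hunk.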
@@ -1441,7 +1441,7 @@ server {
 def run_ws(extra_opts=""):
 m.spawn(
-f"runuser -u cockpit-wsinstance -- {self.libexecdir}/cockpit-ws "
+f"runuser -u cockpit-session-socket -- {self.libexecdir}/cockpit-ws "
 f"--address=127.0.0.1 --for-tls-proxy {extra_opts}",
 "ws.log")
 m.wait_for_cockpit_running()
diff --git a/tools/cockpit.spec b/tools/cockpit.spec
index ca23a65f3b76..da8de4404656 100644
--- a/tools/cockpit.spec
+++ b/tools/cockpit.spec
@@ -378,6 +378,7 @@ authentication via sssd/FreeIPA.
 %{_unitdir}/cockpit-motd.service
 %{_unitdir}/cockpit.socket
 %{_unitdir}/cockpit-ws-user.service
+%{_unitdir}/cockpit-session-socket-user.service
 %{_unitdir}/cockpit-session.socket
 %{_unitdir}/cockpit-session@.service
 %{_unitdir}/cockpit-wsinstance-http.socket
diff --git a/tools/debian/cockpit-ws.install b/tools/debian/cockpit-ws.install
index 8e470709f817..bf118069f330 100644
--- a/tools/debian/cockpit-ws.install
+++ b/tools/debian/cockpit-ws.install
@@ -5,6 +5,7 @@ ${env:deb_systemdsystemunitdir}/cockpit-motd.service
 ${env:deb_systemdsystemunitdir}/cockpit.socket
 ${env:deb_systemdsystemunitdir}/cockpit-session.socket
 ${env:deb_systemdsystemunitdir}/cockpit-session@.service
+${env:deb_systemdsystemunitdir}/cockpit-session-socket-user.service
 ${env:deb_systemdsystemunitdir}/cockpit-ws-user.service
 ${env:deb_systemdsystemunitdir}/cockpit-wsinstance-http.service
 ${env:deb_systemdsystemunitdir}/cockpit-wsinstance-http.socket
From 8ae0d32767421a0dda3d6a2c49469c1cea8d901a Mon Sep 17 00:00:00 2001
From: Allison Karlitskaya
Date: Tue, 11 Jan 2022 08:52:06 +0100
Subject: [PATCH 3/5] systemd: dynamic group for wsinstance sockets
Similar to the last commit, we create a dynamic group for the sockets in /run/cockpit/wsinstance and add a supplementary group to cockpit-tls.
---
 src/systemd/Makefile.am | 1 +
 src/systemd/cockpit-wsinstance-http.service.in | 4 ++--
 src/systemd/cockpit-wsinstance-http.socket | 9 +++++----
 src/systemd/cockpit-wsinstance-https-factory.socket | 9 +++++----
 src/systemd/cockpit-wsinstance-https@.service.in | 4 ++--
 src/systemd/cockpit-wsinstance-https@.socket | 9 +++++----
 src/systemd/cockpit-wsinstance-socket-user.service | 11 +++++++++++
 src/systemd/cockpit.service.in | 5 +++--
 src/tls/README.md | 4 ++--
 test/verify/check-connection | 2 +-
 tools/cockpit.spec | 1 +
 tools/debian/cockpit-ws.install | 1 +
 12 files changed, 39 insertions(+), 21 deletions(-)
 create mode 100644 src/systemd/cockpit-wsinstance-socket-user.service
diff --git a/src/systemd/Makefile.am b/src/systemd/Makefile.am
index 99b6a036719c..761b909c353e 100644
--- a/src/systemd/Makefile.am
+++ b/src/systemd/Makefile.am
@@ -37,6 +37,7 @@ dist_systemdunit_DATA = \
 src/systemd/cockpit-wsinstance-http.socket \
 src/systemd/cockpit-wsinstance-https-factory.socket \
 src/systemd/cockpit-wsinstance-https@.socket \
+ src/systemd/cockpit-wsinstance-socket-user.service \
 $(NULL)
 # -----------------
diff --git a/src/systemd/cockpit-wsinstance-http.service.in b/src/systemd/cockpit-wsinstance-http.service.in
index f29518017331..7f4058021c38 100644
--- a/src/systemd/cockpit-wsinstance-http.service.in
+++ b/src/systemd/cockpit-wsinstance-http.service.in
@@ -7,6 +7,6 @@ After=cockpit-session.socket cockpit-session-socket-user.service
 [Service]
 ExecStart=@libexecdir@/cockpit-ws --no-tls --port=0
-User=cockpit-wsinstance
-Group=cockpit-wsinstance
+User=cockpit-wsinstance-socket
+Group=cockpit-wsinstance-socket
 SupplementaryGroups=cockpit-session-socket
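Review bot: `User=cockpit-wsinstance-socket` now names a DynamicUser= account that only exists while cockpit-wsinstance-socket-user.service is active, but this service's own `Requires=`/`After=` (outside the hunk; the hunk header shows they still end with cockpit-session-socket-user.service) do not list that unit, so the account's existence is guaranteed only indirectly, through the .socket unit that activates this service. Any direct start of the service, or a start racing the socket's dependencies, would then fail to resolve `User=`. Suggest extending both lines in this file, `Requires=cockpit-session.socket cockpit-session-socket-user.service cockpit-wsinstance-socket-user.service` and the matching `After=`, the way the .socket units in this patch do. The same applies to cockpit-wsinstance-https@.service.in in a later hunk.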
diff --git a/src/systemd/cockpit-wsinstance-http.socket b/src/systemd/cockpit-wsinstance-http.socket
index bfaf62a5f06e..9b4d51c7f12d 100644
--- a/src/systemd/cockpit-wsinstance-http.socket
+++ b/src/systemd/cockpit-wsinstance-http.socket
@@ -3,11 +3,12 @@ Description=Socket for Cockpit Web Service http instance
 Documentation=man:cockpit-ws(8)
 BindsTo=cockpit.service
 # ensure our DynamicUser exists
-Requires=cockpit-ws-user.service
-After=cockpit-ws-user.service
+Requires=cockpit-ws-user.service cockpit-wsinstance-socket-user.service
+After=cockpit-ws-user.service cockpit-wsinstance-socket-user.service
 [Socket]
 ListenStream=/run/cockpit/wsinstance/http.sock
-SocketUser=cockpit-ws
-SocketMode=0600
+SocketUser=root
+SocketGroup=cockpit-wsinstance-socket
+SocketMode=0660
 RemoveOnStop=yes
diff --git a/src/systemd/cockpit-wsinstance-https-factory.socket b/src/systemd/cockpit-wsinstance-https-factory.socket
index 1179afa2fce7..03b6e832c6e4 100644
--- a/src/systemd/cockpit-wsinstance-https-factory.socket
+++ b/src/systemd/cockpit-wsinstance-https-factory.socket
@@ -3,12 +3,13 @@ Description=Socket for Cockpit Web Service https instance factory
 Documentation=man:cockpit-ws(8)
 BindsTo=cockpit.service
 # ensure our DynamicUser exists
-Requires=cockpit-ws-user.service
-After=cockpit-ws-user.service
+Requires=cockpit-ws-user.service cockpit-wsinstance-socket-user.service
+After=cockpit-ws-user.service cockpit-wsinstance-socket-user.service
 [Socket]
 ListenStream=/run/cockpit/wsinstance/https-factory.sock
 Accept=yes
-SocketUser=cockpit-ws
-SocketMode=0600
+SocketUser=root
+SocketGroup=cockpit-wsinstance-socket
+SocketMode=0660
 RemoveOnStop=yes
diff --git a/src/systemd/cockpit-wsinstance-https@.service.in b/src/systemd/cockpit-wsinstance-https@.service.in
index e7b619f59635..b1f0b0d70158 100644
--- a/src/systemd/cockpit-wsinstance-https@.service.in
+++ b/src/systemd/cockpit-wsinstance-https@.service.in
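Review bot: With `SocketUser=root`, `SocketGroup=cockpit-wsinstance-socket` and `SocketMode=0660`, the sockets under /run/cockpit/wsinstance/ become connectable by everything in that group, and this same patch makes `cockpit-wsinstance-socket` the `User=`/`Group=` of the ws instances themselves; previously they were `cockpit-ws` 0600, i.e. reachable only by cockpit-tls, which runs as cockpit-ws. A ws instance can therefore now open https-factory.sock and any other instance's https@%i.sock (the check-connection change in this patch exercises exactly that as this user), so whatever separation between per-certificate instances the filesystem permissions used to provide now rests on the instances not doing so. If that is acceptable it deserves a comment on the `SocketGroup=` line; if not, a group distinct from the instances' own user, with cockpit-tls as its only member, would restore the boundary. Separately, `# ensure our DynamicUser exists` now sits above a `Requires=` naming two user services, and with `SocketUser=root` the socket itself no longer needs cockpit-ws-user.service, so the comment no longer explains the line; the same applies to the https-factory hunk here and the https@.socket hunk that follows.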
@@ -8,6 +8,6 @@ After=cockpit-session.socket cockpit-session-socket-user.service
 [Service]
 Slice=system-cockpithttps.slice
 ExecStart=@libexecdir@/cockpit-ws --for-tls-proxy --port=0
-User=cockpit-wsinstance
-Group=cockpit-wsinstance
+User=cockpit-wsinstance-socket
+Group=cockpit-wsinstance-socket
 SupplementaryGroups=cockpit-session-socket
diff --git a/src/systemd/cockpit-wsinstance-https@.socket b/src/systemd/cockpit-wsinstance-https@.socket
index 863801fc0a2b..43e342d328b8 100644
--- a/src/systemd/cockpit-wsinstance-https@.socket
+++ b/src/systemd/cockpit-wsinstance-https@.socket
@@ -7,11 +7,12 @@ BindsTo=cockpit.service
 # the services are resource-limited by system-cockpithttps.slice
 BindsTo=cockpit-wsinstance-https@%i.service
 # ensure our DynamicUser exists
-Requires=cockpit-ws-user.service
-After=cockpit-ws-user.service
+Requires=cockpit-ws-user.service cockpit-wsinstance-socket-user.service
+After=cockpit-ws-user.service cockpit-wsinstance-socket-user.service
 [Socket]
 ListenStream=/run/cockpit/wsinstance/https@%i.sock
-SocketUser=cockpit-ws
-SocketMode=0600
+SocketUser=root
+SocketGroup=cockpit-wsinstance-socket
+SocketMode=0660
 RemoveOnStop=yes
diff --git a/src/systemd/cockpit-wsinstance-socket-user.service b/src/systemd/cockpit-wsinstance-socket-user.service
new file mode 100644
index 000000000000..cded24a5fac9
--- /dev/null
+++ b/src/systemd/cockpit-wsinstance-socket-user.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=Dynamic user for /run/cockpit/wsinstance/ sockets
+BindsTo=cockpit.service
+
+[Service]
+DynamicUser=yes
+User=cockpit-wsinstance-socket
+Group=cockpit-wsinstance-socket
+Type=oneshot
+ExecStart=/bin/true
+RemainAfterExit=yes
diff --git a/src/systemd/cockpit.service.in b/src/systemd/cockpit.service.in
index 82756bfbc078..34598ba2524c 100644
--- a/src/systemd/cockpit.service.in
+++ b/src/systemd/cockpit.service.in
@@ -4,8 +4,8 @@ Documentation=man:cockpit-ws(8)
 Requires=cockpit.socket
 Requires=cockpit-wsinstance-http.socket cockpit-wsinstance-https-factory.socket
 # ensure our DynamicUser exists
-Requires=cockpit-ws-user.service
-After=cockpit-ws-user.service
+Requires=cockpit-ws-user.service cockpit-wsinstance-socket-user.service
+After=cockpit-ws-user.service cockpit-wsinstance-socket-user.service
 # we need to start after the sockets so that we can instantly forward incoming requests
 After=cockpit-wsinstance-http.socket cockpit-wsinstance-https-factory.socket
@@ -17,6 +17,7 @@ ExecStartPre=+@libexecdir@/cockpit-certificate-ensure --for-cockpit-tls
 ExecStart=@libexecdir@/cockpit-tls
 User=cockpit-ws
 Group=cockpit-ws
+SupplementaryGroups=cockpit-wsinstance-socket
 NoNewPrivileges=true
 ProtectSystem=strict
 ProtectHome=true
diff --git a/src/tls/README.md b/src/tls/README.md
index 36d512fefd66..c8ed4cc5fe87 100644
--- a/src/tls/README.md
+++ b/src/tls/README.md
@@ -73,8 +73,8 @@ use of systemd features.
 reads the fingerprint from stdin, and asks systemd to start a new [cockpit-wsinstance-https@fingerprint.socket](../src/ws/cockpit-wsinstance-https@.socket.in) and .service pair.
- * Each instance runs in its own systemd cgroup, as another unprivileged system
- user `cockpit-wsinstance`.
+ * Each instance runs in its own systemd cgroup, as another unprivileged
+ dynamic system user `cockpit-wsinstance-socket`.
 * cockpit-tls exports the client certificates to `/run/cockpit/tls/` while there is at least one open connection with that certificate, i. e. as long as there is an active Cockpit session.
diff --git a/test/verify/check-connection b/test/verify/check-connection
index 11efcba645cc..40090a82db1c 100755
--- a/test/verify/check-connection
+++ b/test/verify/check-connection
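Review bot: In cockpit.service.in the `# ensure our DynamicUser exists` comment now also covers cockpit-wsinstance-socket-user.service, which is not this unit's own user but the group that `SupplementaryGroups=cockpit-wsinstance-socket` in the second hunk must be able to resolve when cockpit-tls starts; the comment should say so, e.g. `# ensure our DynamicUser and the wsinstance socket group exist before cockpit-tls starts`. The new `SupplementaryGroups=` line itself would also benefit from a why-comment, such as `# needed to connect to the 0660 sockets under /run/cockpit/wsinstance/`, since the unit's hardening lines right below it give no hint of that.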
@@ -332,7 +332,7 @@ class TestConnection(testlib.MachineCase):
 # number of https instances is bounded (DoS prevention)
 # with MaxTasks=200 und 2 threads per ws instance we should have a
 # rough limit of 100 instances, so at some point curl should start failing
-m.execute("runuser -u cockpit-ws -- sh -ec 'RC=1; for i in `seq 120`; do "
+m.execute("runuser -u cockpit-wsinstance-socket -- sh -ec 'RC=1; for i in `seq 120`; do "
 " echo -n $i | nc %s -U /run/cockpit/wsinstance/https-factory.sock;"
 " curl --silent --head --max-time 5 --unix-socket /run/cockpit/wsinstance/https@$i.sock http://dummy > /dev/null || RC=0; "
 "done; exit $RC'" % n_opt)
diff --git a/tools/cockpit.spec b/tools/cockpit.spec
index da8de4404656..2aa689d14ed5 100644
--- a/tools/cockpit.spec
+++ b/tools/cockpit.spec
@@ -387,6 +387,7 @@ authentication via sssd/FreeIPA.
 %{_unitdir}/cockpit-wsinstance-https-factory@.service
 %{_unitdir}/cockpit-wsinstance-https@.socket
 %{_unitdir}/cockpit-wsinstance-https@.service
+%{_unitdir}/cockpit-wsinstance-socket-user.service
 %{_unitdir}/system-cockpithttps.slice
 %{_prefix}/%{__lib}/tmpfiles.d/cockpit-ws.conf
 %{_sysusersdir}/cockpit-wsinstance.conf
diff --git a/tools/debian/cockpit-ws.install b/tools/debian/cockpit-ws.install
index bf118069f330..8fab44a15f95 100644
--- a/tools/debian/cockpit-ws.install
+++ b/tools/debian/cockpit-ws.install
@@ -13,6 +13,7 @@ ${env:deb_systemdsystemunitdir}/cockpit-wsinstance-https-factory@.service
 ${env:deb_systemdsystemunitdir}/cockpit-wsinstance-https-factory.socket
 ${env:deb_systemdsystemunitdir}/cockpit-wsinstance-https@.service
 ${env:deb_systemdsystemunitdir}/cockpit-wsinstance-https@.socket
+${env:deb_systemdsystemunitdir}/cockpit-wsinstance-socket-user.service
 ${env:deb_systemdsystemunitdir}/system-cockpithttps.slice
 ${env:deb_pamlibdir}/security/pam_ssh_add.so
 ${env:deb_pamlibdir}/security/pam_cockpit_cert.so
From e438ef21abe6f8d9614aa390bed21bec6f48a498 Mon Sep 17 00:00:00 2001
From: Allison Karlitskaya
Date: Tue, 11 Jan 2022 08:52:06 +0100
Subject: [PATCH 4/5] .gitignore: only ignore cockpit.socket
We only dynamically generate a single .socket file now. The rest of them are in version control and installed verbatim.
---
 .gitignore | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.gitignore b/.gitignore
index 8e3d84252791..b6d108ec306e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -76,7 +76,7 @@ Makefile.in
 /src/cockpit.egg-info/
 /src/common/fail-html.c
 /src/systemd/cockpit*.service
-/src/systemd/cockpit*.socket
+/src/systemd/cockpit.socket
 /src/systemd/tmpfiles.d/cockpit-ws.conf
 /src/tls/cockpit-certificate-helper
 /src/ws/cockpit-desktop
From 73875c21a7aa91b7daccf4525404d74cfc23e41e Mon Sep 17 00:00:00 2001
From: Allison Karlitskaya
Date: Tue, 11 Jan 2022 08:52:06 +0100
Subject: [PATCH 5/5] systemd, tools: stop creating static cockpit-wsinstance user
Clean it up on package upgrades. Unlike the old `cockpit-ws` user, this user never owned any files on disk (other than cockpit-system), so this is safe.
Co-Authored-By: Martin Pitt
---
 src/systemd/Makefile.am | 5 -----
 src/systemd/sysusers.d/cockpit-wsinstance.conf | 1 -
 tools/cockpit.spec | 11 +++++------
 tools/debian/cockpit-ws.install | 1 -
 tools/debian/cockpit-ws.postinst | 6 ++++++
 tools/debian/rules | 4 ----
 6 files changed, 11 insertions(+), 17 deletions(-)
 delete mode 100644 src/systemd/sysusers.d/cockpit-wsinstance.conf
diff --git a/src/systemd/Makefile.am b/src/systemd/Makefile.am
index 761b909c353e..75d6064beb83 100644
--- a/src/systemd/Makefile.am
+++ b/src/systemd/Makefile.am
@@ -59,11 +59,6 @@ tmpfilesconfdir = $(prefix)/lib/tmpfiles.d
 systemdgenerated += $(nodist_tmpfilesconf_DATA)
 nodist_tmpfilesconf_DATA = src/systemd/tmpfiles.d/cockpit-ws.conf
-# -----------------
-# sysusers
-sysusersconfdir = $(prefix)/lib/sysusers.d
-dist_sysusersconf_DATA = src/systemd/sysusers.d/cockpit-wsinstance.conf
-
 # -----------------
 # Policykit
 polkitdir = $(datadir)/polkit-1/actions
diff --git a/src/systemd/sysusers.d/cockpit-wsinstance.conf b/src/systemd/sysusers.d/cockpit-wsinstance.conf
deleted file mode 100644
index 3f8775bbba5d..000000000000
--- a/src/systemd/sysusers.d/cockpit-wsinstance.conf
+++ /dev/null
@@ -1 +0,0 @@
-u cockpit-wsinstance - "User for cockpit-ws instances" -
diff --git a/tools/cockpit.spec b/tools/cockpit.spec
index 2aa689d14ed5..b26c5b32d98c 100644
--- a/tools/cockpit.spec
+++ b/tools/cockpit.spec
@@ -390,7 +390,6 @@ authentication via sssd/FreeIPA.
 %{_unitdir}/cockpit-wsinstance-socket-user.service
 %{_unitdir}/system-cockpithttps.slice
 %{_prefix}/%{__lib}/tmpfiles.d/cockpit-ws.conf
-%{_sysusersdir}/cockpit-wsinstance.conf
 %{pamdir}/pam_ssh_add.so
 %{pamdir}/pam_cockpit_cert.so
 %{_libexecdir}/cockpit-ws
@@ -409,11 +408,6 @@ authentication via sssd/FreeIPA.
 %ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name}
 %pre ws
-# HACK: old RPM and even Fedora's current RPM don't properly support sysusers
-# https://github.com/rpm-software-management/rpm/issues/3073
-getent group cockpit-wsinstance >/dev/null || groupadd -r cockpit-wsinstance
-getent passwd cockpit-wsinstance >/dev/null || useradd -r -g cockpit-wsinstance -d /nonexisting -s /sbin/nologin -c "User for cockpit-ws instances" cockpit-wsinstance
-
 if %{_sbindir}/selinuxenabled 2>/dev/null; then
 %selinux_relabel_pre -s %{selinuxtype}
 fi
@@ -448,6 +442,11 @@ if test -f %{_sysconfdir}/pam.d/cockpit && grep -q pam_cockpit_cert %{_sysconfd
 echo '**** WARNING:'
 fi
+# remove obsolete system user on upgrade (replaced with DynamicUser in version 330)
+if getent passwd cockpit-wsinstance >/dev/null; then
+ userdel cockpit-wsinstance
+fi
+
 %preun ws
 %systemd_preun cockpit.socket cockpit.service
diff --git a/tools/debian/cockpit-ws.install b/tools/debian/cockpit-ws.install
index 8fab44a15f95..5c9c16d76e80 100644
--- a/tools/debian/cockpit-ws.install
+++ b/tools/debian/cockpit-ws.install
@@ -18,7 +18,6 @@ ${env:deb_systemdsystemunitdir}/system-cockpithttps.slice
 ${env:deb_pamlibdir}/security/pam_ssh_add.so
 ${env:deb_pamlibdir}/security/pam_cockpit_cert.so
 usr/lib/tmpfiles.d/cockpit-ws.conf
-usr/lib/sysusers.d/cockpit-wsinstance.conf
 usr/lib/cockpit/cockpit-session
 usr/lib/cockpit/cockpit-ws
 usr/lib/cockpit/cockpit-wsinstance-factory
diff --git a/tools/debian/cockpit-ws.postinst b/tools/debian/cockpit-ws.postinst
index 2d22c17eaf7e..940c8aaec3c1 100644
--- a/tools/debian/cockpit-ws.postinst
+++ b/tools/debian/cockpit-ws.postinst
@@ -10,6 +10,12 @@ if [ "$1" = "configure" ] && dpkg-statoverride --list /usr/lib/cockpit/cockpit-s
 chgrp root /usr/lib/cockpit/cockpit-session
 fi
+# remove obsolete system user on upgrade (replaced with DynamicUser in version 330)
+if [ "$1" = "configure" ] && getent passwd cockpit-wsinstance >/dev/null; then
+ echo "Cleaning up obsolete static cockpit-wsinstance user"
+ deluser --system cockpit-wsinstance
+fi
+
 # restart cockpit.service on package upgrades, if it's already running
 if [ -d /run/systemd/system ] && [ -n "$2" ]; then
 deb-systemd-invoke try-restart cockpit.service >/dev/null || true
diff --git a/tools/debian/rules b/tools/debian/rules
index 229845cf2d27..b7540ac5e294 100755
--- a/tools/debian/rules
+++ b/tools/debian/rules
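Review bot: `userdel cockpit-wsinstance` in the spec scriptlet and `deluser --system cockpit-wsinstance` in the postinst run at a point where ws instances of the previous package version may still be running as that user (in the postinst the new block sits above the `deb-systemd-invoke try-restart cockpit.service` step visible in the same hunk), and userdel typically refuses to remove an account that still owns processes, so the cleanup can fail on precisely the upgrade it targets. In the postinst that failure is fatal because the script runs under `set -e` (shown in patch 1's hunk header for this file), which would leave cockpit-ws half-configured; in the spec, whose enclosing section is outside the hunk, it would surface as a scriptlet error. Either move the cleanup after the restart or make it explicitly best-effort: `deluser --system cockpit-wsinstance || echo "warning: could not remove obsolete cockpit-wsinstance user (still in use?)" >&2` in the postinst and `userdel cockpit-wsinstance || :` in the spec. The comment "on upgrade" is also slightly off, since both blocks run on fresh installs too and are only no-ops there because `getent` finds nothing; worth saying so in the comment.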
@@ -87,7 +87,3 @@ else
 NO_QUNIT=1 pytest -vv -k 'not linter and not test_descriptions' -opythonpath=$$(ls -d debian/cockpit-bridge/usr/lib/python3*/dist-packages)
 endif
 endif
-
-# dh compat 14 does that automatically, remove when upgrading
-execute_before_dh_installtmpfiles:
- dh_installsysusers