use DynamicUser=yes for all cockpit components

src/systemd/Makefile.am

@@ -37,6 +37,7 @@ dist_systemdunit_DATA = \
 	src/systemd/cockpit-wsinstance-http.socket \
 	src/systemd/cockpit-wsinstance-https-factory.socket \
 	src/systemd/cockpit-wsinstance-https@.socket \
+	src/systemd/cockpit-wsinstance-socket-user.service \
 	$(NULL)
 
 # -----------------

src/systemd/cockpit-wsinstance-http.service.in

@@ -7,6 +7,6 @@ After=cockpit-session.socket cockpit-session-socket-user.service
 
 [Service]
 ExecStart=@libexecdir@/cockpit-ws --no-tls --port=0
-User=cockpit-wsinstance
-Group=cockpit-wsinstance
+User=cockpit-wsinstance-socket
+Group=cockpit-wsinstance-socket
 SupplementaryGroups=cockpit-session-socket

src/systemd/cockpit-wsinstance-http.socket

@@ -3,11 +3,12 @@ Description=Socket for Cockpit Web Service http instance
 Documentation=man:cockpit-ws(8)
 BindsTo=cockpit.service
 # ensure our DynamicUser exists
-Requires=cockpit-ws-user.service
-After=cockpit-ws-user.service
+Requires=cockpit-ws-user.service cockpit-wsinstance-socket-user.service
+After=cockpit-ws-user.service cockpit-wsinstance-socket-user.service
 
 [Socket]
 ListenStream=/run/cockpit/wsinstance/http.sock
-SocketUser=cockpit-ws
-SocketMode=0600
+SocketUser=root
+SocketGroup=cockpit-wsinstance-socket
+SocketMode=0660
 RemoveOnStop=yes

src/systemd/cockpit-wsinstance-https-factory.socket

@@ -3,12 +3,13 @@ Description=Socket for Cockpit Web Service https instance factory
 Documentation=man:cockpit-ws(8)
 BindsTo=cockpit.service
 # ensure our DynamicUser exists
-Requires=cockpit-ws-user.service
-After=cockpit-ws-user.service
+Requires=cockpit-ws-user.service cockpit-wsinstance-socket-user.service
+After=cockpit-ws-user.service cockpit-wsinstance-socket-user.service
 
 [Socket]
 ListenStream=/run/cockpit/wsinstance/https-factory.sock
 Accept=yes
-SocketUser=cockpit-ws
-SocketMode=0600
+SocketUser=root
+SocketGroup=cockpit-wsinstance-socket
+SocketMode=0660
 RemoveOnStop=yes

src/systemd/cockpit-wsinstance-https@.service.in

@@ -8,6 +8,6 @@ After=cockpit-session.socket cockpit-session-socket-user.service
 [Service]
 Slice=system-cockpithttps.slice
 ExecStart=@libexecdir@/cockpit-ws --for-tls-proxy --port=0
-User=cockpit-wsinstance
-Group=cockpit-wsinstance
+User=cockpit-wsinstance-socket
+Group=cockpit-wsinstance-socket
 SupplementaryGroups=cockpit-session-socket

src/systemd/cockpit-wsinstance-https@.socket

@@ -7,11 +7,12 @@ BindsTo=cockpit.service
 # the services are resource-limited by system-cockpithttps.slice
 BindsTo=cockpit-wsinstance-https@%i.service
 # ensure our DynamicUser exists
-Requires=cockpit-ws-user.service
-After=cockpit-ws-user.service
+Requires=cockpit-ws-user.service cockpit-wsinstance-socket-user.service
+After=cockpit-ws-user.service cockpit-wsinstance-socket-user.service
 
 [Socket]
 ListenStream=/run/cockpit/wsinstance/https@%i.sock
-SocketUser=cockpit-ws
-SocketMode=0600
+SocketUser=root
+SocketGroup=cockpit-wsinstance-socket
+SocketMode=0660
 RemoveOnStop=yes

src/systemd/cockpit-wsinstance-socket-user.service

@@ -0,0 +1,11 @@
+[Unit]
+Description=Dynamic user for /run/cockpit/wsinstance/ sockets
+BindsTo=cockpit.service
+
+[Service]
+DynamicUser=yes
+User=cockpit-wsinstance-socket
+Group=cockpit-wsinstance-socket
+Type=oneshot
+ExecStart=/bin/true
+RemainAfterExit=yes

src/systemd/cockpit.service.in

@@ -4,8 +4,8 @@ Documentation=man:cockpit-ws(8)
 Requires=cockpit.socket
 Requires=cockpit-wsinstance-http.socket cockpit-wsinstance-https-factory.socket
 # ensure our DynamicUser exists
-Requires=cockpit-ws-user.service
-After=cockpit-ws-user.service
+Requires=cockpit-ws-user.service cockpit-wsinstance-socket-user.service
+After=cockpit-ws-user.service cockpit-wsinstance-socket-user.service
 # we need to start after the sockets so that we can instantly forward incoming requests
 After=cockpit-wsinstance-http.socket cockpit-wsinstance-https-factory.socket
 
@@ -17,6 +17,7 @@ ExecStartPre=+@libexecdir@/cockpit-certificate-ensure --for-cockpit-tls
 ExecStart=@libexecdir@/cockpit-tls
 User=cockpit-ws
 Group=cockpit-ws
+SupplementaryGroups=cockpit-wsinstance-socket
 NoNewPrivileges=true
 ProtectSystem=strict
 ProtectHome=true

src/tls/README.md

@@ -73,8 +73,8 @@ use of systemd features.
      reads the fingerprint from stdin, and asks systemd to start a new
      [cockpit-wsinstance-https@fingerprint.socket](../src/ws/cockpit-wsinstance-https@.socket.in)
      and .service pair.
- * Each instance runs in its own systemd cgroup, as another unprivileged system
-   user `cockpit-wsinstance`.
+ * Each instance runs in its own systemd cgroup, as another unprivileged
+   dynamic system user `cockpit-wsinstance-socket`.
  * cockpit-tls exports the client certificates to `/run/cockpit/tls/<fingerprint>`
    while there is at least one open connection with that certificate, i. e. as
    long as there is an active Cockpit session.

test/verify/check-connection

@@ -332,7 +332,7 @@ class TestConnection(testlib.MachineCase):
         # number of https instances is bounded (DoS prevention)
         # with MaxTasks=200 und 2 threads per ws instance we should have a
         # rough limit of 100 instances, so at some point curl should start failing
-        m.execute("runuser -u cockpit-ws -- sh -ec 'RC=1; for i in `seq 120`; do "
+        m.execute("runuser -u cockpit-wsinstance-socket -- sh -ec 'RC=1; for i in `seq 120`; do "
                   "  echo -n $i | nc %s -U /run/cockpit/wsinstance/https-factory.sock;"
                   "  curl --silent --head --max-time 5 --unix-socket /run/cockpit/wsinstance/https@$i.sock http://dummy > /dev/null || RC=0; "
                   "done; exit $RC'" % n_opt)

tools/cockpit.spec

@@ -387,6 +387,7 @@ authentication via sssd/FreeIPA.
 %{_unitdir}/cockpit-wsinstance-https-factory@.service
 %{_unitdir}/cockpit-wsinstance-https@.socket
 %{_unitdir}/cockpit-wsinstance-https@.service
+%{_unitdir}/cockpit-wsinstance-socket-user.service
 %{_unitdir}/system-cockpithttps.slice
 %{_prefix}/%{__lib}/tmpfiles.d/cockpit-ws.conf
 %{_sysusersdir}/cockpit-wsinstance.conf

tools/debian/cockpit-ws.install

@@ -13,6 +13,7 @@ ${env:deb_systemdsystemunitdir}/cockpit-wsinstance-https-factory@.service
 ${env:deb_systemdsystemunitdir}/cockpit-wsinstance-https-factory.socket
 ${env:deb_systemdsystemunitdir}/cockpit-wsinstance-https@.service
 ${env:deb_systemdsystemunitdir}/cockpit-wsinstance-https@.socket
+${env:deb_systemdsystemunitdir}/cockpit-wsinstance-socket-user.service
 ${env:deb_systemdsystemunitdir}/system-cockpithttps.slice
 ${env:deb_pamlibdir}/security/pam_ssh_add.so
 ${env:deb_pamlibdir}/security/pam_cockpit_cert.so