Use systemd-sysusers to create users & groups

Add a sysusers config file and use it in the RPM spec to create users. Replace the current Arch Linux specific config files. Note that the cockpit-sysusers.conf file is needed for the RPM specfile as a source as the macro can not be expanded using the content from the source archive as it is not extracted during the stage where RPM macro expansion happens. We thus need to keep a copy in the dist-git repo. See: https://docs.fedoraproject.org/en-US/packaging-guidelines/UsersAndGroups/#_dynamic_allocation
travier · May 2, 2024 · c585677 · c585677
1 parent 77fe203
commit c585677
Show file tree

Hide file tree

Showing 9 changed files with 18 additions and 9 deletions.
diff --git a/packit.yaml b/packit.yaml
@@ -4,7 +4,7 @@ actions:
   post-upstream-clone:
     # build patched spec
     - tools/node-modules make_package_lock_json
-    - cp tools/cockpit.spec .
+    - cp tools/cockpit.spec tools/cockpit-sysusers.conf .
     # packit will compute and set the version by itself
     - tools/fix-spec ./cockpit.spec 0
 

diff --git a/src/systemd/Makefile.am b/src/systemd/Makefile.am
@@ -33,6 +33,9 @@ install-exec-hook::
 tmpfilesconfdir = $(prefix)/lib/tmpfiles.d
 nodist_tmpfilesconf_DATA = src/systemd/tmpfiles.d/cockpit-ws.conf
 
+sysusersconfdir = $(prefix)/lib/sysusers.d
+nodist_sysusersconf_DATA = src/systemd/sysusers.d/cockpit-ws.conf
+
 # we can't generate these with config.status because,
 # eg. it does "@libexecdir@" -> "${exec_prefix}/libexec"
 src/systemd/%: src/systemd/%.in
@@ -46,6 +49,7 @@ src/systemd/%: src/systemd/%.in
 systemdgenerated = \
 	$(nodist_systemdunit_DATA) \
 	$(nodist_tmpfilesconf_DATA) \
+	$(nodist_sysusersconfdir_DATA) \
 	$(NULL)
 systemdgenerated_in = $(patsubst %,%.in,$(systemdgenerated))
 

diff --git a/src/systemd/sysusers.d/cockpit-ws.conf b/src/systemd/sysusers.d/cockpit-ws.conf
@@ -0,0 +1,3 @@
+# Keep this copy in sync with tools/cockpit-sysusers.conf
+u cockpit-ws - "User for cockpit web service" -
+u cockpit-wsinstance - "User for cockpit-ws instances" -
diff --git a/tools/arch/PKGBUILD b/tools/arch/PKGBUILD
@@ -61,8 +61,6 @@ package_cockpit() {
   make DESTDIR="$pkgdir" install
   rm -rf "$pkgdir"/usr/{src,lib/firewalld}
   install -Dm644 "$srcdir"/cockpit.pam "$pkgdir"/etc/pam.d/cockpit
-  install -Dm644 "$srcdir"/cockpit-ws.sysuser.conf "$pkgdir"/usr/lib/sysusers.d/cockpit-ws.conf
-  install -Dm644 "$srcdir"/cockpit-wsinstance.sysuser.conf "$pkgdir"/usr/lib/sysusers.d/cockpit-wsinstance.conf
 
   echo "z /usr/lib/cockpit/cockpit-session - - cockpit-wsinstance -" >> "$pkgdir"/usr/lib/tmpfiles.d/cockpit-ws.conf
 

diff --git a/tools/arch/cockpit-ws.sysuser.conf b/tools/arch/cockpit-ws.sysuser.conf
diff --git a/tools/arch/cockpit-wsinstance.sysuser.conf b/tools/arch/cockpit-wsinstance.sysuser.conf
diff --git a/tools/cockpit-sysusers.conf b/tools/cockpit-sysusers.conf
@@ -0,0 +1,3 @@
+# Keep this copy in sync with src/systemd/cockpit-sysusers.conf
+u cockpit-ws - "User for cockpit web service" -
+u cockpit-wsinstance - "User for cockpit-ws instances" -
diff --git a/tools/cockpit.spec b/tools/cockpit.spec
@@ -52,6 +52,7 @@ URL:            https://cockpit-project.org/
 Version:        0
 Release:        1%{?dist}
 Source0:        https://github.com/cockpit-project/cockpit/releases/download/%{version}/cockpit-%{version}.tar.xz
+Source1:        cockpit-sysusers.conf
 
 # pcp stopped building on ix86
 %define build_pcp 1
@@ -114,6 +115,9 @@ BuildRequires: xmlto
 BuildRequires:  selinux-policy
 BuildRequires:  selinux-policy-devel
 
+BuildRequires:  systemd-rpm-macros
+%{?sysusers_requires_compat}
+
 # This is the "cockpit" metapackage. It should only
 # Require, Suggest or Recommend other cockpit-xxx subpackages
 
@@ -401,6 +405,7 @@ authentication via sssd/FreeIPA.
 %{_unitdir}/cockpit-wsinstance-https@.service
 %{_unitdir}/system-cockpithttps.slice
 %{_prefix}/%{__lib}/tmpfiles.d/cockpit-ws.conf
+%{_sysusersdir}/cockpit-ws.conf
 %{pamdir}/pam_ssh_add.so
 %{pamdir}/pam_cockpit_cert.so
 %{_libexecdir}/cockpit-ws
@@ -419,10 +424,7 @@ authentication via sssd/FreeIPA.
 %ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name}
 
 %pre ws
-getent group cockpit-ws >/dev/null || groupadd -r cockpit-ws
-getent passwd cockpit-ws >/dev/null || useradd -r -g cockpit-ws -d /nonexisting -s /sbin/nologin -c "User for cockpit web service" cockpit-ws
-getent group cockpit-wsinstance >/dev/null || groupadd -r cockpit-wsinstance
-getent passwd cockpit-wsinstance >/dev/null || useradd -r -g cockpit-wsinstance -d /nonexisting -s /sbin/nologin -c "User for cockpit-ws instances" cockpit-wsinstance
+%sysusers_create_compat %{SOURCE1}
 
 if %{_sbindir}/selinuxenabled 2>/dev/null; then
     %selinux_relabel_pre -s %{selinuxtype}

diff --git a/tools/debian/cockpit-ws.install b/tools/debian/cockpit-ws.install
@@ -14,6 +14,7 @@ ${env:deb_systemdsystemunitdir}/system-cockpithttps.slice
 ${env:deb_pamlibdir}/security/pam_ssh_add.so
 ${env:deb_pamlibdir}/security/pam_cockpit_cert.so
 usr/lib/tmpfiles.d/cockpit-ws.conf
+usr/lib/sysusers.d/cockpit-ws.conf
 usr/lib/cockpit/cockpit-session
 usr/lib/cockpit/cockpit-ws
 usr/lib/cockpit/cockpit-wsinstance-factory