tools: Use DynamicUser for cockpit.service

Since commit 644116a, the webserver certificates don't have to
be owned by the cockpit-ws user/group any more. This allows us to use
`DynamicUser` for cockpit.service, which eliminates the persistent
`cockpit-ws` system user.

The ordering matters a lot here to avoid race conditions: The wsinstance
socket units need to start before cockpit.service (so the the first
incoming request through cockpit.socket can get forwarded to an
instance), but after the dynamic user got created. So we can't have
cockpit.service create that dynamic user by itself. Instead, create a
separate `cockpit-ws-user.service` helper unit that orders itself in
between. Thanks to Allison Karlitskaya for the idea!

Note that we can't yet eliminate `cockpit-wsinstance` as that's the
owner of our `cockpit-session` suid root binary.

src/systemd/Makefile.am

@@ -13,6 +13,7 @@ nodist_systemdunit_DATA = \
 
 dist_systemdunit_DATA = \
 	src/systemd/cockpit-session.socket \
+	src/systemd/cockpit-ws-user.service \
 	src/systemd/system-cockpithttps.slice \
 	src/systemd/cockpit-wsinstance-http.socket \
 	src/systemd/cockpit-wsinstance-https-factory.socket \

src/systemd/cockpit-ws-user.service

@@ -0,0 +1,12 @@
+[Unit]
+Description=Dynamic user for cockpit-ws
+Documentation=man:cockpit-ws(8)
+BindsTo=cockpit.service
+
+[Service]
+DynamicUser=yes
+User=cockpit-ws
+Group=cockpit-ws
+Type=oneshot
+ExecStart=/bin/true
+RemainAfterExit=yes

src/systemd/cockpit-wsinstance-http.socket

@@ -2,6 +2,9 @@
 Description=Socket for Cockpit Web Service http instance
 Documentation=man:cockpit-ws(8)
 BindsTo=cockpit.service
+# ensure our DynamicUser exists
+Requires=cockpit-ws-user.service
+After=cockpit-ws-user.service
 
 [Socket]
 ListenStream=/run/cockpit/wsinstance/http.sock

src/systemd/cockpit-wsinstance-https-factory.socket

@@ -2,6 +2,9 @@
 Description=Socket for Cockpit Web Service https instance factory
 Documentation=man:cockpit-ws(8)
 BindsTo=cockpit.service
+# ensure our DynamicUser exists
+Requires=cockpit-ws-user.service
+After=cockpit-ws-user.service
 
 [Socket]
 ListenStream=/run/cockpit/wsinstance/https-factory.sock

src/systemd/cockpit-wsinstance-https@.socket

@@ -6,6 +6,9 @@ BindsTo=cockpit.service
 # this also effectively prevents a DoS by starting arbitrarily many sockets, as
 # the services are resource-limited by system-cockpithttps.slice
 BindsTo=cockpit-wsinstance-https@%i.service
+# ensure our DynamicUser exists
+Requires=cockpit-ws-user.service
+After=cockpit-ws-user.service
 
 [Socket]
 ListenStream=/run/cockpit/wsinstance/https@%i.sock

src/systemd/cockpit.service.in

@@ -3,6 +3,10 @@ Description=Cockpit Web Service
 Documentation=man:cockpit-ws(8)
 Requires=cockpit.socket
 Requires=cockpit-wsinstance-http.socket cockpit-wsinstance-https-factory.socket
+# ensure our DynamicUser exists
+Requires=cockpit-ws-user.service
+After=cockpit-ws-user.service
+# we need to start after the sockets so that we can instantly forward incoming requests
 After=cockpit-wsinstance-http.socket cockpit-wsinstance-https-factory.socket
 
 [Service]

tools/arch/PKGBUILD

@@ -16,11 +16,9 @@ makedepends=(krb5 libssh accountsservice json-glib glib-networking
              python-build python-installer python-wheel)
 source=("cockpit-${pkgver}.tar.xz"
         "cockpit.pam"
-        "cockpit-ws.sysuser.conf"
         "cockpit-wsinstance.sysuser.conf")
 sha256sums=('SKIP'
             '079bb6751214e642673f9e1212df2a17fed1a3cc6cfdd6375af2b68ed6ddd340'
-            '1ad9dad75858264778bd94799b60c651f7cc1c7f7fa1c54622174303e639287a'
             '46ee8ecad7bc97ba588ab9471dde76e41c00daf40658902425626c3a1938b438')
 
 prepare() {
@@ -61,7 +59,6 @@ package_cockpit() {
   make DESTDIR="$pkgdir" install
   rm -rf "$pkgdir"/usr/{src,lib/firewalld}
   install -Dm644 "$srcdir"/cockpit.pam "$pkgdir"/etc/pam.d/cockpit
-  install -Dm644 "$srcdir"/cockpit-ws.sysuser.conf "$pkgdir"/usr/lib/sysusers.d/cockpit-ws.conf
   install -Dm644 "$srcdir"/cockpit-wsinstance.sysuser.conf "$pkgdir"/usr/lib/sysusers.d/cockpit-wsinstance.conf
 
   echo "z /usr/lib/cockpit/cockpit-session - - cockpit-wsinstance -" >> "$pkgdir"/usr/lib/tmpfiles.d/cockpit-ws.conf

tools/cockpit.spec

@@ -393,6 +393,7 @@ authentication via sssd/FreeIPA.
 %{_unitdir}/cockpit.service
 %{_unitdir}/cockpit-motd.service
 %{_unitdir}/cockpit.socket
+%{_unitdir}/cockpit-ws-user.service
 %{_unitdir}/cockpit-wsinstance-http.socket
 %{_unitdir}/cockpit-wsinstance-http.service
 %{_unitdir}/cockpit-wsinstance-https-factory.socket
@@ -419,8 +420,6 @@ authentication via sssd/FreeIPA.
 %ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name}
 
 %pre ws
-getent group cockpit-ws >/dev/null || groupadd -r cockpit-ws
-getent passwd cockpit-ws >/dev/null || useradd -r -g cockpit-ws -d /nonexisting -s /sbin/nologin -c "User for cockpit web service" cockpit-ws
 getent group cockpit-wsinstance >/dev/null || groupadd -r cockpit-wsinstance
 getent passwd cockpit-wsinstance >/dev/null || useradd -r -g cockpit-wsinstance -d /nonexisting -s /sbin/nologin -c "User for cockpit-ws instances" cockpit-wsinstance
 

tools/debian/cockpit-ws.install

@@ -4,6 +4,7 @@ tools/apparmor.d/cockpit-desktop etc/apparmor.d/
 ${env:deb_systemdsystemunitdir}/cockpit.service
 ${env:deb_systemdsystemunitdir}/cockpit-motd.service
 ${env:deb_systemdsystemunitdir}/cockpit.socket
+${env:deb_systemdsystemunitdir}/cockpit-ws-user.service
 ${env:deb_systemdsystemunitdir}/cockpit-wsinstance-http.service
 ${env:deb_systemdsystemunitdir}/cockpit-wsinstance-http.socket
 ${env:deb_systemdsystemunitdir}/[email protected]

tools/debian/cockpit-ws.postinst

@@ -1,7 +1,6 @@
 #!/bin/sh
 set -e
 
-adduser --system --group --home /nonexistent --no-create-home --quiet cockpit-ws
 adduser --system --group --home /nonexistent --no-create-home --quiet cockpit-wsinstance
 
 # change group of cockpit-session on upgrades (changed in version 203)