cockpit-session: stop installing setuid root

systemd spawns this for us now, so we don't need the setuid bit anymore. Clean up the statoverride in the Debian packaging on upgrades.
cockpit-project · Nov 21, 2024 · 79ac8b9 · 79ac8b9
1 parent 7ba5a46
commit 79ac8b9
Show file tree

Hide file tree

Showing 5 changed files with 6 additions and 12 deletions.
diff --git a/src/session/Makefile-session.am b/src/session/Makefile-session.am
@@ -20,8 +20,3 @@ cockpit_session_SOURCES = \
 	src/session/session-utils.h \
 	src/session/session.c \
 	$(NULL)
-
-# set up cockpit-session to be setuid root, but only runnable by cockpit-session
-install-exec-hook::
-	chown -f root:cockpit-wsinstance $(DESTDIR)$(libexecdir)/cockpit-session || true
-	chmod -f 4750 $(DESTDIR)$(libexecdir)/cockpit-session || true
diff --git a/tools/arch/PKGBUILD b/tools/arch/PKGBUILD
@@ -60,8 +60,6 @@ package_cockpit() {
   rm -rf "$pkgdir"/usr/{src,lib/firewalld}
   install -Dm644 "$srcdir"/cockpit.pam "$pkgdir"/etc/pam.d/cockpit
 
-  echo "z /usr/lib/cockpit/cockpit-session - - cockpit-wsinstance -" >> "$pkgdir"/usr/lib/tmpfiles.d/cockpit-ws.conf
-
   # remove unused plugins
   rm -rf "$pkgdir"/usr/share/cockpit/{selinux,playground,sosreport} \
          "$pkgdir"/usr/share/metainfo/org.cockpit_project.cockpit_{selinux,sosreport}.metainfo.xml

diff --git a/tools/cockpit.spec b/tools/cockpit.spec
@@ -399,7 +399,7 @@ authentication via sssd/FreeIPA.
 %{_libexecdir}/cockpit-desktop
 %{_libexecdir}/cockpit-certificate-ensure
 %{_libexecdir}/cockpit-certificate-helper
-%attr(4750, root, cockpit-wsinstance) %{_libexecdir}/cockpit-session
+%{_libexecdir}/cockpit-session
 %{_datadir}/cockpit/branding
 %{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
 %{_mandir}/man8/%{name}_session_selinux.8cockpit.*

diff --git a/tools/debian/cockpit-ws.postinst b/tools/debian/cockpit-ws.postinst
@@ -3,8 +3,11 @@ set -e
 
 #DEBHELPER#
 
-if ! dpkg-statoverride --list /usr/lib/cockpit/cockpit-session >/dev/null; then
-    dpkg-statoverride --update --add root cockpit-wsinstance 4750 /usr/lib/cockpit/cockpit-session
+# remove dpkg-statoverride on upgrade
+if dpkg-statoverride --list /usr/lib/cockpit/cockpit-session >/dev/null; then
+    dpkg-statoverride --remove /usr/lib/cockpit/cockpit-session
+    chmod 755 /usr/lib/cockpit/cockpit-session
+    chgrp root /usr/lib/cockpit/cockpit-session
 fi
 
 # restart cockpit.service on package upgrades, if it's already running

diff --git a/tools/debian/cockpit-ws.postrm b/tools/debian/cockpit-ws.postrm
@@ -8,6 +8,4 @@ if [ "$1" = purge ]; then
     [ -L /etc/motd.d/cockpit ] && rm /etc/motd.d/cockpit || true
     [ -L /etc/issue.d/cockpit.issue ] && rm /etc/issue.d/cockpit.issue || true
     rm -f /etc/cockpit/disallowed-users
-
-    dpkg-statoverride --remove /usr/lib/cockpit/cockpit-session
 fi