cockpit-session: stop installing setuid root

systemd spawns this for us now, so we don't need the setuid bit anymore.
cockpit-project · Jan 11, 2022 · 7ebf9e6 · 7ebf9e6
1 parent 4768a60
commit 7ebf9e6
Show file tree

Hide file tree

Showing 3 changed files with 1 addition and 17 deletions.
diff --git a/src/session/Makefile-session.am b/src/session/Makefile-session.am
@@ -13,9 +13,3 @@ cockpit_session_LDADD = \
 	libcockpit-common-nodeps.a \
 	$(COCKPIT_SESSION_LIBS) \
 	$(NULL)
-
-# If running cockpit-ws as a non-standard user, we also set up
-# cockpit-session to be setuid root, but only runnable by cockpit-session
-install-exec-hook::
-	chown -f root:$(COCKPIT_WSINSTANCE_GROUP) $(DESTDIR)$(libexecdir)/cockpit-session || true
-	test "$(COCKPIT_USER)" != "root" && chmod -f 4750 $(DESTDIR)$(libexecdir)/cockpit-session || true
diff --git a/tools/cockpit.spec b/tools/cockpit.spec
@@ -503,7 +503,7 @@ authentication via sssd/FreeIPA.
 %{_libexecdir}/cockpit-desktop
 %{_libexecdir}/cockpit-certificate-ensure
 %{_libexecdir}/cockpit-certificate-helper
-%attr(4750, root, cockpit-wsinstance) %{_libexecdir}/cockpit-session
+%{_libexecdir}/cockpit-session
 %{_datadir}/cockpit/branding
 
 %if 0%{?with_selinux}

diff --git a/tools/debian/cockpit-ws.postinst b/tools/debian/cockpit-ws.postinst
@@ -4,16 +4,6 @@ set -e
 adduser --system --group --home /nonexistent --no-create-home --quiet cockpit-ws
 adduser --system --group --home /nonexistent --no-create-home --quiet cockpit-wsinstance
 
-# change group of cockpit-session on upgrades (changed in version 203)
-if OUT=$(dpkg-statoverride --list /usr/lib/cockpit/cockpit-session) && [ "$OUT#root cockpit-ws 4750}" != "$OUT" ]; then
-    echo "Adjusting /usr/lib/cockpit/cockpit-session permissions..."
-    dpkg-statoverride --remove /usr/lib/cockpit/cockpit-session
-fi
-
-if ! dpkg-statoverride --list /usr/lib/cockpit/cockpit-session >/dev/null; then
-    dpkg-statoverride --update --add root cockpit-wsinstance 4750 /usr/lib/cockpit/cockpit-session
-fi
-
 #DEBHELPER#
 
 # restart cockpit.service on package upgrades, if it's already running