systemd: dynamic group for wsinstance sockets

Similar to the last commit, we create a dynamic group for the sockets in /run/cockpit/wsinstance and add a supplementary group to cockpit-tls.
cockpit-project · Nov 21, 2024 · 953b9a5 · 953b9a5
1 parent 90e3c7f
commit 953b9a5
Show file tree

Hide file tree

Showing 12 changed files with 39 additions and 21 deletions.
diff --git a/src/systemd/Makefile.am b/src/systemd/Makefile.am
@@ -37,6 +37,7 @@ dist_systemdunit_DATA = \
 	src/systemd/cockpit-wsinstance-http.socket \
 	src/systemd/cockpit-wsinstance-https-factory.socket \
 	src/systemd/[email protected] \
+	src/systemd/cockpit-wsinstance-socket-user.service \
 	$(NULL)
 
 # -----------------

diff --git a/src/systemd/cockpit-wsinstance-http.service.in b/src/systemd/cockpit-wsinstance-http.service.in
@@ -7,6 +7,6 @@ After=cockpit-session.socket cockpit-session-socket-user.service
 
 [Service]
 ExecStart=@libexecdir@/cockpit-ws --no-tls --port=0
-User=cockpit-wsinstance
-Group=cockpit-wsinstance
+User=cockpit-wsinstance-socket
+Group=cockpit-wsinstance-socket
 SupplementaryGroups=cockpit-session-socket
diff --git a/src/systemd/cockpit-wsinstance-http.socket b/src/systemd/cockpit-wsinstance-http.socket
@@ -3,11 +3,12 @@ Description=Socket for Cockpit Web Service http instance
 Documentation=man:cockpit-ws(8)
 BindsTo=cockpit.service
 # ensure our DynamicUser exists
-Requires=cockpit-ws-user.service
-After=cockpit-ws-user.service
+Requires=cockpit-ws-user.service cockpit-wsinstance-socket-user.service
+After=cockpit-ws-user.service cockpit-wsinstance-socket-user.service
 
 [Socket]
 ListenStream=/run/cockpit/wsinstance/http.sock
-SocketUser=cockpit-ws
-SocketMode=0600
+SocketUser=root
+SocketGroup=cockpit-wsinstance-socket
+SocketMode=0660
 RemoveOnStop=yes
diff --git a/src/systemd/cockpit-wsinstance-https-factory.socket b/src/systemd/cockpit-wsinstance-https-factory.socket
@@ -3,12 +3,13 @@ Description=Socket for Cockpit Web Service https instance factory
 Documentation=man:cockpit-ws(8)
 BindsTo=cockpit.service
 # ensure our DynamicUser exists
-Requires=cockpit-ws-user.service
-After=cockpit-ws-user.service
+Requires=cockpit-ws-user.service cockpit-wsinstance-socket-user.service
+After=cockpit-ws-user.service cockpit-wsinstance-socket-user.service
 
 [Socket]
 ListenStream=/run/cockpit/wsinstance/https-factory.sock
 Accept=yes
-SocketUser=cockpit-ws
-SocketMode=0600
+SocketUser=root
+SocketGroup=cockpit-wsinstance-socket
+SocketMode=0660
 RemoveOnStop=yes
diff --git a/src/systemd/[email protected] b/src/systemd/[email protected]
@@ -8,6 +8,6 @@ After=cockpit-session.socket cockpit-session-socket-user.service
 [Service]
 Slice=system-cockpithttps.slice
 ExecStart=@libexecdir@/cockpit-ws --for-tls-proxy --port=0
-User=cockpit-wsinstance
-Group=cockpit-wsinstance
+User=cockpit-wsinstance-socket
+Group=cockpit-wsinstance-socket
 SupplementaryGroups=cockpit-session-socket
diff --git a/src/systemd/[email protected] b/src/systemd/[email protected]
@@ -7,11 +7,12 @@ BindsTo=cockpit.service
 # the services are resource-limited by system-cockpithttps.slice
 BindsTo=cockpit-wsinstance-https@%i.service
 # ensure our DynamicUser exists
-Requires=cockpit-ws-user.service
-After=cockpit-ws-user.service
+Requires=cockpit-ws-user.service cockpit-wsinstance-socket-user.service
+After=cockpit-ws-user.service cockpit-wsinstance-socket-user.service
 
 [Socket]
 ListenStream=/run/cockpit/wsinstance/https@%i.sock
-SocketUser=cockpit-ws
-SocketMode=0600
+SocketUser=root
+SocketGroup=cockpit-wsinstance-socket
+SocketMode=0660
 RemoveOnStop=yes
diff --git a/src/systemd/cockpit-wsinstance-socket-user.service b/src/systemd/cockpit-wsinstance-socket-user.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=Dynamic user for /run/cockpit/wsinstance/ sockets
+BindsTo=cockpit.service
+
+[Service]
+DynamicUser=yes
+User=cockpit-wsinstance-socket
+Group=cockpit-wsinstance-socket
+Type=oneshot
+ExecStart=/bin/true
+RemainAfterExit=yes
diff --git a/src/systemd/cockpit.service.in b/src/systemd/cockpit.service.in
@@ -4,8 +4,8 @@ Documentation=man:cockpit-ws(8)
 Requires=cockpit.socket
 Requires=cockpit-wsinstance-http.socket cockpit-wsinstance-https-factory.socket
 # ensure our DynamicUser exists
-Requires=cockpit-ws-user.service
-After=cockpit-ws-user.service
+Requires=cockpit-ws-user.service cockpit-wsinstance-socket-user.service
+After=cockpit-ws-user.service cockpit-wsinstance-socket-user.service
 # we need to start after the sockets so that we can instantly forward incoming requests
 After=cockpit-wsinstance-http.socket cockpit-wsinstance-https-factory.socket
 
@@ -17,6 +17,7 @@ ExecStartPre=+@libexecdir@/cockpit-certificate-ensure --for-cockpit-tls
 ExecStart=@libexecdir@/cockpit-tls
 User=cockpit-ws
 Group=cockpit-ws
+SupplementaryGroups=cockpit-wsinstance-socket
 NoNewPrivileges=true
 ProtectSystem=strict
 ProtectHome=true

diff --git a/src/tls/README.md b/src/tls/README.md
@@ -73,8 +73,8 @@ use of systemd features.
      reads the fingerprint from stdin, and asks systemd to start a new
      [[email protected]](../src/ws/[email protected])
      and .service pair.
- * Each instance runs in its own systemd cgroup, as another unprivileged system
-   user `cockpit-wsinstance`.
+ * Each instance runs in its own systemd cgroup, as another unprivileged
+   dynamic system user `cockpit-wsinstance-socket`.
  * cockpit-tls exports the client certificates to `/run/cockpit/tls/<fingerprint>`
    while there is at least one open connection with that certificate, i. e. as
    long as there is an active Cockpit session.

diff --git a/test/verify/check-connection b/test/verify/check-connection
@@ -332,7 +332,7 @@ class TestConnection(testlib.MachineCase):
         # number of https instances is bounded (DoS prevention)
         # with MaxTasks=200 und 2 threads per ws instance we should have a
         # rough limit of 100 instances, so at some point curl should start failing
-        m.execute("runuser -u cockpit-ws -- sh -ec 'RC=1; for i in `seq 120`; do "
+        m.execute("runuser -u cockpit-wsinstance-socket -- sh -ec 'RC=1; for i in `seq 120`; do "
                   "  echo -n $i | nc %s -U /run/cockpit/wsinstance/https-factory.sock;"
                   "  curl --silent --head --max-time 5 --unix-socket /run/cockpit/wsinstance/https@$i.sock http://dummy > /dev/null || RC=0; "
                   "done; exit $RC'" % n_opt)

diff --git a/tools/cockpit.spec b/tools/cockpit.spec
@@ -387,6 +387,7 @@ authentication via sssd/FreeIPA.
 %{_unitdir}/[email protected]
 %{_unitdir}/[email protected]
 %{_unitdir}/[email protected]
+%{_unitdir}/cockpit-wsinstance-socket-user.service
 %{_unitdir}/system-cockpithttps.slice
 %{_prefix}/%{__lib}/tmpfiles.d/cockpit-ws.conf
 %{_sysusersdir}/cockpit-wsinstance.conf

diff --git a/tools/debian/cockpit-ws.install b/tools/debian/cockpit-ws.install
@@ -13,6 +13,7 @@ ${env:deb_systemdsystemunitdir}/[email protected]
 ${env:deb_systemdsystemunitdir}/cockpit-wsinstance-https-factory.socket
 ${env:deb_systemdsystemunitdir}/[email protected]
 ${env:deb_systemdsystemunitdir}/[email protected]
+${env:deb_systemdsystemunitdir}/cockpit-wsinstance-socket-user.service
 ${env:deb_systemdsystemunitdir}/system-cockpithttps.slice
 ${env:deb_pamlibdir}/security/pam_ssh_add.so
 ${env:deb_pamlibdir}/security/pam_cockpit_cert.so