File 0007-Remove-DynamicUser-setting-as-these-conflict-with-re.patch of Package cockpit
From 3f0d624c5af89fc9ebe81d92351d8ac8e7583997 Mon Sep 17 00:00:00 2001
From: Alice Brooks <alice.brooks@suse.com>
Date: Mon, 28 Apr 2025 12:40:31 +0530
Subject: [PATCH] Remove DynamicUser setting as these conflict with real users
Real users are having to be created due to Leap15.6's nsswitch not
containing systemd, so dynamic users cannot be resolved inter
service due to this we must manually create the users postinstall
Co-authored-by: Luna D Dragon <luna.dragon@suse.com>
---
src/systemd/cockpit-wsinstance-http.service.in | 4 +++-
src/systemd/cockpit-wsinstance-https@.service.in | 4 +++-
src/systemd/cockpit.service.in | 4 +++-
3 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/src/systemd/cockpit-wsinstance-http.service.in b/src/systemd/cockpit-wsinstance-http.service.in
index 539b90345..dfc9f3b1b 100644
--- a/src/systemd/cockpit-wsinstance-http.service.in
+++ b/src/systemd/cockpit-wsinstance-http.service.in
@@ -7,7 +7,9 @@ After=cockpit-session.socket
[Service]
ExecStart=@libexecdir@/cockpit-ws --no-tls --port=0
-DynamicUser=yes
+DynamicUser=no
+PrivateTmp=yes
+ProtectHome=yes
Group=cockpit-session-socket
PrivateDevices=yes
diff --git a/src/systemd/cockpit-wsinstance-https@.service.in b/src/systemd/cockpit-wsinstance-https@.service.in
index f66c9f874..3c07bb9a7 100644
--- a/src/systemd/cockpit-wsinstance-https@.service.in
+++ b/src/systemd/cockpit-wsinstance-https@.service.in
@@ -8,7 +8,9 @@ After=cockpit-session.socket
[Service]
Slice=system-cockpithttps.slice
ExecStart=@libexecdir@/cockpit-ws --for-tls-proxy --port=0
-DynamicUser=yes
+DynamicUser=no
+PrivateTmp=yes
+ProtectHome=yes
Group=cockpit-session-socket
PrivateDevices=yes
diff --git a/src/systemd/cockpit.service.in b/src/systemd/cockpit.service.in
index 97adda221..4b496fd3a 100644
--- a/src/systemd/cockpit.service.in
+++ b/src/systemd/cockpit.service.in
@@ -10,7 +10,9 @@ After=cockpit-wsinstance-http.socket cockpit-wsinstance-https-factory.socket
RuntimeDirectory=cockpit/tls
ExecStartPre=+@libexecdir@/cockpit-certificate-ensure --for-cockpit-tls
ExecStart=@libexecdir@/cockpit-tls
-DynamicUser=yes
+DynamicUser=no
+PrivateTmp=yes
+ProtectHome=yes
# otherwise systemd uses 'cockpit' even if it exists as a normal user account
User=cockpit-systemd-service
Group=cockpit-wsinstance-socket
--
2.49.0