File 0007-Remove-DynamicUser-setting-as-these-conflict-with-re.patch of Package cockpit

From 3f0d624c5af89fc9ebe81d92351d8ac8e7583997 Mon Sep 17 00:00:00 2001
From: Alice Brooks <alice.brooks@suse.com>
Date: Mon, 28 Apr 2025 12:40:31 +0530
Subject: [PATCH] Remove DynamicUser setting as these conflict with real users

Real users are having to be created due to Leap15.6's nsswitch not
containing systemd, so dynamic users cannot be resolved inter
service due to this we must manually create the users postinstall

Co-authored-by: Luna D Dragon <luna.dragon@suse.com>
---
 src/systemd/cockpit-wsinstance-http.service.in   | 4 +++-
 src/systemd/cockpit-wsinstance-https@.service.in | 4 +++-
 src/systemd/cockpit.service.in                   | 4 +++-
 3 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/src/systemd/cockpit-wsinstance-http.service.in b/src/systemd/cockpit-wsinstance-http.service.in
index 539b90345..dfc9f3b1b 100644
--- a/src/systemd/cockpit-wsinstance-http.service.in
+++ b/src/systemd/cockpit-wsinstance-http.service.in
@@ -7,7 +7,9 @@ After=cockpit-session.socket
 
 [Service]
 ExecStart=@libexecdir@/cockpit-ws --no-tls --port=0
-DynamicUser=yes
+DynamicUser=no
+PrivateTmp=yes
+ProtectHome=yes
 Group=cockpit-session-socket
 
 PrivateDevices=yes
diff --git a/src/systemd/cockpit-wsinstance-https@.service.in b/src/systemd/cockpit-wsinstance-https@.service.in
index f66c9f874..3c07bb9a7 100644
--- a/src/systemd/cockpit-wsinstance-https@.service.in
+++ b/src/systemd/cockpit-wsinstance-https@.service.in
@@ -8,7 +8,9 @@ After=cockpit-session.socket
 [Service]
 Slice=system-cockpithttps.slice
 ExecStart=@libexecdir@/cockpit-ws --for-tls-proxy --port=0
-DynamicUser=yes
+DynamicUser=no
+PrivateTmp=yes
+ProtectHome=yes
 Group=cockpit-session-socket
 
 PrivateDevices=yes
diff --git a/src/systemd/cockpit.service.in b/src/systemd/cockpit.service.in
index 97adda221..4b496fd3a 100644
--- a/src/systemd/cockpit.service.in
+++ b/src/systemd/cockpit.service.in
@@ -10,7 +10,9 @@ After=cockpit-wsinstance-http.socket cockpit-wsinstance-https-factory.socket
 RuntimeDirectory=cockpit/tls
 ExecStartPre=+@libexecdir@/cockpit-certificate-ensure --for-cockpit-tls
 ExecStart=@libexecdir@/cockpit-tls
-DynamicUser=yes
+DynamicUser=no
+PrivateTmp=yes
+ProtectHome=yes
 # otherwise systemd uses 'cockpit' even if it exists as a normal user account
 User=cockpit-systemd-service
 Group=cockpit-wsinstance-socket
-- 
2.49.0

openSUSE Build Service is sponsored by