diff --git a/.cockpit-appstream.metadata b/.cockpit-appstream.metadata index 149f1f4..437b7f3 100644 --- a/.cockpit-appstream.metadata +++ b/.cockpit-appstream.metadata @@ -1,2 +1,2 @@ -e10e1c210ad5ed4b7e7a43231791d7a14092dd66 SOURCES/cockpit-279.tar.xz -04106c5271e0f1edefefcb05fe3a585971283947 SOURCES/cockpit-machines-278.1.tar.xz +7faf98fd77271fc75fe8fb3ddc8a91a4eaea552f SOURCES/cockpit-282.1.tar.xz +be25a35fd8546bb9ad1daacc864e6a29f6da4c3d SOURCES/cockpit-machines-280.tar.xz diff --git a/.gitignore b/.gitignore index 46cb3a0..6aca24d 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ -SOURCES/cockpit-279.tar.xz -SOURCES/cockpit-machines-278.1.tar.xz +SOURCES/cockpit-282.1.tar.xz +SOURCES/cockpit-machines-280.tar.xz diff --git a/SPECS/cockpit-appstream.spec b/SPECS/cockpit-appstream.spec index 73ad7bb..dc84772 100644 --- a/SPECS/cockpit-appstream.spec +++ b/SPECS/cockpit-appstream.spec @@ -28,7 +28,7 @@ # we maintain the basic/optional split, then it can be replaced with just %{version}. %define required_base 266 -%define machines_version 278.1 +%define machines_version 280 # we generally want CentOS packages to be like RHEL; special cases need to check %{centos} explicitly %if 0%{?centos} @@ -51,7 +51,7 @@ Summary: Web Console for Linux servers License: LGPLv2+ URL: https://cockpit-project.org/ -Version: 279 +Version: 282.1 Release: 1%{?dist} Source0: https://github.com/cockpit-project/cockpit/releases/download/%{version}/cockpit-%{version}.tar.xz Source1: https://github.com/cockpit-project/cockpit-machines/releases/download/%{machines_version}/cockpit-machines-%{machines_version}.tar.xz 
@@ -77,6 +77,13 @@ Source1: https://github.com/cockpit-project/cockpit-machines/releases/dow %define build_optional 1 %endif +# Allow root login in Cockpit on RHEL 8 and lower as it also allows password login over SSH. +%if 0%{?rhel} && 0%{?rhel} <= 8 +%define disallow_root 0 +%else +%define disallow_root 1 +%endif + # Ship custom SELinux policy (but not for cockpit-appstream) %if "%{name}" == "cockpit" %define selinuxtype targeted @@ -328,8 +335,6 @@ troubleshooting, interactive command-line sessions, and more. Summary: Cockpit bridge server-side component Requires: glib-networking Provides: cockpit-ssh = %{version}-%{release} -# PR #10430 dropped workaround for ws' inability to understand x-host-key challenge -Conflicts: cockpit-ws < 181.x # 233 dropped jquery.js, pages started to bundle it (commit 049e8b8dce) Conflicts: cockpit-dashboard < 233 Conflicts: cockpit-networkmanager < 233 @@ -435,6 +440,7 @@ authentication via sssd/FreeIPA. # created in %post, so that users can rm the files %ghost %{_sysconfdir}/issue.d/cockpit.issue %ghost %{_sysconfdir}/motd.d/cockpit +%ghost %attr(0644, root, root) %{_sysconfdir}/cockpit/disallowed-users %dir %{_datadir}/cockpit/motd %{_datadir}/cockpit/motd/update-motd %{_datadir}/cockpit/motd/inactive.motd @@ -483,10 +489,16 @@ if [ -x %{_sbindir}/selinuxenabled ]; then fi # set up dynamic motd/issue symlinks on first-time install; don't bring them back on upgrades if admin removed them +# disable root login on first-time install; so existing installations aren't changed if [ "$1" = 1 ]; then mkdir -p /etc/motd.d /etc/issue.d ln -s ../../run/cockpit/motd /etc/motd.d/cockpit ln -s ../../run/cockpit/motd /etc/issue.d/cockpit.issue + printf "# List of users which are not allowed to login to Cockpit\n" > /etc/cockpit/disallowed-users +%if 0%{?disallow_root} + printf "root\n" >> /etc/cockpit/disallowed-users +%endif + chmod 644 /etc/cockpit/disallowed-users fi %tmpfiles_create cockpit-tempfiles.conf 
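Review bot: The comment added above the `disallow_root` conditional in the `@@ -77,6 +77,13 @@` hunk explains why RHEL 8 and lower are exempt but not what that means for a hardened host. The `%if 0%{?rhel} && 0%{?rhel} <= 8` test is evaluated when the package is built, so a fresh install on a RHEL 8 system where sshd already has `PermitRootLogin no` still leaves root allowed in Cockpit. I would add a second comment line such as `# Decided at build time from the distro version, not from the host's sshd config; admins who disable root SSH login should add root to /etc/cockpit/disallowed-users.` The path is the one the %post hunk of this patch writes.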
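Review bot: In the `@@ -483,10 +489,16 @@` hunk the first-install branch creates the deny list with `printf … > /etc/cockpit/disallowed-users`, which truncates a file that already exists. A list provisioned before the package was installed (for example by configuration management) would be replaced by the default, and on builds where `disallow_root` is 0 that drops a pre-seeded `root` entry. Wrapping the added printf/chmod lines in `if [ ! -e /etc/cockpit/disallowed-users ]; then … fi` keeps an existing list. The writes are also unchecked, so if `/etc/cockpit` does not exist at this point (its ownership is not visible in the hunk) the scriptlet would presumably finish with root still permitted and no error reported. The `%post` body starts outside the hunk.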
@@ -619,8 +631,8 @@ The Cockpit component for managing storage. This package uses udisks. %package -n cockpit-tests Summary: Tests for Cockpit -Requires: cockpit-bridge >= 138 -Requires: cockpit-system >= 138 +Requires: cockpit-bridge >= %{required_base} +Requires: cockpit-system >= %{required_base} Requires: openssh-clients Provides: cockpit-test-assets = %{version}-%{release}