cockpit: add supplementary group memberships so PAM auth completes

Kabuki94 · claude · Kabuki94 · commit 1a73021b9d5b · 2026-05-10T23:38:51.000-04:00
After mios.git@569b567 added the static cockpit-* users and fixed the
socket SocketUser/SocketGroup overrides, HTTP 200 came back on the
cockpit login page but POST /cockpit/login still returned 401
"Authentication not available". cockpit-tls journal kept saying:

    /run/cockpit/session: couldn't connect: Permission denied

Root cause: the dynamic-user IDs that cockpit's instance units expect
(cockpit-wsinstance-https / cockpit-wsinstance-http /
cockpit-wsinstance-socket / cockpit-ws / cockpit-systemd-service)
were created with NO supplementary group memberships. cockpit-ws
running under cockpit-wsinstance-https tried to connect to
/run/cockpit/session (group cockpit-session-socket, mode 0660) and
got refused because cockpit-wsinstance-https's primary group is its
own 953, not 974/cockpit-session-socket.

Added cross-memberships via `m` directives so every cockpit helper
user has supplementary access to both socket groups:

    m cockpit-ws                cockpit-wsinstance-socket
    m cockpit-systemd-service   cockpit-wsinstance-socket
    m cockpit-systemd-service   cockpit-session-socket
    m cockpit-ws                cockpit-session-socket
    m cockpit-wsinstance-https  cockpit-session-socket
    m cockpit-wsinstance-https  cockpit-wsinstance-socket
    m cockpit-wsinstance-http   cockpit-session-socket
    m cockpit-wsinstance-http   cockpit-wsinstance-socket
    m cockpit-wsinstance-socket cockpit-session-socket

Verified live (operator's installed VM):
    PowerShell from Windows host:
        Invoke-WebRequest -Headers @{'X-Authorize'='password'} \
            -Credential mios:mios https://localhost:9090/cockpit/login
        -&gt; HTTP 200 + Set-Cookie: cockpit=&lt;session-token&gt;...
    journal:
        pam_unix(cockpit:session): session opened for user mios(uid=992)

systemd-sysusers does not retro-apply `m` directives reliably on a
populated /etc/group, so the install path also runs explicit
`usermod -aG` lines (mios-bootstrap-side fix in a sibling commit) to
materialize the memberships on first overlay run.

Co-Authored-By: Claude Opus 4.7 &lt;noreply@anthropic.com&gt;
diff --git a/usr/lib/sysusers.d/50-mios-cockpit.conf b/usr/lib/sysusers.d/50-mios-cockpit.conf
@@ -63,10 +63,33 @@ u cockpit-wsinstance-https 973:cockpit-wsinstance-https "'MiOS' Cockpit wsinstan
 g cockpit-ws 972
 u cockpit-ws 972:cockpit-ws "'MiOS' Cockpit web service primary user" /var/empty /sbin/nologin
 
-# Group memberships -- cockpit-tls (which runs as cockpit-ws) needs to
-# connect to /run/cockpit/wsinstance/https-factory.sock, which is owned
-# by group cockpit-wsinstance-socket. Without this membership cockpit-tls
-# fails every HTTPS request with:
-#     cockpit-tls: connect(https-factory.sock) failed: Permission denied
-# and the browser sees "connection reset by peer" after the TLS handshake.
+# Group memberships -- cockpit's binaries are run by systemd as
+# `cockpit-systemd-service` (set by cockpit.service's User=) and as
+# `cockpit-ws` (set by some helper units). Both need access to the
+# Unix sockets cockpit-ws creates at runtime under /run/cockpit/:
+#
+#   /run/cockpit/session                            group cockpit-session-socket
+#   /run/cockpit/wsinstance/http.sock               group cockpit-wsinstance-socket
+#   /run/cockpit/wsinstance/https-factory.sock      group cockpit-wsinstance-socket
+#
+# Without these supplementary group memberships, cockpit-tls fails with
+#   cockpit-tls: connect(...): Permission denied
+# the browser receives HTTP 401 "Authentication not available", and
+# the login form shows "Authentication failed" even when the operator
+# entered the correct credentials. Operator-flagged 2026-05-10.
 m cockpit-ws cockpit-wsinstance-socket
+m cockpit-systemd-service cockpit-wsinstance-socket
+m cockpit-systemd-service cockpit-session-socket
+m cockpit-ws              cockpit-session-socket
+# cockpit-wsinstance-https.service spawns /usr/libexec/cockpit-ws with
+# DynamicUser=yes + User=cockpit-wsinstance-https + Group=cockpit-session-socket.
+# When DynamicUser is in effect systemd uses the unit's Group= for the
+# transient primary GID; when our overlay drop-ins disable it, the static
+# user's own primary group sticks (cockpit-wsinstance-https=953) and the
+# cockpit-session.sock connect fails. Explicit membership keeps both
+# paths working. Same applies to the http instance.
+m cockpit-wsinstance-https cockpit-session-socket
+m cockpit-wsinstance-https cockpit-wsinstance-socket
+m cockpit-wsinstance-http  cockpit-session-socket
+m cockpit-wsinstance-http  cockpit-wsinstance-socket
+m cockpit-wsinstance-socket cockpit-session-socket
