Cockpit 330

Author: martinpitt

_posts/2024-12-04-cockpit-330.md

@@ -0,0 +1,43 @@
+---
+title: Cockpit 330
+author: martinpitt
+date: '2024-12-04'
+tags: cockpit
+slug: cockpit-330
+category: release
+summary: 'bootc support, sysext development mode'
+---
+
+Cockpit is the [modern Linux admin interface](https://cockpit-project.org/).
+We release regularly.
+
+Here are the release notes from Cockpit 330:
+
+
+## Web server: Increased sandboxing, `setuid` removal, `bootc` support
+
+Cockpit's web server already had low privilege levels, but previously used a [setuid](https://en.wikipedia.org/wiki/Setuid) helper program `cockpit-session` for user logins. That helper had restricted permissions and was only executable by Cockpit (through group ownership). Its sole purpose was to run at the system level and immediately drop permissions to log in to a specific user account. However, the binary was still `setuid`, and `setuid` should be avoided for security reasons.
+
+This release removes the `setuid` flag from the helper. `cockpit-session` now starts via systemd socket activation, with the Cockpit web server connecting to it using a protected UNIX socket in the `/run` directory. This approach enables tighter sandbox security by preventing the login session from being a direct descendant of the web server process. It also [fixes Cockpit on bootc images](https://github.com/cockpit-project/cockpit/issues/21201).
+
+All Cockpit components now run as dynamic users created at startup using the `DynamicUser=` systemd feature.  Existing systems may still have a `cockpit-ws` user (and very old systems might even have associated TLS certificates). However, this `cockpit-ws` user is no longer required and can be safely deleted.
+
+## Development: New install mode using `systemd-sysext`
+
+To simplify development, a new build tool can install Cockpit as a [systemd-sysext](https://www.freedesktop.org/software/systemd/man/latest/systemd-sysext.html) (system extension). This enables testing all parts of Cockpit (web server, login page, systemd units, and bridge) directly on the host system, safely and quickly, without modifying the disk or having to use a virtual machine. Installation is temporary in `/run/extensions/` and cleared on reboot.
+
+Read [the documentation for detailed instructions](https://github.com/cockpit-project/cockpit/blob/main/HACKING.md#working-on-your-local-machine-systemd-sysext).
+
+
+## Try it out
+
+Cockpit 330 is available now:
+
+* [For your Linux system](https://cockpit-project.org/running.html)
+* [Cockpit Client](https://flathub.org/apps/details/org.cockpit_project.CockpitClient)
+
+* [Cockpit Source Tarball](https://github.com/cockpit-project/cockpit/releases/tag/330)
+* [Cockpit Fedora 41](https://bodhi.fedoraproject.org/updates/FEDORA-2024-60684a3b16)
+* [Cockpit Fedora 40](https://bodhi.fedoraproject.org/updates/FEDORA-2024-ba2375d278)
+
+*[TLS]: Transport Layer Security