Cockpit is the modern Linux admin interface. We release regularly.

Here are the release notes from Cockpit 330:

Web server: Increased sandboxing, setuid removal, bootc support

Cockpit’s web server already had low privilege levels, but previously used a setuid helper program cockpit-session for user logins. That helper had restricted permissions and was only executable by Cockpit (through group ownership). Its sole purpose was to run at the system level and immediately drop permissions to log in to a specific user account. However, the binary was still setuid, and setuid should be avoided for security reasons.

This release removes the setuid flag from the helper. cockpit-session now starts via systemd socket activation, with the Cockpit web server connecting to it using a protected UNIX socket in the /run directory. This approach enables tighter sandbox security by preventing the login session from being a direct descendant of the web server process. It also fixes Cockpit on bootc images.

All Cockpit components now run as dynamic users created at startup using the DynamicUser= systemd feature. Existing systems may still have a cockpit-ws user (and very old systems might even have associated TLS certificates). However, this cockpit-ws user is no longer required and can be safely deleted.

Development: New install mode using systemd-sysext

To simplify development, a new build tool can install Cockpit as a systemd-sysext (system extension). This enables testing all parts of Cockpit (web server, login page, systemd units, and bridge) directly on the host system, safely and quickly, without modifying the disk or having to use a virtual machine. Installation is temporary in /run/extensions/ and cleared on reboot.

Read the documentation for detailed instructions.

Try it out

Cockpit 330 is available now:

• For your Linux system

• Cockpit Client

• Cockpit Source Tarball
• Cockpit Fedora 41
• Cockpit Fedora 40