diff options
author | Jamey Sharp <jamey@minilop.net> | 2019-07-07 08:43:41 -0700 |
---|---|---|
committer | Jamey Sharp <jamey@minilop.net> | 2019-07-07 08:43:41 -0700 |
commit | f7c776760babb4f2d5d4341a5dbd882bf7751e9c (patch) | |
tree | 07ef64a04a6967c3b357585c99dc1bfa06891f84 | |
parent | c38fa99757baec0ba04c41985783b6f63a58ced2 (diff) | |
download | nixpkgs-f7c776760babb4f2d5d4341a5dbd882bf7751e9c.tar nixpkgs-f7c776760babb4f2d5d4341a5dbd882bf7751e9c.tar.gz nixpkgs-f7c776760babb4f2d5d4341a5dbd882bf7751e9c.tar.bz2 nixpkgs-f7c776760babb4f2d5d4341a5dbd882bf7751e9c.tar.lz nixpkgs-f7c776760babb4f2d5d4341a5dbd882bf7751e9c.tar.xz nixpkgs-f7c776760babb4f2d5d4341a5dbd882bf7751e9c.tar.zst nixpkgs-f7c776760babb4f2d5d4341a5dbd882bf7751e9c.zip |
nixos/nscd: only drop privs after nss module init
NixOS usually needs nscd just to have a single place where LD_LIBRARY_PATH can be set to include all NSS modules, but nscd is also useful if some of the NSS modules need to read files which are only accessible by root. For example, nixos/modules/config/ldap.nix needs this when users.ldap.enable = true; users.ldap.daemon.enable = false; and users.ldap.bind.passwordFile exists. In that case, the module creates an /etc/ldap.conf which is only readable by root, but which the NSS module needs to read in order to find out what LDAP server to connect to and with what credentials. If nscd is started as root and configured with the server-user option in nscd.conf, then it gives each NSS module the opportunity to initialize itself before dropping privileges. The initialization happens in the glibc-internal __nss_disable_nscd function, which pre-loads all the configured NSS modules for passwd, group, hosts, and services (but not netgroup for some reason?) and, for each loaded module, calls an init function if one is defined. After that finishes, nscd's main() calls nscd_init() which ends by calling finish_drop_privileges(). There are provisions in systemd for using DynamicUser with a service which needs to drop privileges itself, so this patch does that.
-rw-r--r-- | nixos/modules/services/system/nscd.conf | 1 | ||||
-rw-r--r-- | nixos/modules/services/system/nscd.nix | 2 |
2 files changed, 2 insertions, 1 deletions
diff --git a/nixos/modules/services/system/nscd.conf b/nixos/modules/services/system/nscd.conf index bd802bd3c2e..2b7523a7346 100644 --- a/nixos/modules/services/system/nscd.conf +++ b/nixos/modules/services/system/nscd.conf @@ -6,6 +6,7 @@ # fallback to trying to handle the request by itself. Which won't work as glibc # is not aware of the path in which the nss modules live. As a workaround, we # have `enable-cache yes` with an explicit ttl of 0 +server-user nscd enable-cache passwd yes positive-time-to-live passwd 0 diff --git a/nixos/modules/services/system/nscd.nix b/nixos/modules/services/system/nscd.nix index d094e9893ff..c2d0cd5d0eb 100644 --- a/nixos/modules/services/system/nscd.nix +++ b/nixos/modules/services/system/nscd.nix @@ -53,7 +53,7 @@ in ]; serviceConfig = - { ExecStart = "@${pkgs.glibc.bin}/sbin/nscd nscd"; + { ExecStart = "!@${pkgs.glibc.bin}/sbin/nscd nscd"; Type = "forking"; DynamicUser = true; RuntimeDirectory = "nscd"; |