author | Nikolay Amiantov <ab@fmap.me> | 2019-07-22 16:23:07 +0300 |
---|---|---|
committer | GitHub <noreply@github.com> | 2019-07-22 16:23:07 +0300 |
commit | a0ba42e3f4e7de10de156707ef845e8a52525e0c (patch) | |
tree | 1c6aabec727dd8f74389d2c3d0db86c876e34865 /nixos | |
parent | 3c65adaa750a66de589e61e01e96200a29187cd6 (diff) | |
parent | d79584c90253107d8d29869de0951545a567554a (diff) | |
Merge pull request #64268 from jameysharp/nscd-dynamicuser
nixos/nscd: DynamicUser and other cleanups
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/services/system/nscd.conf | 18 | ||||
-rw-r--r-- | nixos/modules/services/system/nscd.nix | 31 |
2 files changed, 9 insertions, 40 deletions
diff --git a/nixos/modules/services/system/nscd.conf b/nixos/modules/services/system/nscd.conf
index 603a5d01acc..2b7523a7346 100644
--- a/nixos/modules/services/system/nscd.conf
+++ b/nixos/modules/services/system/nscd.conf
@@ -7,46 +7,28 @@
 # is not aware of the path in which the nss modules live. As a workaround, we
 # have `enable-cache yes` with an explicit ttl of 0
 server-user nscd
-threads 1
-paranoia no
-debug-level 0
 
 enable-cache passwd yes
 positive-time-to-live passwd 0
 negative-time-to-live passwd 0
-suggested-size passwd 211
-check-files passwd yes
-persistent passwd no
 shared passwd yes
 
 enable-cache group yes
 positive-time-to-live group 0
 negative-time-to-live group 0
-suggested-size group 211
-check-files group yes
-persistent group no
 shared group yes
 
 enable-cache netgroup yes
 positive-time-to-live netgroup 0
 negative-time-to-live netgroup 0
-suggested-size netgroup 211
-check-files netgroup yes
-persistent netgroup no
 shared netgroup yes
 
 enable-cache hosts yes
 positive-time-to-live hosts 600
 negative-time-to-live hosts 0
-suggested-size hosts 211
-check-files hosts yes
-persistent hosts no
 shared hosts yes
 
 enable-cache services yes
 positive-time-to-live services 0
 negative-time-to-live services 0
-suggested-size services 211
-check-files services yes
-persistent services no
 shared services yes
diff --git a/nixos/modules/services/system/nscd.nix b/nixos/modules/services/system/nscd.nix
index fd1570d1198..e11f7e049d8 100644
--- a/nixos/modules/services/system/nscd.nix
+++ b/nixos/modules/services/system/nscd.nix
@@ -39,11 +39,6 @@ in
 config = mkIf cfg.enable {
 
 environment.etc."nscd.conf".text = cfg.config;
 
- users.users.nscd =
- { isSystemUser = true;
- description = "Name service cache daemon user";
- };
-
 systemd.services.nscd =
 { description = "Name Service Cache Daemon";
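Review bot: The removed `threads`, `paranoia`, `debug-level`, `suggested-size`, `check-files` and `persistent` directives presumably leave those settings at glibc's built-in nscd defaults, but the file does not say so, and a later reader cannot tell whether their absence is deliberate. The surviving `server-user nscd` line also becomes the mechanism by which nscd drops root under the `!`-prefixed ExecStart this commit introduces in nscd.nix, so it is no longer a cosmetic setting. Suggest a comment above `server-user nscd`: `# Directives not listed here use glibc's nscd defaults. server-user is what makes nscd drop root after startup (the unit starts it as root); keep it in sync with the user named by the systemd unit.`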
@@ -51,22 +46,23 @@ in
 
 environment = { LD_LIBRARY_PATH = nssModulesPath; };
 
- preStart =
- ''
- mkdir -m 0755 -p /run/nscd
- rm -f /run/nscd/nscd.pid
- mkdir -m 0755 -p /var/db/nscd
- '';
-
 restartTriggers = [
 config.environment.etc.hosts.source
 config.environment.etc."nsswitch.conf".source
 config.environment.etc."nscd.conf".source
 ];
 
+ # We use DynamicUser because in default configurations nscd doesn't
+ # create any files that need to survive restarts. However, in some
+ # configurations, nscd needs to be started as root; it will drop
+ # privileges after all the NSS modules have read their configuration
+ # files. So prefix the ExecStart command with "!" to prevent systemd
+ # from dropping privileges early. See ExecStart in systemd.service(5).
 serviceConfig =
- { ExecStart = "@${pkgs.glibc.bin}/sbin/nscd nscd";
+ { ExecStart = "!@${pkgs.glibc.bin}/sbin/nscd nscd";
 Type = "forking";
+ DynamicUser = true;
+ RuntimeDirectory = "nscd";
 PIDFile = "/run/nscd/nscd.pid";
 Restart = "always";
 ExecReload =
@@ -75,15 +71,6 @@ in
 "${pkgs.glibc.bin}/sbin/nscd --invalidate hosts"
 ];
 };
-
- # Urgggggh... Nscd forks before opening its socket and writing
- # its pid. So wait until it's ready.
- postStart =
- ''
- while ! ${pkgs.glibc.bin}/sbin/nscd -g > /dev/null; do
- sleep 0.2
- done
- '';
 };
 };
 
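Review bot: Prefixing `ExecStart` with `!` means systemd no longer enforces the user switch for the main process; nscd is started as root and the drop to an unprivileged user now depends entirely on the `server-user` directive in nscd.conf, which comes from `cfg.config` and so appears to be user-editable. A configuration that omits or mistypes that directive would leave the daemon running as root for its whole lifetime, with `DynamicUser = true` giving a false sense that it is confined, and the new comment block documents why `!` is needed but not this dependency. Suggest appending to the comment: `# NOTE: because of "!", systemd does not drop privileges for nscd itself; the server-user line in nscd.conf must name the dynamic user ("nscd", the unit name) or the daemon keeps running as root.` An assertion that `cfg.config` contains a `server-user` line would catch that at evaluation time, though the option definition is outside this hunk.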
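Review bot: Dropping `postStart` removes the only readiness wait, and the comment being deleted states that nscd forks before opening its socket and writing its pid, which nothing else in the hunk contradicts or fixes; with only `Type = "forking"` plus `PIDFile` left, the unit may be reported active before nscd accepts connections, so anything ordered after it could see failed lookups at boot. If the wait is now believed redundant (for example because systemd waits for the PID file and nscd writes it only after the socket is open), the commit should record that reasoning in the unit; otherwise keep a bounded version of the loop, e.g. a `postStart` of `timeout 10 sh -c 'while ! ${pkgs.glibc.bin}/sbin/nscd -g > /dev/null; do sleep 0.2; done'`. The enclosing `systemd.services.nscd` attrset starts outside this hunk.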