2018-12-12 14:34:05 +00:00
|
|
|
# We basically use nscd as a proxy for forwarding nss requests to appropriate
|
|
|
|
# nss modules, as we run nscd with LD_LIBRARY_PATH set to the directory
|
|
|
|
# containing all such modules
|
|
|
|
# Note that we can not use `enable-cache no` As this will actually cause nscd
|
|
|
|
# to just reject the nss requests it receives, which then causes glibc to
|
|
|
|
# fallback to trying to handle the request by itself. Which won't work as glibc
|
|
|
|
# is not aware of the path in which the nss modules live. As a workaround, we
|
|
|
|
# have `enable-cache yes` with an explicit ttl of 0
|
nixos/nscd: only drop privs after nss module init
NixOS usually needs nscd just to have a single place where
LD_LIBRARY_PATH can be set to include all NSS modules, but nscd is also
useful if some of the NSS modules need to read files which are only
accessible by root.
For example, nixos/modules/config/ldap.nix needs this when
users.ldap.enable = true;
users.ldap.daemon.enable = false;
and users.ldap.bind.passwordFile exists. In that case, the module
creates an /etc/ldap.conf which is only readable by root, but which the
NSS module needs to read in order to find out what LDAP server to
connect to and with what credentials.
If nscd is started as root and configured with the server-user option in
nscd.conf, then it gives each NSS module the opportunity to initialize
itself before dropping privileges. The initialization happens in the
glibc-internal __nss_disable_nscd function, which pre-loads all the
configured NSS modules for passwd, group, hosts, and services (but not
netgroup for some reason?) and, for each loaded module, calls an init
function if one is defined. After that finishes, nscd's main() calls
nscd_init() which ends by calling finish_drop_privileges().
There are provisions in systemd for using DynamicUser with a service
which needs to drop privileges itself, so this patch does that.
2019-07-07 16:43:41 +01:00
|
|
|
server-user nscd
|
2007-01-11 23:55:25 +00:00
|
|
|
|
|
|
|
enable-cache passwd yes
|
nixos/nscd: Disable caching of group and passwd
Systemd provides an option for allocating DynamicUsers
which we want to use in NixOS to harden service configuration.
However, we discovered that the user wasn't allocated properly
for services. After some digging this turned out to be, of course,
a cache inconsistency problem.
When a DynamicUser creation is performed, Systemd check beforehand
whether the requested user already exists statically. If it does,
it bails out. If it doesn't, systemd continues with allocating the
user.
However, by checking whether the user exists, nscd will store
the fact that the user does not exist in it's negative cache.
When the service tries to lookup what user is associated to its
uid (By calling whoami, for example), it will try to consult
libnss_systemd.so However this will read from the cache and tell
report that the user doesn't exist, and thus will return that
there is no user associated with the uid. It will continue
to do so for the cache duration time. If the service
doesn't immediately looks up its username, this bug is not
triggered, as the cache will be invalidated around this time.
However, if the service is quick enough, it might end up
in a situation where it's incorrectly reported that the
user doesn't exist.
Preferably, we would not be using nscd at all. But we need to
use it because glibc reads nss modules from /etc/nsswitch.conf
by looking relative to the global LD_LIBRARY_PATH. Because LD_LIBRARY_PATH
is not set globally (as that would lead to impurities and ABI issues),
glibc will fail to find any nss modules.
Instead, as a hack, we start up nscd with LD_LIBRARY_PATH set
for only that service. Glibc will forward all nss syscalls to
nscd, which will then respect the LD_LIBRARY_PATH and only
read from locations specified in the NixOS config.
we can load nss modules in a pure fashion.
However, I think by accident, we just copied over the default
settings of nscd, which actually caches user and group lookups.
We already disable this when sssd is enabled, as this interferes
with the correct working of libnss_sss.so as it already
does its own caching of LDAP requests.
(See https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/deployment_guide/usingnscd-sssd)
Because nscd caching is now also interferring with libnss_systemd.so
and probably also with other nsss modules, lets just pre-emptively
disable caching for now for all options related to users and groups,
but keep it for caching hosts ans services lookups.
Note that we can not just put in /etc/nscd.conf:
enable-cache passwd no
As this will actually cause glibc to _not_ forward the call to nscd
at all, and thus never reach the nss modules. Instead we set
the negative and positive cache ttls to 0 seconds as a workaround.
This way, Glibc will always forward requests to nscd, but results
will never be cached.
Fixes #50273
2018-11-13 15:28:37 +00:00
|
|
|
positive-time-to-live passwd 0
|
|
|
|
negative-time-to-live passwd 0
|
2007-01-11 23:55:25 +00:00
|
|
|
shared passwd yes
|
|
|
|
|
|
|
|
enable-cache group yes
|
nixos/nscd: Disable caching of group and passwd
Systemd provides an option for allocating DynamicUsers
which we want to use in NixOS to harden service configuration.
However, we discovered that the user wasn't allocated properly
for services. After some digging this turned out to be, of course,
a cache inconsistency problem.
When a DynamicUser creation is performed, Systemd check beforehand
whether the requested user already exists statically. If it does,
it bails out. If it doesn't, systemd continues with allocating the
user.
However, by checking whether the user exists, nscd will store
the fact that the user does not exist in it's negative cache.
When the service tries to lookup what user is associated to its
uid (By calling whoami, for example), it will try to consult
libnss_systemd.so However this will read from the cache and tell
report that the user doesn't exist, and thus will return that
there is no user associated with the uid. It will continue
to do so for the cache duration time. If the service
doesn't immediately looks up its username, this bug is not
triggered, as the cache will be invalidated around this time.
However, if the service is quick enough, it might end up
in a situation where it's incorrectly reported that the
user doesn't exist.
Preferably, we would not be using nscd at all. But we need to
use it because glibc reads nss modules from /etc/nsswitch.conf
by looking relative to the global LD_LIBRARY_PATH. Because LD_LIBRARY_PATH
is not set globally (as that would lead to impurities and ABI issues),
glibc will fail to find any nss modules.
Instead, as a hack, we start up nscd with LD_LIBRARY_PATH set
for only that service. Glibc will forward all nss syscalls to
nscd, which will then respect the LD_LIBRARY_PATH and only
read from locations specified in the NixOS config.
we can load nss modules in a pure fashion.
However, I think by accident, we just copied over the default
settings of nscd, which actually caches user and group lookups.
We already disable this when sssd is enabled, as this interferes
with the correct working of libnss_sss.so as it already
does its own caching of LDAP requests.
(See https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/deployment_guide/usingnscd-sssd)
Because nscd caching is now also interferring with libnss_systemd.so
and probably also with other nsss modules, lets just pre-emptively
disable caching for now for all options related to users and groups,
but keep it for caching hosts ans services lookups.
Note that we can not just put in /etc/nscd.conf:
enable-cache passwd no
As this will actually cause glibc to _not_ forward the call to nscd
at all, and thus never reach the nss modules. Instead we set
the negative and positive cache ttls to 0 seconds as a workaround.
This way, Glibc will always forward requests to nscd, but results
will never be cached.
Fixes #50273
2018-11-13 15:28:37 +00:00
|
|
|
positive-time-to-live group 0
|
|
|
|
negative-time-to-live group 0
|
2007-01-11 23:55:25 +00:00
|
|
|
shared group yes
|
|
|
|
|
2018-11-16 14:08:01 +00:00
|
|
|
enable-cache netgroup yes
|
|
|
|
positive-time-to-live netgroup 0
|
|
|
|
negative-time-to-live netgroup 0
|
|
|
|
shared netgroup yes
|
|
|
|
|
2007-01-11 23:55:25 +00:00
|
|
|
enable-cache hosts yes
|
|
|
|
positive-time-to-live hosts 600
|
2018-11-14 11:19:58 +00:00
|
|
|
negative-time-to-live hosts 0
|
2007-01-11 23:55:25 +00:00
|
|
|
shared hosts yes
|
2018-11-16 14:03:00 +00:00
|
|
|
|
|
|
|
enable-cache services yes
|
|
|
|
positive-time-to-live services 0
|
|
|
|
negative-time-to-live services 0
|
|
|
|
shared services yes
|