1
0
Fork 1
mirror of https://github.com/NixOS/nixpkgs.git synced 2024-12-25 03:17:13 +00:00
nixpkgs/nixos/modules/services/system/nscd.conf
Jamey Sharp f7c776760b nixos/nscd: only drop privs after nss module init
NixOS usually needs nscd just to have a single place where
LD_LIBRARY_PATH can be set to include all NSS modules, but nscd is also
useful if some of the NSS modules need to read files which are only
accessible by root.

For example, nixos/modules/config/ldap.nix needs this when
  users.ldap.enable = true;
  users.ldap.daemon.enable = false;
and users.ldap.bind.passwordFile exists. In that case, the module
creates an /etc/ldap.conf which is only readable by root, but which the
NSS module needs to read in order to find out what LDAP server to
connect to and with what credentials.

If nscd is started as root and configured with the server-user option in
nscd.conf, then it gives each NSS module the opportunity to initialize
itself before dropping privileges. The initialization happens in the
glibc-internal __nss_disable_nscd function, which pre-loads all the
configured NSS modules for passwd, group, hosts, and services (but not
netgroup for some reason?) and, for each loaded module, calls an init
function if one is defined. After that finishes, nscd's main() calls
nscd_init() which ends by calling finish_drop_privileges().

There are provisions in systemd for using DynamicUser with a service
which needs to drop privileges itself, so this patch does that.
2019-07-07 08:43:41 -07:00

35 lines
1.4 KiB
Plaintext

# We basically use nscd as a proxy for forwarding nss requests to appropriate
# nss modules, as we run nscd with LD_LIBRARY_PATH set to the directory
# containing all such modules
# Note that we can not use `enable-cache no` As this will actually cause nscd
# to just reject the nss requests it receives, which then causes glibc to
# fallback to trying to handle the request by itself. Which won't work as glibc
# is not aware of the path in which the nss modules live. As a workaround, we
# have `enable-cache yes` with an explicit ttl of 0
server-user nscd
enable-cache passwd yes
positive-time-to-live passwd 0
negative-time-to-live passwd 0
shared passwd yes
enable-cache group yes
positive-time-to-live group 0
negative-time-to-live group 0
shared group yes
enable-cache netgroup yes
positive-time-to-live netgroup 0
negative-time-to-live netgroup 0
shared netgroup yes
enable-cache hosts yes
positive-time-to-live hosts 600
negative-time-to-live hosts 0
shared hosts yes
enable-cache services yes
positive-time-to-live services 0
negative-time-to-live services 0
shared services yes