mirror of https://github.com/NixOS/nixpkgs.git synced 2024-11-22 13:41:26 +00:00
nixpkgs/nixos/modules/services
Jamey Sharp f7c776760b nixos/nscd: only drop privs after nss module init
NixOS usually needs nscd just to have a single place where
LD_LIBRARY_PATH can be set to include all NSS modules, but nscd is also
useful if some of the NSS modules need to read files which are only
accessible by root.

For example, nixos/modules/config/ldap.nix needs this when
  users.ldap.enable = true;
  users.ldap.daemon.enable = false;
and users.ldap.bind.passwordFile exists. In that case, the module
creates an /etc/ldap.conf which is only readable by root, but which the
NSS module needs to read in order to find out what LDAP server to
connect to and with what credentials.

If nscd is started as root and configured with the server-user option in
nscd.conf, then it gives each NSS module the opportunity to initialize
itself before dropping privileges. The initialization happens in the
glibc-internal __nss_disable_nscd function, which pre-loads all the
configured NSS modules for passwd, group, hosts, and services (but not
netgroup for some reason?) and, for each loaded module, calls an init
function if one is defined. After that finishes, nscd's main() calls
nscd_init() which ends by calling finish_drop_privileges().

There are provisions in systemd for using DynamicUser with a service
which needs to drop privileges itself, so this patch does that.
2019-07-07 08:43:41 -07:00
admin cleanup redundant text in modules utilizing mkEnableOption 2019-04-20 14:44:02 +02:00
amqp nixos/rabbitmq: replace deprecated usage of PermissionsStartOnly 2019-04-13 07:00:57 -04:00
audio Merge pull request #63551 from Steell/roon-server 2019-07-02 10:06:29 +08:00
backup duplicati: fix StateDirectory 2019-06-27 14:15:37 +02:00
cluster treewide: remove unused variables (#63177) 2019-06-16 19:59:05 +00:00
computing nixos/boinc: replace deprecated usage of PermissionsStartOnly 2019-05-26 07:20:56 -04:00
continuous-integration treewide: Remove usage of isNull 2019-04-29 14:05:50 +02:00
databases nixos/mysql: make ExecStartPost script fail on error 2019-07-03 08:50:21 +02:00
desktops nixos/deepin: add dde-control-center 2019-06-27 22:15:13 -04:00
development nixos/jupyter: wait for network.target 2018-11-06 20:40:20 +01:00
editors doc: Use prompt more often 2019-06-17 13:25:50 +02:00
games Merge pull request #60406 from JohnAZoidberg/remove-isnull 2019-05-18 09:36:24 +00:00
hardware udev: be more verbose about the error 2019-06-21 18:05:14 +02:00
logging nixos/graylog: replace deprecated usage of PermissionsStartOnly 2019-05-26 07:20:57 -04:00
mail Revert "Merge pull request #63156 from Izorkin/phpfpm-rootless" 2019-06-28 21:47:43 -04:00
misc Revert "Merge pull request #63156 from Izorkin/phpfpm-rootless" 2019-06-28 21:47:43 -04:00
monitoring Merge pull request #62061 from aanderse/nagios 2019-07-03 06:19:35 -04:00
network-filesystems nixos/doc: Fix spurious indentation 2019-06-17 12:28:26 +02:00
networking networkmanager: Documentation cleanup. 2019-07-03 09:40:05 +00:00
printing Merge pull request #59076 from Yarny0/cups-path-fix 2019-05-30 10:52:28 -04:00
scheduling Merge pull request #51918 from bobvanderlinden/var-run 2019-04-07 20:09:46 +02:00
search treewide: Remove usage of isNull 2019-04-29 14:05:50 +02:00
security nixos: add StateDirectory for fprintd 2019-05-26 18:06:46 +01:00
system nixos/nscd: only drop privs after nss module init 2019-07-07 08:43:41 -07:00
torrent nixos/deluge: add authFile, config & port options 2019-06-04 18:08:11 +02:00
ttys nixos: add preferLocalBuild=true; on derivations for config files 2019-02-22 20:11:27 +01:00
web-apps Revert "Merge pull request #63156 from Izorkin/phpfpm-rootless" 2019-06-28 21:47:43 -04:00
web-servers Revert "Merge pull request #63156 from Izorkin/phpfpm-rootless" 2019-06-28 21:47:43 -04:00
x11 Merge pull request #62852 from samueldr/fix/xterm-desktop-manager-default 2019-06-24 14:48:58 -04:00