NixOS usually needs nscd just to have a single place where LD_LIBRARY_PATH can be set to include all NSS modules, but nscd is also useful if some of the NSS modules need to read files which are only accessible by root. For example, nixos/modules/config/ldap.nix needs this when users.ldap.enable = true; users.ldap.daemon.enable = false; and users.ldap.bind.passwordFile exists. In that case, the module creates an /etc/ldap.conf which is only readable by root, but which the NSS module needs to read in order to find out what LDAP server to connect to and with what credentials. If nscd is started as root and configured with the server-user option in nscd.conf, then it gives each NSS module the opportunity to initialize itself before dropping privileges. The initialization happens in the glibc-internal __nss_disable_nscd function, which pre-loads all the configured NSS modules for passwd, group, hosts, and services (but not netgroup for some reason?) and, for each loaded module, calls an init function if one is defined. After that finishes, nscd's main() calls nscd_init(), which ends by calling finish_drop_privileges(). systemd has provisions for using DynamicUser with a service that needs to drop privileges itself, so this patch uses them.
# NixOS module for nscd, the glibc Name Service Cache Daemon.
#
# nscd is run mainly so that there is one process whose LD_LIBRARY_PATH
# covers every configured NSS module (config.system.nssModules.path).
# The unit starts nscd with full privileges ("!" in ExecStart) even though
# DynamicUser is enabled, because nscd drops privileges itself once the NSS
# modules have initialised; per the commit message this relies on the
# server-user option in nscd.conf.  The default ./nscd.conf is not part of
# this listing, so anyone overriding services.nscd.config should confirm
# that server-user is kept, otherwise nscd keeps running as root.
{ config, lib, pkgs, ... }:

let
  inherit (lib) mkIf mkOption types;

  # Directory tree containing every NSS module the system is configured with.
  nssLibraryPath = config.system.nssModules.path;

  nscdCfg = config.services.nscd;

  nscdBin = "${pkgs.glibc.bin}/sbin/nscd";
in

{
  ###### interface

  options.services.nscd = {
    enable = mkOption {
      type = types.bool;
      default = true;
      description = "Whether to enable the Name Service Cache Daemon.";
    };

    config = mkOption {
      type = types.lines;
      default = builtins.readFile ./nscd.conf;
      description = "Configuration to use for Name Service Cache Daemon.";
    };
  };

  ###### implementation

  config = mkIf nscdCfg.enable {
    environment.etc."nscd.conf".text = nscdCfg.config;

    systemd.services.nscd = {
      description = "Name Service Cache Daemon";

      wantedBy = [ "nss-lookup.target" "nss-user-lookup.target" ];

      # Let this single daemon load every NSS module.
      environment.LD_LIBRARY_PATH = nssLibraryPath;

      # Restart whenever a file that influences name resolution changes.
      restartTriggers = [
        config.environment.etc.hosts.source
        config.environment.etc."nsswitch.conf".source
        config.environment.etc."nscd.conf".source
      ];

      serviceConfig = {
        # "!" runs ExecStart with full privileges despite DynamicUser (nscd
        # drops them itself); "@" makes the trailing "nscd" the argv[0].
        ExecStart = "!@${nscdBin} nscd";
        Type = "forking";
        DynamicUser = true;
        RuntimeDirectory = "nscd";
        PIDFile = "/run/nscd/nscd.pid";
        Restart = "always";
        # No "!" here: the reload commands run under the dynamic user, so
        # they talk to the already-running daemon rather than act as root.
        ExecReload = [
          "${nscdBin} --invalidate passwd"
          "${nscdBin} --invalidate group"
          "${nscdBin} --invalidate hosts"
        ];
      };
    };
  };
}