nixos/nscd: only drop privs after nss module init
NixOS usually needs nscd just to have a single place where LD_LIBRARY_PATH can be set to include all NSS modules, but nscd is also useful if some of the NSS modules need to read files which are only accessible by root. For example, nixos/modules/config/ldap.nix needs this when users.ldap.enable = true; users.ldap.daemon.enable = false; and users.ldap.bind.passwordFile exists. In that case, the module creates an /etc/ldap.conf which is only readable by root, but which the NSS module needs to read in order to find out what LDAP server to connect to and with what credentials. If nscd is started as root and configured with the server-user option in nscd.conf, then it gives each NSS module the opportunity to initialize itself before dropping privileges. The initialization happens in the glibc-internal __nss_disable_nscd function, which pre-loads all the configured NSS modules for passwd, group, hosts, and services (but not netgroup for some reason?) and, for each loaded module, calls an init function if one is defined. After that finishes, nscd's main() calls nscd_init() which ends by calling finish_drop_privileges(). There are provisions in systemd for using DynamicUser with a service which needs to drop privileges itself, so this patch does that.
This commit is contained in:
parent
c38fa99757
commit
f7c776760b
2 changed files with 2 additions and 1 deletions
|
@ -6,6 +6,7 @@
|
|||
# fallback to trying to handle the request by itself. Which won't work as glibc
|
||||
# is not aware of the path in which the nss modules live. As a workaround, we
|
||||
# have `enable-cache yes` with an explicit ttl of 0
|
||||
server-user nscd
|
||||
|
||||
enable-cache passwd yes
|
||||
positive-time-to-live passwd 0
|
||||
|
|
|
@ -53,7 +53,7 @@ in
|
|||
];
|
||||
|
||||
serviceConfig =
|
||||
{ ExecStart = "@${pkgs.glibc.bin}/sbin/nscd nscd";
|
||||
{ ExecStart = "!@${pkgs.glibc.bin}/sbin/nscd nscd";
|
||||
Type = "forking";
|
||||
DynamicUser = true;
|
||||
RuntimeDirectory = "nscd";
|
||||
|
|
Loading…
Reference in a new issue