diff options
author | Netali <me@netali.de> | 2022-07-29 15:50:25 +0200 |
---|---|---|
committer | Netali <me@netali.de> | 2022-08-06 19:39:22 +0200 |
commit | 7a6c3cf4aefbf7d11641008ed580c1470d82c87d (patch) | |
tree | a09d20b504ae429d516f35ef1886e6b1b925be49 /nixos/modules/services | |
parent | 5c2783bccba5e6c27c2e9456a79447864d48e97a (diff) | |
download | nixlib-7a6c3cf4aefbf7d11641008ed580c1470d82c87d.tar nixlib-7a6c3cf4aefbf7d11641008ed580c1470d82c87d.tar.gz nixlib-7a6c3cf4aefbf7d11641008ed580c1470d82c87d.tar.bz2 nixlib-7a6c3cf4aefbf7d11641008ed580c1470d82c87d.tar.lz nixlib-7a6c3cf4aefbf7d11641008ed580c1470d82c87d.tar.xz nixlib-7a6c3cf4aefbf7d11641008ed580c1470d82c87d.tar.zst nixlib-7a6c3cf4aefbf7d11641008ed580c1470d82c87d.zip |
nixos/nscd: use a static user instead of systemd DynamicUser
Diffstat (limited to 'nixos/modules/services')
-rw-r--r-- | nixos/modules/services/system/nscd.nix | 45 |
1 files changed, 38 insertions, 7 deletions
diff --git a/nixos/modules/services/system/nscd.nix b/nixos/modules/services/system/nscd.nix index 002c40927806..9c98f8519548 100644 --- a/nixos/modules/services/system/nscd.nix +++ b/nixos/modules/services/system/nscd.nix @@ -27,6 +27,22 @@ in ''; }; + user = mkOption { + type = types.str; + default = "nscd"; + description = '' + User account under which nscd runs. + ''; + }; + + group = mkOption { + type = types.str; + default = "nscd"; + description = '' + User group under which nscd runs. + ''; + }; + config = mkOption { type = types.lines; default = builtins.readFile ./nscd.conf; @@ -56,6 +72,13 @@ in config = mkIf cfg.enable { environment.etc."nscd.conf".text = cfg.config; + users.users.${cfg.user} = { + isSystemUser = true; + group = cfg.group; + }; + + users.groups.${cfg.group} = {}; + systemd.services.nscd = { description = "Name Service Cache Daemon"; @@ -71,16 +94,24 @@ in config.environment.etc."nscd.conf".source ]; - # We use DynamicUser because in default configurations nscd doesn't - # create any files that need to survive restarts. However, in some - # configurations, nscd needs to be started as root; it will drop - # privileges after all the NSS modules have read their configuration - # files. So prefix the ExecStart command with "!" to prevent systemd - # from dropping privileges early. See ExecStart in systemd.service(5). + # In some configurations, nscd needs to be started as root; it will + # drop privileges after all the NSS modules have read their + # configuration files. So prefix the ExecStart command with "!" to + # prevent systemd from dropping privileges early. See ExecStart in + # systemd.service(5). We use a static user, because some NSS modules + # sill want to read their configuration files after the privilege drop + # and so users can set the owner of those files to the nscd user. serviceConfig = { ExecStart = "!@${cfg.package}/bin/nscd nscd"; Type = "forking"; - DynamicUser = true; + User = cfg.user; + Group = cfg.group; + RemoveIPC = true; + PrivateTmp = true; + NoNewPrivileges = true; + RestrictSUIDSGID = true; + ProtectSystem = "strict"; + ProtectHome = "read-only"; RuntimeDirectory = "nscd"; PIDFile = "/run/nscd/nscd.pid"; Restart = "always"; |