diff options
| author | Jamey Sharp <jamey@minilop.net> | 2019-07-03 13:11:05 -0700 |
|---|---|---|
| committer | Jamey Sharp <jamey@minilop.net> | 2019-07-03 13:27:29 -0700 |
| commit | de251704d66331f61417b9eaa42c58270ea6c766 (patch) | |
| tree | 7508f1512773f3ca0815434e8236a8873ecdb4a0 /nixos | |
| parent | 597563d248470857470481681e3d187866c4a3b7 (diff) | |
| download | nixlib-de251704d66331f61417b9eaa42c58270ea6c766.tar nixlib-de251704d66331f61417b9eaa42c58270ea6c766.tar.gz nixlib-de251704d66331f61417b9eaa42c58270ea6c766.tar.bz2 nixlib-de251704d66331f61417b9eaa42c58270ea6c766.tar.lz nixlib-de251704d66331f61417b9eaa42c58270ea6c766.tar.xz nixlib-de251704d66331f61417b9eaa42c58270ea6c766.tar.zst nixlib-de251704d66331f61417b9eaa42c58270ea6c766.zip | |
nixos/nscd: run with a dynamic user
nscd doesn't create any files outside of /run/nscd unless the nscd.conf "persistent" option is used, which we don't do by default. Therefore it doesn't matter what UID/GID we run this service as, so long as it isn't shared with any other running processes. /run/nscd does need to be owned by the same UID that the service is running as, but systemd takes care of that for us thanks to the RuntimeDirectory directive. If someone wants to turn on the "persistent" option, they need to manually configure users.users.nscd and systemd.tmpfiles.rules so that /var/db/nscd is owned by the same user that nscd runs as. In an all-defaults boot.isContainer configuration of NixOS, this removes the only user which did not have a pre-assigned UID.
Diffstat (limited to 'nixos')
| -rw-r--r-- | nixos/modules/services/system/nscd.conf | 1 | ||||
| -rw-r--r-- | nixos/modules/services/system/nscd.nix | 7 |
2 files changed, 2 insertions, 6 deletions
diff --git a/nixos/modules/services/system/nscd.conf b/nixos/modules/services/system/nscd.conf index 603a5d01acce..b294e9339185 100644 --- a/nixos/modules/services/system/nscd.conf +++ b/nixos/modules/services/system/nscd.conf @@ -6,7 +6,6 @@ # fallback to trying to handle the request by itself. Which won't work as glibc # is not aware of the path in which the nss modules live. As a workaround, we # have `enable-cache yes` with an explicit ttl of 0 -server-user nscd threads 1 paranoia no debug-level 0 diff --git a/nixos/modules/services/system/nscd.nix b/nixos/modules/services/system/nscd.nix index 146440035396..cf034caa1285 100644 --- a/nixos/modules/services/system/nscd.nix +++ b/nixos/modules/services/system/nscd.nix @@ -39,11 +39,6 @@ in config = mkIf cfg.enable { environment.etc."nscd.conf".text = cfg.config; - users.users.nscd = - { isSystemUser = true; - description = "Name service cache daemon user"; - }; - systemd.services.nscd = { description = "Name Service Cache Daemon"; @@ -60,6 +55,8 @@ in serviceConfig = { ExecStart = "@${pkgs.glibc.bin}/sbin/nscd nscd"; Type = "forking"; + User = "nscd"; + DynamicUser = true; RuntimeDirectory = "nscd"; PIDFile = "/run/nscd/nscd.pid"; Restart = "always"; |