From 7a6c3cf4aefbf7d11641008ed580c1470d82c87d Mon Sep 17 00:00:00 2001 From: Netali Date: Fri, 29 Jul 2022 15:50:25 +0200 Subject: nixos/nscd: use a static user instead of systemd DynamicUser --- nixos/modules/services/system/nscd.nix | 45 ++++++++++++++++++++++++++++------ 1 file changed, 38 insertions(+), 7 deletions(-) (limited to 'nixos/modules/services/system/nscd.nix') diff --git a/nixos/modules/services/system/nscd.nix b/nixos/modules/services/system/nscd.nix index 002c40927806..9c98f8519548 100644 --- a/nixos/modules/services/system/nscd.nix +++ b/nixos/modules/services/system/nscd.nix @@ -27,6 +27,22 @@ in ''; }; + user = mkOption { + type = types.str; + default = "nscd"; + description = '' + User account under which nscd runs. + ''; + }; + + group = mkOption { + type = types.str; + default = "nscd"; + description = '' + User group under which nscd runs. + ''; + }; + config = mkOption { type = types.lines; default = builtins.readFile ./nscd.conf; @@ -56,6 +72,13 @@ in config = mkIf cfg.enable { environment.etc."nscd.conf".text = cfg.config; + users.users.${cfg.user} = { + isSystemUser = true; + group = cfg.group; + }; + + users.groups.${cfg.group} = {}; + systemd.services.nscd = { description = "Name Service Cache Daemon"; 
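Review bot: The `user` and `group` options added in the first hunk are not tied to the identity nscd actually ends up running as. The last hunk keeps the `!` prefix on ExecStart, which its own comment says prevents systemd from dropping privileges, so the identity after startup presumably comes from the `server-user` directive in `cfg.config` (./nscd.conf is not visible in this patch). If an operator changes `user` without changing that directive, the account created in the second hunk goes unused and the daemon may fail to start or stay privileged. I would extend the description to `User account under which nscd runs. Must match the server-user setting in the nscd configuration.` or add an assertion that enforces the match.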
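Review bot: In the second hunk, `users.users.${cfg.user}` and `users.groups.${cfg.group}` are declared whenever the module is enabled, even if the operator points the options at an account that is defined elsewhere. In that case `isSystemUser = true` and `group = cfg.group` are merged into the existing definition and can conflict with it. A guard on the default name avoids this, e.g. `users.users = mkIf (cfg.user == "nscd") { nscd = { isSystemUser = true; group = cfg.group; }; };`, with the same for the group. The `config = mkIf cfg.enable { … }` block continues past this hunk.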
@@ -71,16 +94,24 @@ in config.environment.etc."nscd.conf".source ]; - # We use DynamicUser because in default configurations nscd doesn't - # create any files that need to survive restarts. However, in some - # configurations, nscd needs to be started as root; it will drop - # privileges after all the NSS modules have read their configuration - # files. So prefix the ExecStart command with "!" to prevent systemd - # from dropping privileges early. See ExecStart in systemd.service(5). + # In some configurations, nscd needs to be started as root; it will + # drop privileges after all the NSS modules have read their + # configuration files. So prefix the ExecStart command with "!" to + # prevent systemd from dropping privileges early. See ExecStart in + # systemd.service(5). We use a static user, because some NSS modules + # sill want to read their configuration files after the privilege drop + # and so users can set the owner of those files to the nscd user. serviceConfig = { ExecStart = "!@${cfg.package}/bin/nscd nscd"; Type = "forking"; - DynamicUser = true; + User = cfg.user; + Group = cfg.group; + RemoveIPC = true; + PrivateTmp = true; + NoNewPrivileges = true; + RestrictSUIDSGID = true; + ProtectSystem = "strict"; + ProtectHome = "read-only"; RuntimeDirectory = "nscd"; PIDFile = "/run/nscd/nscd.pid"; Restart = "always"; -- cgit 1.4.1
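Review bot: The six sandboxing settings added to `serviceConfig` (`RemoveIPC` through `ProtectHome`) are the ones `DynamicUser = true` implied according to systemd.exec(5), but the rewritten comment does not say so. A later cleanup could drop them without anyone noticing the loss of hardening. I would add a line above `RemoveIPC`, e.g. `# Previously implied by DynamicUser=true; keep these set explicitly.`. The new comment also has a typo: `sill want to read` should be `still want to read`. The `serviceConfig` set continues outside the hunk.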