Commit graph

100 commits

Author SHA1 Message Date
Jamey Sharp d79584c902 nixos/nscd: document why it is configured this way 2019-07-12 12:07:45 -07:00
Jamey Sharp f7c776760b nixos/nscd: only drop privs after nss module init
NixOS usually needs nscd just to have a single place where
LD_LIBRARY_PATH can be set to include all NSS modules, but nscd is also
useful if some of the NSS modules need to read files which are only
accessible by root.

For example, nixos/modules/config/ldap.nix needs this when
  users.ldap.enable = true;
  users.ldap.daemon.enable = false;
and users.ldap.bind.passwordFile exists. In that case, the module
creates an /etc/ldap.conf which is only readable by root, but which the
NSS module needs to read in order to find out what LDAP server to
connect to and with what credentials.

If nscd is started as root and configured with the server-user option in
nscd.conf, then it gives each NSS module the opportunity to initialize
itself before dropping privileges. The initialization happens in the
glibc-internal __nss_disable_nscd function, which pre-loads all the
configured NSS modules for passwd, group, hosts, and services (but not
netgroup for some reason?) and, for each loaded module, calls an init
function if one is defined. After that finishes, nscd's main() calls
nscd_init() which ends by calling finish_drop_privileges().

There are provisions in systemd for using DynamicUser with a service
which needs to drop privileges itself, so this patch does that.
2019-07-07 08:43:41 -07:00
Jamey Sharp c38fa99757 nixos/nscd: don't need to specify username
Thanks to @arianvp for pointing out that when DynamicUser is true,
systemd defaults the value of User to be the name of the unit, which in
this case is already "nscd".
2019-07-06 09:24:49 -07:00
Jamey Sharp 4c64375e91 nixos/nscd: delete redundant nscd.conf options
These options were being set to the same value as the defaults that are
hardcoded in nscd. Delete them so it's clear which settings are actually
important for NixOS.

One exception is `threads 1`, which is different from the built-in
default of 4. However, both values are equivalent because nscd forces
the number of threads to be at least as many as the number of kinds of
databases it supports, which is 5.
2019-07-03 15:34:44 -07:00
Jamey Sharp de251704d6 nixos/nscd: run with a dynamic user
nscd doesn't create any files outside of /run/nscd unless the nscd.conf
"persistent" option is used, which we don't do by default. Therefore it
doesn't matter what UID/GID we run this service as, so long as it isn't
shared with any other running processes.

/run/nscd does need to be owned by the same UID that the service is
running as, but systemd takes care of that for us thanks to the
RuntimeDirectory directive.

If someone wants to turn on the "persistent" option, they need to
manually configure users.users.nscd and systemd.tmpfiles.rules so that
/var/db/nscd is owned by the same user that nscd runs as.

In an all-defaults boot.isContainer configuration of NixOS, this removes
the only user which did not have a pre-assigned UID.
2019-07-03 13:27:29 -07:00
Jamey Sharp 597563d248 nixos/nscd: let systemd manage directories
Previously this module created both /var/db/nscd and /run/nscd using
shell commands in a preStart script. Note that both of these paths are
hard-coded in the nscd source. (Well, the latter is actually
/var/run/nscd but /var/run is a symlink to /run so it works out the
same.)

/var/db/nscd is only used if the nscd.conf "persistent" option is turned
on for one or more databases, which it is not in our default config
file. I'm not even sure persistent mode can work under systemd, since
`nscd --shutdown` is not synchronous so systemd will always
unceremoniously kill nscd without reliably giving it time to mark the
databases as unused. Nonetheless, if someone wants to use that option,
they can ensure the directory exists using systemd.tmpfiles.rules.

systemd can create /run/nscd for us with the RuntimeDirectory directive,
with the added benefit of causing systemd to delete the directory on
service stop or restart. The default value of RuntimeDirectoryMode is
755, the same as the mode which this module was using before.

I don't think the `rm -f /run/nscd/nscd.pid` was necessary after NixOS
switched to systemd and used its PIDFile directive, because systemd
deletes the specified file after the service stops, and because the file
can't persist across reboots since /run is a tmpfs. Even if the file
still exists when nscd starts, it's only a problem if the pid it
contains has been reused by another process, which is unlikely. Anyway,
this change makes that deletion even less necessary, because now systemd
deletes the entire /run/nscd directory when the service stops.
2019-07-03 12:39:48 -07:00
Jamey Sharp 93f185df65 nixos/nscd: no longer need to wait for readiness
This postStart step was introduced on 2014-04-24 with the comment that
"Nscd forks into the background before it's ready to accept
connections."

However, that was fixed upstream almost two months earlier, on
2014-03-03, with the comment that "This, along with setting the nscd
service type to forking in its systemd configuration file, allows
systemd to be certain that the nscd service is ready and is accepting
connections."

The fix was released several months later in glibc 2.20, which was
merged in NixOS sometime before 15.09, so it certainly should be safe to
remove this workaround by now.
2019-07-03 12:26:47 -07:00
worldofpeace d672ceeb68
Merge pull request #63204 from michaelpj/imp/localtime-upstream
localtime: use upstream unit, fix polkit rules
2019-06-19 08:38:03 -04:00
Michael Peyton Jones 0073c1fb0b
localtime: use upstream unit and fix polkit rule installation
Also don't allocate a user - the upstream unit uses DynamicUser.
2019-06-19 11:07:44 +01:00
volth f3282c8d1e treewide: remove unused variables (#63177)
* treewide: remove unused variables

* making ofborg happy
2019-06-16 19:59:05 +00:00
Michael Peyton Jones d3a4a5bd95
localtime: set geoclue config
The geoclue module now lets us set application config. This should make
it more robust in environments that don't provide a geoclue agent.

Fixes #44725.
2019-06-03 18:12:33 +01:00
Lassulus 9cda3faecd
Merge pull request #53444 from wedens/earlyoom-notifications
nixos/earlyoom: add notificationsCommand option
2019-04-27 21:34:37 +09:00
wedens 5798d12842 nixos/earlyoom: add notificationsCommand option
Add option for specifying command that will be used for sending notifications.
See https://github.com/rfjakob/earlyoom#notifications for details.
2019-01-08 22:14:48 +07:00
Jan Tojnar aead6e12f9
Merge remote-tracking branch 'upstream/master' into staging 2018-12-16 22:55:06 +01:00
Arian van Putten 1d5f4cbb78 nixos/nscd: Add a descriptive comment to the nscd configuration 2018-12-12 15:35:46 +01:00
Arian van Putten a74619c1ae nixos/nscd: also add netgroup to the config
It was the last database that wasn't listed.
2018-12-12 15:35:40 +01:00
Arian van Putten de76c16f9c nixos/nscd: Merge nscd and sssd-nscd config 2018-12-12 15:35:40 +01:00
Arian van Putten 99d3279952 nixos/nscd: Disable negative caching of hosts
Hopefully fixes #50290
2018-12-12 15:35:40 +01:00
Arian van Putten e712417936 nixos/nscd: Disable caching of group and passwd
Systemd provides an option for allocating DynamicUsers
which we want to use in NixOS to harden service configuration.
However, we discovered that the user wasn't allocated properly
for services. After some digging this turned out to be, of course,
a cache inconsistency problem.

When a DynamicUser creation is performed, Systemd check beforehand
whether the requested user already exists statically. If it does,
it bails out. If it doesn't, systemd continues with allocating the
user.

However, by checking whether the user exists,  nscd will store
the fact that the user does not exist in it's negative cache.
When the service tries to lookup what user is associated to its
uid (By calling whoami, for example), it will try to consult
libnss_systemd.so However this will read from the cache and tell
report that the user doesn't exist, and thus will return that
there is no user associated with the uid. It will continue
to do so for the cache duration time.  If the service
doesn't immediately looks up its username, this bug is not
triggered, as the cache will be invalidated around this time.
However, if the service is quick enough, it might end up
in a situation where it's incorrectly reported that the
user doesn't exist.

Preferably, we would not be using nscd at all. But we need to
use it because glibc reads  nss modules from /etc/nsswitch.conf
by looking relative to the global LD_LIBRARY_PATH.  Because LD_LIBRARY_PATH
is not set globally (as that would lead to impurities and ABI issues),
glibc will fail to find any nss modules.
Instead, as a hack, we start up nscd with LD_LIBRARY_PATH set
for only that service. Glibc will forward all nss syscalls to
nscd, which will then respect the LD_LIBRARY_PATH and only
read from locations specified in the NixOS config.
we can load nss modules in a pure fashion.

However, I think by accident, we just copied over the default
settings of nscd, which actually caches user and group lookups.
We already disable this when sssd is enabled, as this interferes
with the correct working of libnss_sss.so as it already
does its own caching of LDAP requests.
(See https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/deployment_guide/usingnscd-sssd)

Because nscd caching is now also interferring with libnss_systemd.so
and probably also with other nsss modules, lets just pre-emptively
disable caching for now for all options related to users and groups,
but keep it for caching hosts ans services lookups.

Note that we can not just put in /etc/nscd.conf:
enable-cache passwd no

As this will actually cause glibc to _not_ forward the call to nscd
at all, and thus never reach the nss modules. Instead we set
the negative and positive cache ttls  to 0 seconds as a workaround.
This way, Glibc will always forward requests to nscd, but results
will never be cached.

Fixes #50273
2018-12-12 15:35:40 +01:00
Kai Wohlfahrt f5b4918de4 kerberos_server: ensure only one realm configured
Leave options for multiple realms for similarity to krb5, and future
expansion. Currently not tested because I can't make it work and don't need
it.
2018-12-11 13:33:10 +00:00
Kai Wohlfahrt 4e4a599e7e kerberos_server: Keep ACL file in store
Could also move kdc.conf, but this makes it inconvenient to use command line
utilities with heimdal, as it would require specifying --config-file with every
command.
2018-12-11 13:33:10 +00:00
Kai Wohlfahrt 6cca9c0f9f kerberos-server: add kerberos option
Allow switching out kerberos server implementation.

Sharing config is probably sensible, but implementation is different enough to
be worth splitting into two files. Not sure this is the correct way to split an
implementation, but it works for now.

Uses the switch from config.krb5 to select implementation.
2018-12-11 13:33:10 +00:00
Kai Wohlfahrt fe8f2b8813 kerberos-server: switch to ExecStart
script causes problems for forking services like MIT Kerberos.
2018-12-11 13:33:10 +00:00
Kai Wohlfahrt 4f9af77287 kerberos-server: cleanup of kerberos.nix
General cleanup before adding more options.
2018-12-11 13:33:10 +00:00
Kai Wohlfahrt ee3bd730d4 kerberos-server: move kadmind to systemd
Don't use socket activation, as inetd is discouraged by heimdal documentation.
2018-12-11 13:33:10 +00:00
Kai Wohlfahrt dfdd348206 kerberos-server: Fix sbin paths
tcpd doesn't have sbin anymore (so it was broken), and heimdal just symlinks to
bin.
2018-12-11 13:33:10 +00:00
Craig Younkins eff461c8ef treewide: systemd timeout arguments to use infinity instead of 0 (#50934)
Fixes https://github.com/NixOS/nixpkgs/issues/49700
2018-11-25 13:33:22 +01:00
Jörg Thalheim a5c74762cb
nixos/cloud-init: add enable suffix to ext4/btrfs
Makes the optional more self-describing and allows future extensions
2018-11-13 10:28:40 +00:00
Ding Xiang Fei a965921af9 allow cloud-init to support creating btrfs partitions 2018-11-13 13:14:34 +08:00
Pavel Goran 858b263bf0 nixos: correct improper uses of mkEnableOption, clarify service descriptions
Several service definitions used `mkEnableOption` with text starting
with "Whether to", which produced funny option descriptions like
"Whether to enable Whether to run the rspamd daemon..".

This commit corrects this, and adds short descriptions of services
to affected service definitions.
2018-10-05 13:14:45 +07:00
Matthew Bauer 4120a9dda7
Merge pull request #42295 from avnik/libprefixed-to-multioutput/heimdal
Libprefixed to multioutput/heimdal
2018-09-05 13:50:13 -05:00
Jan Tojnar fe51bf322c
Merge pull request #44820 from michaelpj/fix/redshift-geoclue-agents
redshift/geoclue/localtime: progress in fixing agent confusion
2018-08-14 17:13:09 +02:00
Michael Peyton Jones 80d4fa725b
localtime: simplify module a little 2018-08-14 15:55:05 +01:00
Alexander V. Nikolaev e808b7da20 heimdal: adjust daemon paths, they are in libexec now 2018-08-08 13:38:40 +03:00
Vincent Bernat 57840dbffb nixos/cloud-init: order after network-online.target (#44633)
Some modules of cloud-init can cope with a network not immediately
available (notably, the EC2 module), but some others won't retry if
network is not available (notably, the Cloudstack module).
network.target doesn't give much guarantee about the network
availability. Applications not able to start without a fully
configured network should be ordered after network-online.target.

Also see #44573 and #44524.
2018-08-08 00:09:00 +02:00
volth 6d2857a311 [bot] treewide: remove unused 'inherit' in let blocks 2018-07-20 19:38:19 +00:00
volth 87f5930c3f [bot]: remove unreferenced code 2018-07-20 18:48:37 +00:00
Allan Espinosa da994fb64e nixos/kerberos: update binary folder pointer
${pkg.tcp_wrappers}/sbin does not exist anymore.
2018-07-02 20:15:11 -04:00
Florian Klink fff5923686 nixos/modules: users.(extraUsers|extraGroup->users|group) 2018-06-30 03:02:58 +02:00
Michael Raitza e598fdf229 dbus: Add NSS modules path to dbus system bus service
DBus seems to resolve user IDs directly via glibc, circumventing nscd. In more
 advanced setups this leads to user's coming from LDAP or SSSD not being
 resolved by the dbus system bus daemon. The effect for such users is, that all
 access to the system bus (e.g. busctl or nmcli) is denied.

 Adding the respective NSS modules to the service's environment solves the issue
 the same way it does for nscd.
2018-06-07 16:44:04 +02:00
Domen Kožar d64ba1c060
Add localtime package and nixos module
Simple daemon for keeping system timezone up-to-date via geoclue2.

Sadly i3 status needs to be restarted for timezone changes.
2017-12-03 11:42:51 +01:00
Franz Pletz 00b6ac7bd3 Merge pull request #26419 from roblabla/feature-sasl
cyrus-sasl: Add saslauthd service and LDAP support
2017-07-20 20:23:52 +02:00
roblabla c18c50a42e cyrus-sasl: Add saslauthd service support 2017-06-06 12:59:47 +02:00
Frederik Rietdijk a2598e4ca1 Merge pull request #23024 from phile314/cloud-init-update
cloud-init: 0.7.6 -> 0.7.9 + module improvements
2017-05-22 16:33:31 +02:00
Philipp Hausmann 59ca1f6486 cloud-init: Disable broken hostname functionality by default 2017-04-20 19:12:27 +02:00
Leon Isenberg db30cff500 earlyoom service: init 2017-03-24 23:16:16 +01:00
Philipp Hausmann a0f4a720c8 cloud-init module: Replace hard-coded config by option. 2017-03-06 17:36:24 +01:00
Nikolay Amiantov ac0cdc1952 dbus service: use makeDBusConf 2017-02-16 15:41:23 +03:00
Parnell Springmeyer 9e36a58649
Merging against upstream master 2017-02-13 17:16:28 -06:00
Nikolay Amiantov 72b3746266 dbus service: remove {system,session}.conf from config dir
They are already included by dbus from /run/current-system/sw/share/dbus-1.
2017-02-01 15:37:24 +03:00