Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Issue 14 - run nsncd as nsncd user #129

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,10 @@ and mailing lists.
Just run the `nsncd` binary and it will listen at `/var/run/nscd/socket`.
There's a simple `systemd` unit file, too.

It will run `nsncd` as the `nscd` user and group, and apply some sandboxing.
It also relies on the systemd `RuntimeDirectory=` functionality to create the
directory at `/var/run/nscd` with appropriate permissions.

If you're on a Debian-based system, you can use the provided Debian package to
install `nsncd` to run under `systemd`. See `debian/README.source` for how to
build it - we use a few Rust crates that aren't packaged for stable Debian
Expand Down
11 changes: 11 additions & 0 deletions debian/postinst
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
#!/bin/sh -e
#DEBHELPER#

if ! getent group nsncd >/dev/null 2>&1; then
addgroup --system --quiet nsncd
fi
if ! getent passwd nsncd >/dev/null 2>&1; then
adduser --system --quiet --ingroup nsncd \
--no-create-home --home /nonexistent \
nsncd
fi
10 changes: 10 additions & 0 deletions nsncd.service
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,16 @@ Description=name-service non-caching daemon

[Service]
ExecStart=/usr/lib/nsncd
User=nsncd
Group=nsnccd
RemoveIPC=true
PrivateTmp=true
NoNewPrivileges=true
RestrictSUIDSGID=true
ProtectSystem=strict
ProtectHome=read-only
Restart=always
RuntimeDirectory=nscd
Restart=always
Type=notify

Expand Down
Loading