nixpkgs/nixos/modules/services
Arian van Putten e712417936 nixos/nscd: Disable caching of group and passwd
Systemd provides an option for allocating DynamicUsers
which we want to use in NixOS to harden service configuration.
However, we discovered that the user wasn't allocated properly
for services. After some digging this turned out to be, of course,
a cache inconsistency problem.

When a DynamicUser creation is performed, Systemd checks beforehand
whether the requested user already exists statically. If it does,
it bails out. If it doesn't, systemd continues with allocating the
user.

However, by checking whether the user exists, nscd will store
the fact that the user does not exist in its negative cache.
When the service tries to look up which user is associated with its
uid (by calling whoami, for example), it will try to consult
libnss_systemd.so. However, this will read from the cache and
report that the user doesn't exist, and thus will return that
there is no user associated with the uid. It will continue
to do so for the cache duration time. If the service
doesn't immediately look up its username, this bug is not
triggered, as the cache will be invalidated around this time.
However, if the service is quick enough, it might end up
in a situation where it's incorrectly reported that the
user doesn't exist.

Preferably, we would not be using nscd at all. But we need to
use it because glibc reads nss modules from /etc/nsswitch.conf
by looking relative to the global LD_LIBRARY_PATH. Because LD_LIBRARY_PATH
is not set globally (as that would lead to impurities and ABI issues),
glibc will fail to find any nss modules.
Instead, as a hack, we start up nscd with LD_LIBRARY_PATH set
for only that service. Glibc will forward all nss syscalls to
nscd, which will then respect the LD_LIBRARY_PATH and only
read from locations specified in the NixOS config. This way
we can load nss modules in a pure fashion.

However, I think by accident, we just copied over the default
settings of nscd, which actually caches user and group lookups.
We already disable this when sssd is enabled, as this interferes
with the correct working of libnss_sss.so as it already
does its own caching of LDAP requests.
(See https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/deployment_guide/usingnscd-sssd)

Because nscd caching is now also interfering with libnss_systemd.so
and probably also with other nss modules, let's just pre-emptively
disable caching for now for all options related to users and groups,
but keep it for caching hosts and services lookups.

Note that we can not just put in /etc/nscd.conf:
enable-cache passwd no

As this will actually cause glibc to _not_ forward the call to nscd
at all, and thus never reach the nss modules. Instead we set
the negative and positive cache ttls to 0 seconds as a workaround.
This way, Glibc will always forward requests to nscd, but results
will never be cached.

Fixes #50273
2018-12-12 15:35:40 +01:00
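As an added illustration (not the commit's own nscd.conf or the nixpkgs module), the two ways of "turning off" passwd/group caching that the message contrasts, with the one that keeps lookups flowing through nscd shown in effect:

```conf
# Added illustration, not taken from the commit. Two nscd.conf variants for
# stopping user/group caching; only one of them keeps NSS modules reachable.
#
# Variant A: disable the passwd/group tables outright.
#
#   enable-cache            passwd  no
#   enable-cache            group   no
#
# Per the commit message, glibc then stops forwarding passwd/group lookups
# to nscd at all. On NixOS nscd is the only process with the LD_LIBRARY_PATH
# needed to find modules such as libnss_systemd.so, so those lookups would
# never reach the NSS modules.
#
# Variant B (the workaround described above): keep the tables enabled so
# every lookup is still forwarded to nscd, but give entries a lifetime of
# 0 seconds so a negative "no such user" answer recorded during systemd's
# DynamicUser pre-check is not served back to the service afterwards.
enable-cache            passwd  yes
positive-time-to-live   passwd  0
negative-time-to-live   passwd  0

enable-cache            group   yes
positive-time-to-live   group   0
negative-time-to-live   group   0

# The hosts and services stanzas are left at whatever the existing
# configuration sets; the commit intentionally keeps caching for those.
```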
admin salt: Restart on config changes 2018-10-15 19:59:25 -07:00
amqp rabbitmq module: Update documentation after proofreading 2018-11-03 19:19:04 +01:00
audio nixos/mpd: allow storage plugins in musicDirectory 2018-08-03 21:36:38 +02:00
backup nixos/borgbackup: allow paths to be empty or relative (#51275) 2018-11-30 17:37:50 +01:00
cluster nixos/kubernetes: allow to disable clusterCidr 2018-11-26 16:36:30 +01:00
computing nixos/slurm: add extraConfigPaths options 2018-11-22 11:43:05 +01:00
continuous-integration nixos/jenkins-job-builder: add accessTokenFile option 2018-12-03 17:07:29 +01:00
databases Merge pull request #51314 from Izorkin/mariadb-my.cnf 2018-12-07 15:37:53 -05:00
desktops gnome3.gnome-remote-desktop: init at 0.1.6 2018-11-30 21:35:21 +01:00
development nixos/jupyter: wait for network.target 2018-11-06 20:40:20 +01:00
editors Treewide: use HTTPS on GNU domains 2018-12-02 15:51:59 +01:00
games nixos/minetest fix: add missing uid/gid for minetest 2018-11-11 12:47:09 +01:00
hardware nixos lirc: fix owner-ship of runtime directory 2018-12-08 14:37:02 +01:00
logging journaldriver: 1.0.0 -> 1.1.0 (#48106) 2018-10-09 23:45:43 +02:00
mail roundcube: apply code review suggestions 2018-11-28 18:53:37 +01:00
misc Merge pull request #48423 from charles-dyfis-net/bees 2018-12-02 18:38:47 +01:00
monitoring nixos/grafana: use new default for connMaxLifetime 2018-12-05 20:49:45 +01:00
network-filesystems Merge pull request #49736 from nh2/glusterfs-service-simple-unit-no-forking 2018-11-14 12:35:57 +01:00
networking Merge pull request #50809 from sorki/wireguard_containers_wont_modprobe 2018-12-07 11:06:28 +01:00
printing cups-googlecloudprint: init at 20160502 2018-10-11 09:19:58 +01:00
scheduling nixos/modules: users.(extraUsers|extraGroup->users|group) 2018-06-30 03:02:58 +02:00
search elk: 6.3.2 -> 6.5.1 2018-12-01 12:47:12 +01:00
security nixos/tor: add HiddenServiceVersion option 2018-11-23 20:53:02 +00:00
system nixos/nscd: Disable caching of group and passwd 2018-12-12 15:35:40 +01:00
torrent nixos/transmission: fix AppArmor profile to include keyutils 2018-08-31 17:19:29 +02:00
ttys nixos/kmscon: Add autologin option 2018-09-29 21:55:14 +02:00
web-apps quassel-webserver: remove 2018-12-07 16:46:36 +00:00
web-servers doc: Fix insecure nginx docs (#51840) 2018-12-11 11:02:56 +00:00
x11 nixos/displayManager: Note that sessionCommands aren't run on Wayland 2018-12-10 10:36:25 +01:00