From 584a49e6d9d93697ba8ab61e77864f87b7593749 Mon Sep 17 00:00:00 2001 From: Florian Klink Date: Tue, 23 Apr 2024 16:06:30 +0300 Subject: [PATCH] nsncd.service: run as non-root This updates the nsncd.service systemd unit file to run nsncd as a `nscd` user and group, and enables sandboxing. Fixes #14. --- README.md | 4 ++++ nsncd.service | 10 ++++++++++ 2 files changed, 14 insertions(+) diff --git a/README.md b/README.md index 83351f7..6715c8b 100644 --- a/README.md +++ b/README.md @@ -20,6 +20,10 @@ and mailing lists. Just run the `nsncd` binary and it will listen at `/var/run/nscd/socket`. There's a simple `systemd` unit file, too. +It will run `nsncd` as the `nscd` user and group, and apply some sandboxing. +It also relies on the systemd `RuntimeDirectory=` functionality to create the +directory at `/var/run/nscd` with appropriate permissions. + If you're on a Debian-based system, you can use the provided Debian package to install `nsncd` to run under `systemd`. See `debian/README.source` for how to build it - we use a few Rust crates that aren't packaged for stable Debian diff --git a/nsncd.service b/nsncd.service index 99af01d..cc95625 100644 --- a/nsncd.service +++ b/nsncd.service @@ -17,6 +17,16 @@ Description=name-service non-caching daemon [Service] ExecStart=/usr/lib/nsncd +User=nscd +Group=nscd +RemoveIPC=true +PrivateTmp=true +NoNewPrivileges=true +RestrictSUIDSGID=true +ProtectSystem=strict +ProtectHome=read-only +Restart=always +RuntimeDirectory=nscd Restart=always Type=notify
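Review bot: the README hunk should also say that the `nscd` user and group must exist before the unit is enabled, because `User=nscd`/`Group=nscd` in the service file do not create the account and nothing else in this patch (no sysusers.d fragment, no change under `debian/`) does, so on a host without that account the unit will fail to start. A sentence after "and apply some sandboxing." along the lines of "Create an `nscd` system user and group (or install the Debian package, which must do so) before starting the unit" would close that gap.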
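Review bot: the added `+Restart=always` in the nsncd.service hunk duplicates the existing `Restart=always` that appears as unchanged context immediately after `+RuntimeDirectory=nscd`; drop the added line so the unit does not carry the key twice. Worth a comment in the unit as well: with `ProtectSystem=strict` the rest of the tree is read-only, so `RuntimeDirectory=nscd` is both what creates `/var/run/nscd` with the right ownership and what keeps it writable for the listening socket, and removing it would break startup under the sandbox.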