From 98672296968c1852754a6bb9993242420613e02c Mon Sep 17 00:00:00 2001
From: Minijackson
Date: Thu, 26 Jun 2025 12:56:21 +0200
Subject: [PATCH 1/2] nixos/sssd: add upstream directives in sssd.service

Changed the service type from forking to notify, which should gives a better indication of when the service is ready. Changed the preStart into an ExecStart, in order for upstream's NotifyAccess=main to work. Added Restart=on-abnormal for better service stability.
---
 nixos/modules/services/misc/sssd.nix | 32 ++++++++++++++++++++++------
 1 file changed, 25 insertions(+), 7 deletions(-)

diff --git a/nixos/modules/services/misc/sssd.nix b/nixos/modules/services/misc/sssd.nix
index babc76621a0f..7edb7a79109c 100644
--- a/nixos/modules/services/misc/sssd.nix
+++ b/nixos/modules/services/misc/sssd.nix
@@ -6,7 +6,6 @@
 }:
 let
   cfg = config.services.sssd;
-  nscd = config.services.nscd;
   dataDir = "/var/lib/sssd";
   settingsFile = "${dataDir}/sssd.conf";
@@ -106,18 +105,36 @@ in
       config.environment.etc."nscd.conf".source
       settingsFileUnsubstituted
     ];
-    script = ''
-      export LDB_MODULES_PATH+="''${LDB_MODULES_PATH+:}${pkgs.ldb}/modules/ldb:${pkgs.sssd}/modules/ldb"
-      mkdir -p /var/lib/sss/{pubconf,db,mc,pipes,gpo_cache,secrets} /var/lib/sss/pipes/private /var/lib/sss/pubconf/krb5.include.d
-      ${pkgs.sssd}/bin/sssd -D -c ${settingsFile}
-    '';
+    environment.LDB_MODULES_PATH = "${pkgs.ldb}/modules/ldb:${pkgs.sssd}/modules/ldb";
     serviceConfig = {
-      Type = "forking";
+      # systemd needs to start sssd directly for "NotifyAccess=main" to work
+      ExecStart = "${pkgs.sssd}/bin/sssd -i -c ${settingsFile}";
+      Type = "notify";
+      NotifyAccess = "main";
       PIDFile = "/run/sssd.pid";
+      CapabilityBoundingSet = [
+        "CAP_IPC_LOCK"
+        "CAP_CHOWN"
+        "CAP_DAC_READ_SEARCH"
+        "CAP_KILL"
+        "CAP_NET_ADMIN"
+        "CAP_SYS_NICE"
+        "CAP_FOWNER"
+        "CAP_SETGID"
+        "CAP_SETUID"
+        "CAP_SYS_ADMIN"
+        "CAP_SYS_RESOURCE"
+        "CAP_BLOCK_SUSPEND"
+      ];
+      Restart = "on-abnormal";
       StateDirectory = baseNameOf dataDir;
       # We cannot use LoadCredential here because it's not available in ExecStartPre
       EnvironmentFile = lib.mkIf (cfg.environmentFile != null) cfg.environmentFile;
     };
+    unitConfig = {
+      StartLimitIntervalSec = "50s";
+      StartLimitBurst = 5;
+    };
     preStart = ''
       mkdir -p "${dataDir}/conf.d"
       [ -f ${settingsFile} ] && rm -f ${settingsFile}
@@ -127,6 +144,7 @@ in
         -o ${settingsFile} \
         -i ${settingsFileUnsubstituted}
       umask $old_umask
+      mkdir -p /var/lib/sss/{pubconf,db,mc,pipes,gpo_cache,secrets} /var/lib/sss/pipes/private /var/lib/sss/pubconf/krb5.include.d
     '';
   };

From 4e40f1c79e5a9939c170a666ce43b695dee0460a Mon Sep 17 00:00:00 2001
From: Minijackson
Date: Thu, 26 Jun 2025 13:17:09 +0200
Subject: [PATCH 2/2] nixos/sssd: add upstream hardening options in sssd-kcm.service

---
 nixos/modules/services/misc/sssd.nix | 8 ++++++++
 1 file changed, 8 insertions(+)
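Review bot: The added `CapabilityBoundingSet` still grants `CAP_SYS_ADMIN` alongside `CAP_SETUID`/`CAP_SETGID` and `CAP_DAC_READ_SEARCH`, so it does little to contain the root sssd process and should not be read as confinement; a comment above the list such as `# Bounding set mirrors upstream sssd.service; CAP_SYS_ADMIN keeps it close to root-equivalent` would stop a later reader from treating it as a sandbox. The new `environment.LDB_MODULES_PATH` replaces the removed `export LDB_MODULES_PATH+=…`, which appended to any value already present; because `EnvironmentFile` (kept as a context line here) overrides `Environment=` rather than extending it, a variable set in that file now supplants the module path instead of being combined with it — probably acceptable, but the commit message should record this behaviour change. The `StartLimitIntervalSec`/`StartLimitBurst` pair is correctly placed under `unitConfig`, since both belong to the [Unit] section. The enclosing `systemd.services.sssd` definition begins before this hunk.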
diff --git a/nixos/modules/services/misc/sssd.nix b/nixos/modules/services/misc/sssd.nix
index 7edb7a79109c..284b2972d300 100644
--- a/nixos/modules/services/misc/sssd.nix
+++ b/nixos/modules/services/misc/sssd.nix
@@ -165,6 +165,14 @@ in
     serviceConfig = {
       ExecStartPre = "-${pkgs.sssd}/bin/sssd --genconf-section=kcm";
       ExecStart = "${pkgs.sssd}/libexec/sssd/sssd_kcm --uid 0 --gid 0";
+      CapabilityBoundingSet = [
+        "CAP_IPC_LOCK"
+        "CAP_CHOWN"
+        "CAP_DAC_READ_SEARCH"
+        "CAP_FOWNER"
+        "CAP_SETGID"
+        "CAP_SETUID"
+      ];
     };
     restartTriggers = [
       settingsFileUnsubstituted
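Review bot: The new `CapabilityBoundingSet` is the only thing limiting `sssd_kcm`, which the unchanged `ExecStart` line runs as `--uid 0 --gid 0`, yet nothing in the file says where the six-capability list comes from or why it must stay this small; a comment such as `# Mirrors upstream sssd-kcm.service; sssd_kcm runs as root, so this bounding set is what actually limits it` would keep a future maintainer from widening it to paper over a permission error. Since the NixOS list form renders as repeated `CapabilityBoundingSet=` lines, which systemd ORs together, the rendering is equivalent to upstream's single-line form. The same set also applies to the `ExecStartPre` genconf step, which is consistent with upstream's unit. The enclosing `systemd.services.sssd-kcm` definition begins before this hunk.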