nixos/nscd: document why it is configured this way

2019-07-12 12:07:45 -07:00 · 2019-07-12 12:07:45 -07:00 · d79584c902
commit d79584c902
parent f7c776760b
1 changed files with 6 additions and 0 deletions
--- a/nixos/modules/services/system/nscd.nix
+++ b/nixos/modules/services/system/nscd.nix
@ -52,6 +52,12 @@ in
          config.environment.etc."nscd.conf".source
        ];

+        # We use DynamicUser because in default configurations nscd doesn't
+        # create any files that need to survive restarts. However, in some
+        # configurations, nscd needs to be started as root; it will drop
+        # privileges after all the NSS modules have read their configuration
+        # files. So prefix the ExecStart command with "!" to prevent systemd
+        # from dropping privileges early. See ExecStart in systemd.service(5).
        serviceConfig =
          { ExecStart = "!@${pkgs.glibc.bin}/sbin/nscd nscd";
            Type = "forking";