mirror of
https://github.com/kanidm/kanidm.git
synced 2025-04-26 04:05:38 +02:00
b88b6923eb
The implementation of the unixd cache relies on inotify to detect changes to files in /etc so that we know when to reload the data for nss/passwd. However, the way that groupadd/del and other tools work is they copy the file, change it, and then move it into place. It turns out that william of the past didn't realise that inotify works on inodes not paths like other tools do (auditctl for example). As a result, when something modified /etc/group or another related file, the removal was seen, but this breaks notifications on any future change until you reload unixd. To resolve this we need to recursively watch /etc with inotify - yep, that's correct. We have to watch everything in /etc for changes because it's the only way to pick up on the add/remove of files. But because we have to watch everything, we need permissions to watch everything. This forces us to move the parsing of the etc passwd/group/shadow files to the unixd tasks daemon - arguably, this is the correct place to read these anyway since that is a high priv (and locked down) daemon. Because of this, we actually end up solving the missing "shadow" group on debian issue, and probably similar on the BSD's in future. In order to make my life easier while testing I also threw in a makefile that symlinks the files to needed locations for testing. It has plenty of warnings as it should. Fixes #3499 Fixes #3407 Fixes #3249
51 lines
1.5 KiB
Desktop File
51 lines
1.5 KiB
Desktop File
# You should not need to edit this file. Instead, use a drop-in file:
|
|
# systemctl edit kanidm-unixd.service
|
|
|
|
[Unit]
|
|
Description=Kanidm Local Client Resolver
|
|
After=chronyd.service nscd.service ntpd.service network-online.target suspend.target
|
|
Before=systemd-user-sessions.service sshd.service nss-user-lookup.target
|
|
Wants=nss-user-lookup.target
|
|
# While it seems confusing, we need to be after nscd.service so that the
|
|
# Conflicts will trigger and then automatically stop it.
|
|
Conflicts=nscd.service
|
|
|
|
[Service]
|
|
DynamicUser=yes
|
|
SupplementaryGroups=tss
|
|
UMask=0027
|
|
CacheDirectory=kanidm-unixd
|
|
RuntimeDirectory=kanidm-unixd
|
|
StateDirectory=kanidm-unixd
|
|
|
|
Type=notify
|
|
ExecStart=/usr/sbin/kanidm_unixd
|
|
|
|
## If you wish to setup an external HSM pin you should set:
|
|
# LoadCredential=hsmpin:/etc/kanidm/kanidm-unixd-hsm-pin
|
|
# Environment=KANIDM_HSM_PIN_PATH=%d/hsmpin
|
|
|
|
# Implied by dynamic user.
|
|
# ProtectHome=
|
|
# ProtectSystem=strict
|
|
# ReadWritePaths=/var/run/kanidm-unixd /var/cache/kanidm-unixd
|
|
|
|
# SystemCallFilter=@aio @basic-io @chown @file-system @io-event @network-io @sync
|
|
NoNewPrivileges=true
|
|
PrivateTmp=true
|
|
# We have to disable this to allow tpmrm0 access for tpm binding.
|
|
PrivateDevices=false
|
|
# Older versions of systemd require this to be explicitly allowed.
|
|
DeviceAllow=/dev/tpmrm0 rw
|
|
|
|
ProtectHostname=true
|
|
ProtectClock=true
|
|
ProtectKernelTunables=true
|
|
ProtectKernelModules=true
|
|
ProtectKernelLogs=true
|
|
ProtectControlGroups=true
|
|
MemoryDenyWriteExecute=true
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|