Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enable the nss-systemd service #8705

Draft
wants to merge 2 commits into
base: master
Choose a base branch
from
Draft

Enable the nss-systemd service #8705

wants to merge 2 commits into from

Conversation

heitbaum
Copy link
Contributor

@heitbaum heitbaum commented Mar 7, 2024

Details of the nss-systemd service

Background

Updated addon component nqptp which previously dropped root privileges has been changed to use CAP_NET_BIND_SERVICE functionality in systemd. Instead of creating a user/group in /etc/passwd use the DynamicUser systemd functionality. This functionality is independent of the nss-systemd service - but to allow user/group resolution - the nss-systemd service is required.

Example status of systemd service using DynamicUser

nuc12:~ # systemctl status service.nqptp
● nqptp.service - NQPTP -- Not Quite PTP
     Loaded: loaded (/storage/.config/system.d/nqptp.service; linked; preset: disabled)
     Active: active (running) since Tue 2024-03-05 09:30:38 UTC; 2 days ago
   Main PID: 3698 (nqptp)
      Tasks: 1 (limit: 37511)
     Memory: 236.0K (peak: 340.0K)
        CPU: 16min 49.603s
     CGroup: /system.slice/nqptp.service
             └─3698 /storage/.kodi/addons/service.nqptp/bin/nqptp

Mar 05 09:30:38 nuc12 systemd[1]: Started nqptp.service.

DynamicUser process (without nss-systemd)

nuc12:~ # ps -ef | grep nqptp
 3698 62946    16:49 /storage/.kodi/addons/service.nqptp/bin/nqptp

DynamicUser process (with nss-systemd)

nuc12:~ # ps -ef | grep nqptp
 3698 nqptp     16:49 /storage/.kodi/addons/service.nqptp/bin/nqptp

Example systemd service using DynamicUser

nuc12:~ # cat .config/system.d/service.nqptp.service 
[Unit]
Description=NQPTP -- Not Quite PTP
Wants=network-online.target
After=network.target network-online.target

[Service]
ExecStart=/storage/.kodi/addons/service.nqptp/bin/nqptp
DynamicUser=yes
User=nqptp
Group=nqptp
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]                   
WantedBy=kodi.target

@heitbaum
nss-mdns: enable systemd-userdbd
7106b64
@heitbaum
systemd: enable systemd-userdbd and nss-systemd for users and groups
0fc794d 
new files:
-rwxr-xr-x 1 root root  39152 Mar  5 09:41 /usr/bin/userdbctl
-rwxr-xr-x 1 root root 404000 Mar  5 09:41 /usr/lib/libnss_systemd.so.2
-rwxr-xr-x 1 root root  18504 Mar  5 09:41 /usr/lib/systemd/systemd-userdbd
-rwxr-xr-x 1 root root  22600 Mar  5 09:41 /usr/lib/systemd/systemd-userwork
-rw-r--r-- 1 root root   1204 Mar  5 09:41 /usr/lib/systemd/system/systemd-userdbd.service
-rw-r--r-- 1 root root    691 Feb 27 17:26 /usr/lib/systemd/system/systemd-userdbd.socket
@CvH CvH added LE 13.0 and removed LE 12.0 labels Mar 12, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
FEATURE IMPROVEMENT LE 13.0 PACKAGE
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@heitbaum @CvH