Commit Graph

162510 Commits

Author SHA1 Message Date
Arian van Putten
e712417936 nixos/nscd: Disable caching of group and passwd
Systemd provides an option for allocating DynamicUsers
which we want to use in NixOS to harden service configuration.
However, we discovered that the user wasn't allocated properly
for services. After some digging this turned out to be, of course,
a cache inconsistency problem.

When a DynamicUser creation is performed, Systemd checks beforehand
whether the requested user already exists statically. If it does,
it bails out. If it doesn't, systemd continues with allocating the
user.

However, by checking whether the user exists, nscd will store
the fact that the user does not exist in its negative cache.
When the service tries to look up which user is associated to its
uid (by calling whoami, for example), it will try to consult
libnss_systemd.so. However, this will read from the cache and
report that the user doesn't exist, and thus will return that
there is no user associated with the uid. It will continue
to do so for the cache duration time. If the service
doesn't immediately look up its username, this bug is not
triggered, as the cache will be invalidated around this time.
However, if the service is quick enough, it might end up
in a situation where it's incorrectly reported that the
user doesn't exist.

Preferably, we would not be using nscd at all. But we need to
use it because glibc reads nss modules from /etc/nsswitch.conf
by looking relative to the global LD_LIBRARY_PATH. Because LD_LIBRARY_PATH
is not set globally (as that would lead to impurities and ABI issues),
glibc will fail to find any nss modules.
Instead, as a hack, we start up nscd with LD_LIBRARY_PATH set
for only that service. Glibc will forward all nss syscalls to
nscd, which will then respect the LD_LIBRARY_PATH and only
read from locations specified in the NixOS config.
This way, we can load nss modules in a pure fashion.

However, I think by accident, we just copied over the default
settings of nscd, which actually caches user and group lookups.
We already disable this when sssd is enabled, as this interferes
with the correct working of libnss_sss.so as it already
does its own caching of LDAP requests.
(See https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/deployment_guide/usingnscd-sssd)

Because nscd caching is now also interfering with libnss_systemd.so
and probably also with other nss modules, let's just pre-emptively
disable caching for now for all options related to users and groups,
but keep it for caching hosts and services lookups.

Note that we can not just put in /etc/nscd.conf:
enable-cache passwd no

As this will actually cause glibc to _not_ forward the call to nscd
at all, and thus never reach the nss modules. Instead we set
the negative and positive cache ttls to 0 seconds as a workaround.
This way, Glibc will always forward requests to nscd, but results
will never be cached.

Fixes #50273
2018-12-12 15:35:40 +01:00
Arian van Putten
eb88005130 nixos/systemd: Add a regression test for #50273 2018-12-12 15:35:39 +01:00
edef
f9b0781938 doh-proxy: stick with Python 3.6 for now
It currently breaks on Python 3.7 due to `async` becoming a reserved keyword
2018-12-12 13:02:53 +00:00
Gabriel Ebner
c556e6f1f4 notmuch: use python 3
Fixes #51822
2018-12-12 13:32:35 +01:00
Gabriel Ebner
a9d7a31817 alot: 0.7 -> 0.8 2018-12-12 13:31:32 +01:00
Gabriel Ebner
890bee19c5 pythonPackages.gpgme: support python 3 2018-12-12 13:30:52 +01:00
edef
fdd566cf0b
Merge pull request #51908 from rawkode/feature/lxrandr
lxrandr: init at 0.3.1
2018-12-12 12:18:03 +00:00
edef
e10f8471d1
Merge pull request #51650 from gnidorah/me_cleaner
me_cleaner: init at 1.2
2018-12-12 12:15:57 +00:00
Michael Weiss
e12009f390 tdesktop: 1.4.3 -> 1.5.1
tdesktopPackages.preview: 1.4.8 -> 1.5.1
2018-12-12 12:28:34 +01:00
David McKay
125ad34dc8 lxrandr: init at 0.3.1 2018-12-12 11:25:45 +00:00
Andreas Rammhold
ccd160023c
firefox: 63.0.3 -> 64.0
See #51863.
2018-12-12 11:27:23 +01:00
Vincent Laporte
ee843ee86e ocamlPackages.ppx_import: 1.5 -> 1.5-3 2018-12-12 09:34:38 +00:00
Vincent Laporte
47c4876de6 ocamlPackages.ppx_deriving_yojson: disable tests 2018-12-12 09:34:38 +00:00
worldofpeace
d9eadb4aa7
Merge pull request #51472 from Ralith/renderdoc
renderdoc: 1.1 -> 1.2
2018-12-12 04:25:02 -05:00
Alyssa Ross
812805110b
Merge pull request #51887 from AtnNn/ikos
ikos: init at 2.1
2018-12-12 09:06:36 +00:00
Jörg Thalheim
abbd29aa13
Merge pull request #51782 from rnhmjoj/monero
monero: build with hidapi
2018-12-12 09:00:17 +00:00
Jörg Thalheim
8e3b400b45
Merge pull request #51876 from Mic92/go-cleanup
Go cleanup: use buildGoPackage whenever possible
2018-12-12 08:56:21 +00:00
Sarah Brofeldt
27cd05e674
Merge pull request #51750 from MarcFontaine/master
haskellPackages.binary-parsers : disable tests
2018-12-12 09:45:50 +01:00
Sarah Brofeldt
89aa19c95a
Merge pull request #51868 from yrashk/luigi-2.8.0
luigi: 2.7.9 -> 2.8.0
2018-12-12 09:40:53 +01:00
worldofpeace
0c4ac2fa26 eolie: ensure search provider is wrapped properly
wrapPythonPrograms ignores libexec/
Also do it before wrapGAppsHook sets in
2018-12-12 03:28:59 -05:00
worldofpeace
af2caa441f eolie: don't use pythonPath 2018-12-12 03:26:24 -05:00
Jörg Thalheim
1933e8be0d
Merge pull request #51886 from Mic92/zfs-python3
zfs: switch to python3
2018-12-12 08:11:46 +00:00
worldofpeace
c17ed110eb lollypop: don't use pythonPath 2018-12-12 03:08:56 -05:00
Darius Jahandarie
da84602f61 buildRustCrate: fix extraRustcOpts so it is not discarded 2018-12-12 01:21:46 -06:00
worldofpeace
d36846d367
Merge pull request #51663 from erictapen/cytoolz-fix-build
python3Packages.cytoolz: fix build
2018-12-12 01:48:46 -05:00
Matthew Bauer
465a5e1d97
Merge pull request #51880 from matthewbauer/simavr-mac
simavr: work on macOS
2018-12-11 20:36:58 -06:00
Alexey Shmalko
22972fc875
Merge pull request #51757 from r-ryantm/auto-update/yquake2
yquake2: 7.20 -> 7.30
2018-12-12 03:46:42 +02:00
Etienne Laurin
328fbcff60 ikos: init at 2.1 2018-12-12 00:09:24 +00:00
Vladimír Čunát
ad3e9191d1
nixos/nvidia: improve the assertion again
/cc ac19d5e34 #51836.
2018-12-12 00:26:09 +01:00
Andreas Rammhold
536d0cc3a7
firefox-bin: 63.0.3 -> 64.0
See #51863.
2018-12-12 00:26:03 +01:00
Andreas Rammhold
d16d0b3762
firefox-esr-60: 60.3.0esr -> 60.4.0esr
See #51863.
2018-12-12 00:25:57 +01:00
Andreas Rammhold
783dc61f68
firefox: updated common.nix to support ffx64
See #51863.
2018-12-12 00:25:33 +01:00
Daiderd Jordan
78c0253521
Merge pull request #51879 from ejpcmac/update-erlangR21
erlangR21: 21.1.3 -> 21.2
2018-12-11 23:22:37 +01:00
adisbladis
e1e1e7ce9a
firefox-beta-bin: 64.0b14 -> 65.0b3 2018-12-11 22:10:49 +00:00
adisbladis
2f08806ee6
firefox-devedition-bin: 65.0b1 -> 65.0b3 2018-12-11 22:10:43 +00:00
Jörg Thalheim
26572ea27d
xurls: 1.1.0 -> 2.0.0 2018-12-11 22:08:11 +00:00
Jörg Thalheim
56fdf7a296
acbuild: remove
Project is unmaintained. The project page proposes alternatives:

https://github.com/containers/build#this-project-is-currently-unmaintained
2018-12-11 22:08:11 +00:00
Jörg Thalheim
c054af4e58
filegive: use buildGoPackage 2018-12-11 22:08:05 +00:00
Benjamin Staffin
1181d6153e
logind: make killUserProcesses an option (#51426)
Right now it's not at all obvious that one can override this option
using `services.logind.extraConfig`; we might as well add an option
for `killUserProcesses` directly so it's clear and documented.
2018-12-11 16:51:16 -05:00
markuskowa
3be43b7483
Merge pull request #51878 from ambrop72/vbox-extpack-hash-fix
vboxExtpack: Fix the sha256 to be hex.
2018-12-11 22:40:09 +01:00
Jörg Thalheim
3bde31f140
zfs: switch to python3 2018-12-11 21:32:25 +00:00
Vladimír Čunát
ac19d5e34f
Merge #51836: nixos/nvidia: fix inverted assertion 2018-12-11 21:41:20 +01:00
Matthew Bauer
79e886a61b simavr: work on macOS 2018-12-11 14:40:48 -06:00
Jean-Philippe Cugnet
08e7fe7cb9
erlangR21: 21.1.3 -> 21.2 2018-12-11 21:14:40 +01:00
Ambroz Bizjak
22acb2e3c3 vboxExtpack: Fix the sha256 to be hex.
It does not work if the sha256 is not hex; it fails because VBoxExtPackHelperApp requires being given a hex hash.
See https://github.com/NixOS/nixpkgs/issues/34846 where the same problem was fixed some time ago.
2018-12-11 20:47:36 +01:00
Franz Pletz
10d9fe7d38
Merge pull request #51738 from Izorkin/php73
php: update php packages
2018-12-11 19:38:42 +00:00
Izorkin
3c15573712
phpPackages.couchbase: 2.3.4 -> 2.6.0 2018-12-11 20:11:36 +01:00
Izorkin
72b3ceaa2f
phpPackages.memcached: fix build with php73 2018-12-11 20:11:35 +01:00
Izorkin
43b2734f53
phpPackages.xdebug: fix build with php73 2018-12-11 20:11:35 +01:00
Izorkin
b0b623e034
phpPackages: disable build with php73 2018-12-11 20:11:34 +01:00