nsncd.service: run as non-root

This updates the nsncd.service systemd unit file to run nsncd as a `nscd` user and group, and enables sandboxing. Fixes twosigma#14.
morisja · Oct 6, 2024 · 584a49e · 584a49e
1 parent eadb46c
commit 584a49e
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -20,6 +20,10 @@ and mailing lists.
 Just run the `nsncd` binary and it will listen at `/var/run/nscd/socket`.
 There's a simple `systemd` unit file, too.
 
+It will run `nsncd` as the `nscd` user and group, and apply some sandboxing.
+It also relies on the systemd `RuntimeDirectory=` functionality to create the
+directory at `/var/run/nscd` with appropriate permissions.
+
 If you're on a Debian-based system, you can use the provided Debian package to
 install `nsncd` to run under `systemd`. See `debian/README.source` for how to
 build it - we use a few Rust crates that aren't packaged for stable Debian

diff --git a/nsncd.service b/nsncd.service
@@ -17,6 +17,16 @@ Description=name-service non-caching daemon
 
 [Service]
 ExecStart=/usr/lib/nsncd
+User=nscd
+Group=nscd
+RemoveIPC=true
+PrivateTmp=true
+NoNewPrivileges=true
+RestrictSUIDSGID=true
+ProtectSystem=strict
+ProtectHome=read-only
+Restart=always
+RuntimeDirectory=nscd
 Restart=always
 Type=notify