Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#57457 - [nss-pam-ldapd] Root writing to a dir owned by a user
Attached to Project:
Community Packages
Opened by Doug Newgard (Scimmia) - Saturday, 10 February 2018, 07:33 GMT
Last edited by Doug Newgard (Scimmia) - Wednesday, 14 February 2018, 00:28 GMT
Details
The tmpfiles entry in this package creates /run/nslcd/ as owned by nslcd:nslcd, but then the service files run the daemons as root, causing the PID files to be written as root to a dir owned by a user. This is a security risk and systemd has disabled this in the current version, but relaxed it a bit as too many daemons do the wrong thing here. See https://github.com/systemd/systemd/issues/8085
The service files should either be run as the user or the dir should be owned by root:root.
Closed by Doug Newgard (Scimmia)
Wednesday, 14 February 2018, 00:28 GMT
Reason for closing: Fixed
Additional comments about closing: nss-pam-ldapd 0.9.8-3
To start the daemon as a user, you'd need User=nslcd in the .service file. Even if the daemon itself drops privileges, it does it too late for pid file creation.
Edit: Thinking about it, your solution of --nofork is probably the better choice anyway, there's no reason to fork the daemon into the background in a .service file.
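The pattern this report and the follow-up comment describe (a tmpfiles.d directory handed to an unprivileged user, a unit that still runs as root and writes its PIDFile= there, and the two possible fixes: User= in the unit, or running the daemon in the foreground with --nofork so no PID file is written at all) can be checked for mechanically. The script below is an added example written for this page; it is not code from the bug report, from systemd or from the nss-pam-ldapd package. The tmpfiles line and the unit files it writes are constructed sample input that only approximates the package's real files, and the function and file names (audit_pidfile_dirs, write_sample_inputs, nslcd-before.service, nslcd-after.service) are assumptions for the example.

```shell
#!/usr/bin/env bash
# Added example, not part of the bug report or of the nss-pam-ldapd package:
# audit tmpfiles.d entries against systemd units for the pattern in FS#57457,
# a unit running as root whose PIDFile= lies in a directory that tmpfiles.d
# hands to an unprivileged user or group.

# audit_pidfile_dirs TMPFILES_CONF UNIT_FILE...
# Prints one line per unit that runs as root (no User=, or User=root) and has
# PIDFile= inside a tmpfiles.d "d"/"D" directory owned by a non-root user or
# group. Returns 1 if anything was found, 0 otherwise.
audit_pidfile_dirs() {
    local conf=$1; shift
    local unit pidfile user type path owner group findings=0
    for unit in "$@"; do
        pidfile=$(sed -n 's/^PIDFile=//p' "$unit" | tail -n1)
        [ -n "$pidfile" ] || continue            # no PID file: nothing to check
        case "$pidfile" in /*) ;; *) pidfile=/run/$pidfile ;; esac   # relative PIDFile= is under /run
        user=$(sed -n 's/^User=//p' "$unit" | tail -n1)
        [ -z "$user" ] || [ "$user" = root ] || continue   # runs unprivileged from the start: fine
        # tmpfiles.d fields: Type Path Mode User Group Age Argument ("-" means default, i.e. root)
        while read -r type path _ owner group _; do
            case "$type" in d|D) ;; *) continue ;; esac
            [ "$owner" != - ] || owner=root
            [ "$group" != - ] || group=root
            [ "$owner" != root ] || [ "$group" != root ] || continue   # root-owned dir: fine
            case "$pidfile" in
                "$path"/*)
                    printf '%s: PIDFile=%s written as root into %s owned by %s:%s\n' \
                        "$(basename "$unit")" "$pidfile" "$path" "$owner" "$group"
                    findings=$((findings + 1)) ;;
            esac
        done < "$conf"
    done
    [ "$findings" -eq 0 ]
}

# write_sample_inputs DIR
# Writes constructed sample files into DIR. These are assumptions for this
# example, not the actual Arch tmpfiles entry or unit files of nss-pam-ldapd.
write_sample_inputs() {
    local dir=$1
    cat > "$dir/tmpfiles.conf" <<'EOF'
# Type Path        Mode User  Group Age
d /run/nslcd 0755 nslcd nslcd -
d /run/sshd  0755 root  root  -
d /run/foo   0755 foo   foo   -
EOF
    # Before: the daemon forks, so the parent (still root) writes the PID file
    # before privileges are dropped. This is the case the report describes.
    cat > "$dir/nslcd-before.service" <<'EOF'
[Service]
Type=forking
PIDFile=/run/nslcd/nslcd.pid
ExecStart=/usr/bin/nslcd
EOF
    # After: the daemon stays in the foreground, systemd tracks the main PID
    # itself and no PID file is written at all.
    cat > "$dir/nslcd-after.service" <<'EOF'
[Service]
Type=simple
ExecStart=/usr/bin/nslcd --nofork
EOF
    # Root-owned runtime directory: root writing a PID file here is fine.
    cat > "$dir/sshd.service" <<'EOF'
[Service]
Type=forking
PIDFile=/run/sshd/sshd.pid
ExecStart=/usr/sbin/sshd
EOF
    # The other fix from the thread: User= makes systemd start the daemon
    # unprivileged, so the PID file is written by the directory owner.
    cat > "$dir/foo.service" <<'EOF'
[Service]
Type=forking
User=foo
PIDFile=/run/foo/foo.pid
ExecStart=/usr/bin/foo
EOF
}

# Run the audit over the constructed samples; only nslcd-before.service is flagged.
sample_dir=$(mktemp -d)
write_sample_inputs "$sample_dir"
if audit_pidfile_dirs "$sample_dir/tmpfiles.conf" "$sample_dir"/*.service; then
    echo "no root-written PID files in user-owned directories"
fi
rm -rf "$sample_dir"
```

On a real system the same function can be pointed at /usr/lib/tmpfiles.d/*.conf and /usr/lib/systemd/system/*.service; it only looks at d/D entries and at the last PIDFile= and User= in each unit, so drop-ins and RuntimeDirectory= (which systemd creates itself with the unit's User=) are outside what it checks.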