systemd/units/systemd-userdbd.service.in

#  SPDX-License-Identifier: LGPL-2.1-or-later
#
#  This file is part of systemd.
#
#  systemd is free software; you can redistribute it and/or modify it
#  under the terms of the GNU Lesser General Public License as published by
#  the Free Software Foundation; either version 2.1 of the License, or
#  (at your option) any later version.

[Unit]
Description=User Database Manager
Documentation=man:systemd-userdbd.service(8)
Requires=systemd-userdbd.socket
After=systemd-userdbd.socket
Before=sysinit.target
DefaultDependencies=no

[Service]
CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_SYS_RESOURCE
ExecStart={{LIBEXECDIR}}/systemd-userdbd
IPAddressDeny=any
LimitNOFILE={{HIGH_RLIMIT_NOFILE}}
LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
PrivateDevices=yes
ProtectProc=invisible
ProtectControlGroups=yes
ProtectHome=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectSystem=strict
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
SystemCallArchitectures=native
SystemCallErrorNumber=EPERM
SystemCallFilter=@system-service
Type=notify
{{SERVICE_WATCHDOG}}

[Install]
Also=systemd-userdbd.socket
license: LGPL-2.1+ -> LGPL-2.1-or-later 2020-11-09 07:23:58 +03:00			`# SPDX-License-Identifier: LGPL-2.1-or-later`
userdbd: add new service that can merge userdb queries from multiple clients 2019-07-04 19:33:30 +03:00			`#`
			`# This file is part of systemd.`
			`#`
			`# systemd is free software; you can redistribute it and/or modify it`
			`# under the terms of the GNU Lesser General Public License as published by`
			`# the Free Software Foundation; either version 2.1 of the License, or`
			`# (at your option) any later version.`

			`[Unit]`
			`Description=User Database Manager`
			`Documentation=man:systemd-userdbd.service(8)`
			`Requires=systemd-userdbd.socket`
Revert "userdbd: Order systemd-userdbd.service after systemd-remount-fs.service" This reverts commit 9dd88582813b6dbeea6ce336f70cae681e6cbfc6. 2023-09-05 11:17:41 +03:00			`After=systemd-userdbd.socket`
userdbd: add new service that can merge userdb queries from multiple clients 2019-07-04 19:33:30 +03:00			`Before=sysinit.target`
			`DefaultDependencies=no`

			`[Service]`
units: allow systemd-userdbd to change process name rename_process() requires CAP_SYS_RESOURCE so let's make sure it is in our permitted set after execve() by adding in to the bounding set. Previously, systemd-userdbd.service - User Database Manager Loaded: loaded (/usr/lib/systemd/system/systemd-userdbd.service; indirect; preset: disabled) Active: active (running) since Mon 2022-12-19 17:07:21 CET; 17min ago TriggeredBy: ● systemd-userdbd.socket Docs: man:systemd-userdbd.service(8) Main PID: 1880 (systemd-userdbd) Status: "Processing requests..." Tasks: 4 (limit: 2272) Memory: 5.2M CPU: 244ms CGroup: /system.slice/systemd-userdbd.service ├─1880 /usr/lib/systemd/systemd-userdbd ├─2270 systemd-userwork ├─2271 systemd-userwork └─2272 systemd-userwork Now, Loaded: loaded (/usr/lib/systemd/system/systemd-userdbd.service; indirect; preset: disabled) Active: active (running) since Mon 2022-12-19 17:27:02 CET; 15s ago TriggeredBy: ● systemd-userdbd.socket Docs: man:systemd-userdbd.service(8) Main PID: 2404 (systemd-userdbd) Status: "Processing requests..." Tasks: 4 (limit: 2272) Memory: 5.5M CPU: 89ms CGroup: /system.slice/systemd-userdbd.service ├─2404 /usr/lib/systemd/systemd-userdbd ├─2407 "systemd-userwork: waiting..." ├─2408 "systemd-userwork: waiting..." └─2409 "systemd-userwork: waiting..." 2022-12-19 19:58:49 +03:00			`CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_SYS_RESOURCE`
Drop split-usr and unmerged-usr support As previously announced, execute order 66: https://lists.freedesktop.org/archives/systemd-devel/2022-September/048352.html The meson options split-usr, rootlibdir and rootprefix become no-ops that print a warning if they are set to anything other than the default values. We can remove them in a future release. 2023-06-12 04:15:19 +03:00			`ExecStart={{LIBEXECDIR}}/systemd-userdbd`
userdbd: add new service that can merge userdb queries from multiple clients 2019-07-04 19:33:30 +03:00			`IPAddressDeny=any`
meson: use jinja2 for unit templates We don't need two (and half) templating systems anymore, yay! I'm keeping the changes minimal, to make the diff manageable. Some enhancements due to a better templating system might be possible in the future. For handling of '## ' — see the next commit. 2021-05-16 12:55:36 +03:00			`LimitNOFILE={{HIGH_RLIMIT_NOFILE}}`
userdbd: add new service that can merge userdb queries from multiple clients 2019-07-04 19:33:30 +03:00			`LockPersonality=yes`
			`MemoryDenyWriteExecute=yes`
			`NoNewPrivileges=yes`
			`PrivateDevices=yes`
units: turn on ProtectProc= wherever suitable 2020-08-06 15:50:38 +03:00			`ProtectProc=invisible`
userdbd: add new service that can merge userdb queries from multiple clients 2019-07-04 19:33:30 +03:00			`ProtectControlGroups=yes`
			`ProtectHome=yes`
			`ProtectHostname=yes`
			`ProtectKernelLogs=yes`
			`ProtectKernelModules=yes`
			`ProtectSystem=strict`
			`RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6`
			`RestrictNamespaces=yes`
			`RestrictRealtime=yes`
			`RestrictSUIDSGID=yes`
			`SystemCallArchitectures=native`
			`SystemCallErrorNumber=EPERM`
			`SystemCallFilter=@system-service`
			`Type=notify`
meson: use jinja2 for unit templates We don't need two (and half) templating systems anymore, yay! I'm keeping the changes minimal, to make the diff manageable. Some enhancements due to a better templating system might be possible in the future. For handling of '## ' — see the next commit. 2021-05-16 12:55:36 +03:00			`{{SERVICE_WATCHDOG}}`
units: make systemd-userdbd.{socket,service} installable It's lightweight and generally useful, so it should be enabled by default. But users might want to disable it for whatever reason, and things should be fine without it, so let's make it installable so it can be disabled if wanted. Fixes #15175. 2020-03-13 20:40:54 +03:00
			`[Install]`
			`Also=systemd-userdbd.socket`