authorLennart Poettering <lennart@poettering.net>2019-07-04 18:33:30 +0200
committerLennart Poettering <lennart@poettering.net>2020-01-15 15:28:17 +0100
commitd093b62c941ebd6cf16ef9dd6430841eb361ed92 (patch)
tree10190b031dc8cc5a2ee000cf150a4cd485621a42 /units
parent295c1a6e456936960d7190f94ff0c1eb51102f33 (diff)
userdbd: add new service that can merge userdb queries from multiple clients
Diffstat (limited to 'units')
-rw-r--r--units/meson.build3
-rw-r--r--units/systemd-userdbd.service.in41
-rw-r--r--units/systemd-userdbd.socket19
3 files changed, 63 insertions, 0 deletions
diff --git a/units/meson.build b/units/meson.build
index 4ad64d12f2..82c399bee8 100644
--- a/units/meson.build
+++ b/units/meson.build
@@ -96,6 +96,8 @@ units = [
'sockets.target.wants/'],
['systemd-journald.socket', '',
'sockets.target.wants/'],
+ ['systemd-userdbd.socket', 'ENABLE_USERDB',
+ 'sockets.target.wants/'],
['systemd-networkd.socket', 'ENABLE_NETWORKD'],
['systemd-poweroff.service', ''],
['systemd-reboot.service', ''],
@@ -182,6 +184,7 @@ in_units = [
['systemd-nspawn@.service', ''],
['systemd-portabled.service', 'ENABLE_PORTABLED',
'dbus-org.freedesktop.portable1.service'],
+ ['systemd-userdbd.service', 'ENABLE_USERDB'],
['systemd-quotacheck.service', 'ENABLE_QUOTACHECK'],
['systemd-random-seed.service', 'ENABLE_RANDOMSEED',
'sysinit.target.wants/'],
diff --git a/units/systemd-userdbd.service.in b/units/systemd-userdbd.service.in
new file mode 100644
index 0000000000..e30ed2109e
--- /dev/null
+++ b/units/systemd-userdbd.service.in
@@ -0,0 +1,41 @@
+# SPDX-License-Identifier: LGPL-2.1+
+#
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Unit]
+Description=User Database Manager
+Documentation=man:systemd-userdbd.service(8)
+Requires=systemd-userdbd.socket
+After=systemd-userdbd.socket
+Before=sysinit.target
+DefaultDependencies=no
+
+[Service]
+CapabilityBoundingSet=CAP_DAC_READ_SEARCH
+ExecStart=@rootlibexecdir@/systemd-userdbd
+IPAddressDeny=any
+LimitNOFILE=@HIGH_RLIMIT_NOFILE@
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateDevices=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectSystem=strict
+RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service
+Type=notify
+@SERVICE_WATCHDOG@
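Review bot: `RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6` still lets the service create IP sockets although `IPAddressDeny=any` is set in the same section, and the unit does not say why both are present. If the daemon only serves the AF_UNIX socket declared in systemd-userdbd.socket, narrowing the line to `RestrictAddressFamilies=AF_UNIX AF_NETLINK` would keep the restriction effective even where the cgroup-based IP filter is unavailable (as far as I know it depends on kernel and cgroup support). If the IP families are needed, presumably for lookup modules loaded in-process, a comment above the line should state that. `CapabilityBoundingSet=CAP_DAC_READ_SEARCH` deserves the same treatment, because the capability bypasses file read permission checks and there is no `User=` line, so the service runs as root: `# CAP_DAC_READ_SEARCH: <why the daemon must read files it does not own>`.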
diff --git a/units/systemd-userdbd.socket b/units/systemd-userdbd.socket
new file mode 100644
index 0000000000..1c749ea1d2
--- /dev/null
+++ b/units/systemd-userdbd.socket
@@ -0,0 +1,19 @@
+# SPDX-License-Identifier: LGPL-2.1+
+#
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Unit]
+Description=User Database Manager Socket
+Documentation=man:systemd-userdbd.service(8)
+DefaultDependencies=no
+Before=sockets.target
+
+[Socket]
+ListenStream=/run/systemd/userdb/io.systemd.Multiplexer
+Symlinks=/run/systemd/userdb/io.systemd.NameServiceSwitch
+SocketMode=0666
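Review bot: `SocketMode=0666` makes the multiplexer socket, and the `io.systemd.NameServiceSwitch` symlink pointing at it, connectable by every local user, and nothing in the unit records that this is deliberate. A comment above the line would tell later readers that the exposure is by design and where the trust boundary sits, for example `# World-connectable on purpose: any local process may query the user database, so the service must treat every peer as unprivileged.` Whether the service checks peer credentials before returning sensitive record fields is not visible in this diff and should be confirmed against the daemon code.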