From: Don Armstrong Date: Tue, 22 Oct 2013 00:03:15 +0000 (-0700) Subject: * Use saner settings in nscd.conf; thanks to Harald Dunkel (Closes: X-Git-Tag: debian/0.51-1~1 X-Git-Url: https://git.donarmstrong.com/unscd.git?a=commitdiff_plain;h=196f930e9acf0652209d3454da8d6597061f71dd;p=unscd.git * Use saner settings in nscd.conf; thanks to Harald Dunkel (Closes: #702211). * Run unscd as the unscd user instead of root by default
---
diff --git a/debian/changelog b/debian/changelog
index c305333..da3313e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -4,8 +4,11 @@ unscd (0.51-1) unstable; urgency=low
 * Silence the cache invalidation output (Closes: #622230)
 * Update to debhelper 9
 * Support at least INT_MAX numbers in config (Closes: #676689)
+ * Use saner settings in nscd.conf; thanks to Harald Dunkel (Closes:
+ #702211).
+ * Run unscd as the unscd user instead of root by default
- -- Don Armstrong Mon, 21 Oct 2013 16:04:54 -0700
+ -- Don Armstrong Mon, 21 Oct 2013 17:02:22 -0700
 unscd (0.49-1) unstable; urgency=low
diff --git a/debian/nscd.conf b/debian/nscd.conf
index aa35af9..fe77d05 100644
--- a/debian/nscd.conf
+++ b/debian/nscd.conf
@@ -28,45 +28,38 @@
 # auto-propagate (ignored)
 #
 # Currently supported cache names (services): passwd, group, hosts
-#
-# logfile /var/log/nscd.log
-# threads 4
-# max-threads 32
-# server-user nobody
-# stat-user somebody
- debug-level 0
-# reload-count 5
- paranoia no
-# restart-interval 3600
- enable-cache passwd yes
- positive-time-to-live passwd 600
- negative-time-to-live passwd 20
- suggested-size passwd 211
- check-files passwd yes
- persistent passwd yes
- shared passwd yes
- auto-propagate passwd yes
+# logfile /var/log/nscd.log
+# threads 14
+# max-threads 32
+server-user unscd
+debug-level 0
+
+enable-cache passwd yes
+positive-time-to-live passwd 600
+negative-time-to-live passwd 20
+suggested-size passwd 1001
+check-files passwd yes
- enable-cache group yes
- positive-time-to-live group 3600
- negative-time-to-live group 60
- suggested-size group 211
- check-files group yes
- persistent group yes
- shared group yes
- auto-propagate group yes
+enable-cache group yes
+positive-time-to-live group 3600
+negative-time-to-live group 60
+suggested-size group 1001
+check-files group yes
 # hosts caching is broken with gethostby* calls, hence is now disabled
-# per default. See /usr/share/doc/nscd/NEWS.Debian.
- enable-cache hosts no
- positive-time-to-live hosts 3600
- negative-time-to-live hosts 20
- suggested-size hosts 211
- check-files hosts yes
- persistent hosts yes
- shared hosts yes
+# by default. Specifically, the caching does not obey DNS TTLs, and
+# thus could lead to problems if the positive-time-to-live is
+# significantly larger than the actual TTL.
+#
+# You should really use a caching nameserver instead of nscd for this
+# sort of request. However, you can easily re-enable this by default.
+enable-cache hosts no
+positive-time-to-live hosts 3600
+negative-time-to-live hosts 20
+suggested-size hosts 1001
+check-files hosts yes
 # unscd does not support services caching 
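Review bot: The now-active `server-user unscd` line carries no comment saying where the account comes from, and the postinst added in this commit skips creating it when adduser, addgroup or getent is not executable. I would add above it `# Account unscd switches to after start-up; created by the package postinst.` and confirm how the daemon behaves when the name does not resolve, which this diff does not show. The passwd and group positive TTLs stay at 600 and 3600 seconds, so a comment noting that removals made in a remote directory service may remain cached for that long would help administrators who depend on prompt revocation. The last sentence of the new hosts comment is unclear; `# To re-enable it, set "enable-cache hosts yes".` says what seems to be meant.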
diff --git a/debian/unscd.postinst b/debian/unscd.postinst
new file mode 100644
index 0000000..6340bc0
--- /dev/null
+++ b/debian/unscd.postinst
@@ -0,0 +1,22 @@
+set -e
+
+case "$1" in
+ configure)
+ # Create the unscd user
+ if [ -x /usr/sbin/adduser ] && [ -x /usr/bin/getent ] && [ -x /usr/sbin/addgroup ]; then
+ if ! getent group unscd >/dev/null 2>&1; then
+ addgroup --system unscd;
+ fi;
+ if ! id -u unscd >/dev/null 2>&1; then
+ adduser --quiet --system --ingroup unscd --no-create-home --home /var/lib/unscd unscd;
+ fi;
+ fi;
+ ;;
+ *)
+ # do nothing
+ ;;
+esac
+
+###DEBHELPER###
+
+exit 0;
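Review bot: The new debian/unscd.postinst begins at `set -e` with no interpreter line, and the 22 lines announced by the hunk header are all accounted for without one, so the script appears to be missing `#!/bin/sh` as its first line. The account creation is also wrapped in `if [ -x /usr/sbin/adduser ] && [ -x /usr/bin/getent ] && [ -x /usr/sbin/addgroup ]`, so when any of those tools is absent the script exits 0 without creating unscd, while nscd.conf in this commit sets `server-user unscd`. Declaring `Depends: adduser` in debian/control (not visible here) and dropping the guard would let `set -e` turn a failed account creation into a configuration error instead of a silent skip. For consistency with the group test, the user test could be `getent passwd unscd` rather than `id -u unscd`.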