Noah Meyerhans <no...@debian.org> writes:

> Control: tags -1 + moreinfo
>
> On Sat, Nov 19, 2022 at 10:23:12AM -0500, Michael Welsh Duggan wrote:
>> The addition of the
>>
>>   ProtectSystem=full
>>
>> clause to the spamd service module prevents spamd from writing to user
>> bayes files. Here is a log from spamd:
>
> Hi Michael. Per the systemd documentation on the ProtectSystem setting:
>
>   Takes a boolean argument or the special values "full" or
>   "strict". If true, mounts the /usr/ and the boot loader
>   directories (/boot and /efi) read-only for processes invoked by
>   this unit. If set to "full", the /etc/ directory is mounted
>   read-only, too.
>
> Access to /home is not restricted by this setting. Is /home on your
> system a symlink or otherwise not actually located at /home?

Ah, all becomes clear. The system that I eventually converted over to
my mail server (over 12 years old) symlinked /home to /usr/local/home.
This is because / was on a fairly small SSD and /usr was on spinning
disk. I had managed to forget that and overlook what it meant in the
context of the ProtectSystem setting.

As such, I now think that my system deviates enough from the norm that
the fact that I have to make manual adjustments to the systemd unit is
only fair.

Thanks for looking into this.

-- 
Michael Welsh Duggan
(m...@md5i.com)
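
Added example, not part of the thread or of the Debian package: a shell check for the situation described above, where a directory reached through /home resolves via a symlink into a directory that ProtectSystem= mounts read-only. The function names, the optional ROOT argument and the sample tree are assumptions made for illustration; only the "true" and "full" values quoted above are covered.

```shell
#!/bin/sh
# Report which ProtectSystem= read-only directory a path really lives
# under once symlinks are resolved.
# Usage: protected_dir MODE PATH [ROOT]
#   MODE  true | full   (the ProtectSystem= values described in the thread)
#   ROOT  optional directory treated as "/" (hypothetical argument, used to
#         try the check on a constructed tree; symlinks in it must be relative)
# Prints the matching directory and returns 0; returns 1 if PATH is not
# affected, 2 on error.
protected_dir() {
    mode=$1 path=$2 root=${3:-}
    case $mode in
        true|yes) dirs="/usr /boot /efi" ;;
        full)     dirs="/usr /boot /efi /etc" ;;
        *) echo "mode not covered here: $mode" >&2; return 2 ;;
    esac
    # Resolve every symlink in the path, as the kernel does on access.
    real=$(readlink -f -- "$root$path") || return 2
    if [ -n "$root" ]; then
        rroot=$(readlink -f -- "$root") || return 2
        real=${real#"$rroot"}
    fi
    for d in $dirs; do
        case $real/ in
            "$d"/*) echo "$d"; return 0 ;;
        esac
    done
    return 1
}

# Constructed tree mirroring the layout in this thread:
# home -> usr/local/home, with a sample per-user data directory.
demo() {
    t=$(mktemp -d) || return 2
    mkdir -p "$t/usr/local/home/user/.spamassassin"
    ln -s usr/local/home "$t/home"
    protected_dir full /home/user/.spamassassin "$t" && rc=0 || rc=$?
    rm -rf "$t"
    return "$rc"
}
```

When the function names a directory, the unit needs a local adjustment, for example a drop-in that lists the resolved path in ReadWritePaths=.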