Control: reassign -1 mon 1.4.1-1
Control: retitle -1 mon: systemd service hardening too tight for invoking exim

On 2024-10-07 "Marc F. Clemente" <m...@mclemente.net> wrote:
> On 10/6/24 06:27, Andreas Metzler wrote:
>> On 2024-09-24 "Marc F. Clemente via Pkg-exim4-maintainers"
>> <pkg-exim4-maintain...@alioth-lists.debian.net> wrote:
>>> Package: exim4-daemon-light
>>> Version: 4.98-1
>>> Severity: minor
>>>
>>> I run exim (exim4-daemon-light) on several machines with nearly identical
>>> setup. These are configured as "mail sent by smarthost; no local mail"
>>> (satellite).
>>>
>>> This one particular machine has been giving me these errors since 1 August.
>>> These errors occur when "mon" sends an email (using sendmail which is
>>> exim4-daemon-light). This does not happen all the time, and I cannot figure
>>> out what is causing it to happen. This is a regular ext4 filesystem (no
>> [...]
>>> 2024-09-22 16:25:08 1ssU4q-00000001DEL-0AVf exim.c:884:
>>> chown(/var/spool/exim4//msglog//1ssU4q-00000001DEL-0AVf, 111:117) failed
>>> (Operation not permitted). Please contact the authors and refer to
>>> https://bugs.exim.org/show_bug.cgi?id=2391
>> [...]
>>
>> mon is invoked by systemd and then executes /usr/lib/sendmail, therefore
>> exim inherits the lockdown settings set by
>> /lib/systemd/system/mon.service. Some of these settings are incompatible
>> with exim:
>>
>> CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_SETGID
>> CAP_SETUID CAP_SYS_ADMIN CAP_SYS_CHROOT CAP_SYS_PTRACE CAP_SYS_RAWIO
>> CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SYS_ADMIN
>> CAP_SYS_RESOURCE
>>
>> Trial and error shows that adding CAP_FOWNER CAP_CHOWN is needed to get
>> around the error message listed above.
>>
>> Also exim tries to fork off a delivery process which often will need to
>> look/write to /home which ProtectHome=true breaks. (The delivery process
>> fails and the message is placed on the queue and delivered later, so
>> this is not a terminal error.)

> I did a systemd override for mon.service. I'm sure it will work. Would it
> be beneficial to reassign this bug to package mon? Otherwise I can create a
> new bug report for mon.

Hello,

reassigning to mon.

@Russell: full quote for context.

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are so
grateful to you.'
`I sew his ears on from time to time, sure'
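The override Marc mentions, written out as an added example (this is not code from the bug report, the mon package or the exim4 package): a systemd drop-in for mon.service that adds only the two capabilities the thread found exim needs, leaving the rest of mon's hardening in place, plus a small POSIX sh check that reports which of those capabilities a CapabilityBoundingSet value still lacks. The drop-in file name, the variable and the function names are my own assumptions; the capability list and the ProtectHome remark come from Andreas' analysis above.

```shell
#!/bin/sh
# Added example, not code from the bug report or from the mon/exim packages.

# Capabilities the thread found exim needs on top of mon's bounding set.
EXIM_EXTRA_CAPS="CAP_CHOWN CAP_FOWNER"

# Print a drop-in for mon.service. CapabilityBoundingSet= lines from the main
# unit and from a drop-in are merged (OR'ed together), so listing only the two
# extra capabilities here keeps mon's existing bounding set unchanged.
mon_override_dropin() {
    cat <<'EOF'
[Service]
# exim, run as /usr/lib/sendmail from mon, chowns the spool files it creates;
# without these two capabilities that chown() fails with EPERM (exim.c:884).
CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER
# Only needed if mon's mail is delivered locally: exim's delivery process
# reads and writes under /home, which ProtectHome=true blocks. For a
# smarthost-only (satellite) setup leave this commented out and keep
# ProtectHome=true from the shipped unit.
#ProtectHome=false
EOF
}

# Report which of EXIM_EXTRA_CAPS are absent from a CapabilityBoundingSet
# value, e.g. the output of: systemctl show -p CapabilityBoundingSet mon.service
# Accepts either the raw "CapabilityBoundingSet=..." line or just the value,
# in upper or lower case (systemctl prints lowercase names).
# Prints an empty line when nothing is missing.
missing_exim_caps() {
    _have=" $(printf '%s' "$1" | sed 's/^CapabilityBoundingSet=//' | tr '[:lower:]' '[:upper:]') "
    _missing=""
    for _c in $EXIM_EXTRA_CAPS; do
        case "$_have" in
            *" $_c "*) ;;                      # present in the bounding set
            *) _missing="$_missing $_c" ;;     # absent: exim will hit EPERM
        esac
    done
    printf '%s\n' "${_missing# }"
}

# Usage on the affected host (as root; not run here; the drop-in file name
# is an assumption):
#   mkdir -p /etc/systemd/system/mon.service.d
#   mon_override_dropin > /etc/systemd/system/mon.service.d/exim-caps.conf
#   systemctl daemon-reload && systemctl restart mon.service
#   missing_exim_caps "$(systemctl show -p CapabilityBoundingSet mon.service)"
```

After the restart, the check should print an empty line; if it still lists CAP_CHOWN or CAP_FOWNER, the drop-in was not picked up (wrong directory name or daemon-reload not run). Relaxing ProtectHome is the larger concession, which is why the drop-in leaves it disabled unless local delivery is actually configured.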