Bug#1082646: exim4 Couldn't chown message log Operation not permitted
Andreas Metzler
ametzler at bebt.de
Sun Dec 22 12:27:22 GMT 2024
Control: reassign -1 mon 1.4.1-1
Control: retitle -1 mon: systemd service hardening too tight for invoking exim
On 2024-10-07 "Marc F. Clemente" <marc at mclemente.net> wrote:
> On 10/6/24 06:27, Andreas Metzler wrote:
>> On 2024-09-24 "Marc F. Clemente via Pkg-exim4-maintainers" <pkg-exim4-maintainers at alioth-lists.debian.net> wrote:
>>> Package: exim4-daemon-light
>>> Version: 4.98-1
>>> Severity: minor
>>> I run exim (exim4-daemon-light) on several machines with nearly identical
>>> setup. These are configured as "mail sent by smarthost; no local mail"
>>> (satellite).
>>> This one particular machine has been giving me these errors since 1 August.
>>> These errors occur when "mon" sends an email (using sendmail which is
>>> exim4-daemon-light). This does not happen all the time, and I cannot figure
>>> out what is causing it to happen. This is a regular ext4 filesystem (no
>> [...]
>>> 2024-09-22 16:25:08 1ssU4q-00000001DEL-0AVf exim.c:884:
>>> chown(/var/spool/exim4//msglog//1ssU4q-00000001DEL-0AVf, 111:117) failed
>>> (Operation not permitted). Please contact the authors and refer to
>>> https://bugs.exim.org/show_bug.cgi?id=2391
>> [...]
>> mon is invoked by systemd and then executes /usr/lib/sendmail, therefore
>> exim inherits the lockdown settings set by
>> /lib/systemd/system/mon.service. Some of these settings are incompatible
>> with exim:
>> CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_SETGID CAP_SETUID CAP_SYS_ADMIN CAP_SYS_CHROOT CAP_SYS_PTRACE CAP_SYS_RAWIO CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SYS_ADMIN CAP_SYS_RESOURCE
>> trial and error shows that adding CAP_FOWNER CAP_CHOWN is needed to get
>> around the error-message listed above.
>> Also exim tries to fork off a delivery process which often will need to
>> look/write to /home which ProtectHome=true breaks. (The delivery process
>> fails and the message is placed on the queue and delivered later, so
>> this is not a terminal error.)
> I did a systemd override for mon.service. I'm sure it will work. Would it
> be beneficial to reassign this bug to package mon? Otherwise I can create a
> new bug report for mon.
Hello,
reassigning to mon. @Russell: full quote for context.
cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
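Added example (not part of the bug report, and not shipped by the mon or exim4 packages): the drop-in that relaxes mon.service in the way the thread describes, plus a small check that decodes the CapBnd line of /proc/PID/status so you can confirm the running mon process (and therefore the exim it execs) actually has CAP_CHOWN and CAP_FOWNER in its bounding set. It assumes systemd's standard drop-in path /etc/systemd/system/mon.service.d/override.conf and the capability bit numbers from linux/capability.h; the CapBnd values in the usage are constructed from the CapabilityBoundingSet= line quoted above, not captured from a real system.

```shell
#!/bin/sh
# Added example for the mon.service -> /usr/lib/sendmail (exim) hardening problem.
# Not from the bug report or from the mon/exim4 packages.

# Capability bit numbers, from linux/capability.h.
CAP_CHOWN=0
CAP_DAC_OVERRIDE=1
CAP_FOWNER=3
CAP_SETGID=6
CAP_SETUID=7

# Drop-in content for mon.service. CapabilityBoundingSet= lines in a drop-in
# are merged (OR) with the unit's own line unless prefixed with "~", so this
# adds CAP_CHOWN and CAP_FOWNER without restating the whole list.
# ProtectHome=false replaces the unit's ProtectHome=true so exim's delivery
# child can reach /home (ProtectHome=read-only would still break writes).
mon_override_conf() {
    cat <<'EOF'
[Service]
CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER
ProtectHome=false
EOF
}

# Install the drop-in (needs root and systemd; assumed path).
install_mon_override() {
    mkdir -p /etc/systemd/system/mon.service.d
    mon_override_conf > /etc/systemd/system/mon.service.d/override.conf
    systemctl daemon-reload
    systemctl restart mon.service
}

# capbnd_of_status FILE -> the hex CapBnd mask from a /proc/<pid>/status file
capbnd_of_status() {
    awk '/^CapBnd:/ {print $2}' "$1"
}

# cap_in_bnd HEXMASK BIT -> exit 0 if capability BIT is in the mask.
# Only the low 32 bits are decoded; every capability exim needs is below 32.
cap_in_bnd() {
    hex=$1
    bit=$2
    low=$(printf '%s' "$hex" | tail -c 8)
    [ $(( (0x$low >> $bit) & 1 )) -eq 1 ]
}

# exim_caps_ok HEXMASK -> exit 0 if the bounding set lets exim chown the
# msglog file and switch to its own uid/gid; otherwise prints what is missing.
exim_caps_ok() {
    missing=""
    for c in $CAP_CHOWN $CAP_FOWNER $CAP_SETUID $CAP_SETGID $CAP_DAC_OVERRIDE; do
        cap_in_bnd "$1" "$c" || missing="$missing $c"
    done
    if [ -n "$missing" ]; then
        echo "missing capability bit(s):$missing" >&2
        return 1
    fi
}
```

Usage on a live box: `exim_caps_ok "$(capbnd_of_status /proc/$(systemctl show -p MainPID --value mon.service)/status)"` after restarting mon, or compare `systemctl show -p CapabilityBoundingSet mon.service` before and after the drop-in. Decoding the quoted CapabilityBoundingSet= line gives a mask of 00000000012e2cc6, which fails the check (bits 0 and 3 are clear); with the drop-in the mask becomes 00000000012e2ccf and the check passes.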