From ametzler at bebt.de Sun Oct 6 12:27:13 2024
From: ametzler at bebt.de (Andreas Metzler)
Date: Sun, 6 Oct 2024 13:27:13 +0200
Subject: [Pkg-monitoring-maintainers] Bug#1082646: exim4 Couldn't chown message log Operation not permitted
In-Reply-To:
References:
Message-ID:

On 2024-09-24 "Marc F. Clemente via Pkg-exim4-maintainers" wrote:
> Package: exim4-daemon-light
> Version: 4.98-1
> Severity: minor

> I run exim (exim4-daemon-light) on several machines with nearly identical
> setup. These are configured as "mail sent by smarthost; no local mail"
> (satellite).

> This one particular machine has been giving me these errors since 1 August.
> These errors occur when "mon" sends an email (using sendmail which is
> exim4-daemon-light). This does not happen all the time, and I cannot figure
> out what is causing it to happen. This is a regular ext4 filesystem (no
[...]
> 2024-09-22 16:25:08 1ssU4q-00000001DEL-0AVf exim.c:884:
> chown(/var/spool/exim4//msglog//1ssU4q-00000001DEL-0AVf, 111:117) failed
> (Operation not permitted). Please contact the authors and refer to
> https://bugs.exim.org/show_bug.cgi?id=2391
[...]

Hello,

mon is invoked by systemd and then executes /usr/lib/sendmail, therefore
exim inherits the lockdown settings set by
/lib/systemd/system/mon.service. Some of these settings are incompatible
with exim:

CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_SETGID CAP_SETUID CAP_SYS_ADMIN CAP_SYS_CHROOT CAP_SYS_PTRACE CAP_SYS_RAWIO CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SYS_ADMIN CAP_SYS_RESOURCE

Trial and error shows that adding CAP_FOWNER CAP_CHOWN is needed to get
around the error message listed above.

Also exim tries to fork off a delivery process which often will need to
look at/write to /home, which ProtectHome=true breaks. (The delivery
process fails and the message is placed on the queue and delivered later,
so this is not a terminal error.)

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are so
grateful to you.' `I sew his ears on from time to time, sure'
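The mechanism Andreas describes is general: a setuid-root helper such as exim's /usr/lib/sendmail can gain at most the capabilities left in the calling service's CapabilityBoundingSet=, so any hardened unit that shells out to sendmail inherits the same problem. The script below is an added example, not code from this thread or from the exim4 or mon packages. It takes a unit's CapabilityBoundingSet= value (the one quoted from mon.service above is embedded as constructed sample input), reports which of the capabilities the reporter identified are missing, and writes a systemd drop-in that adds them. The drop-in directory, and the choice of ProtectHome=no as the way to let the forked delivery process reach /home again, are assumptions; the thread names ProtectHome=true only as the cause, not a fix.

```shell
#!/bin/sh
# Added example, not code from the thread or from the exim4/mon packages.
# Checks a unit's CapabilityBoundingSet= value against the capabilities the
# thread says exim needs, and writes a systemd drop-in that adds them.
# Assumptions: the drop-in directory is chosen by the caller, and the /home
# delivery failure is addressed with ProtectHome=no.

# Bounding set as quoted from /lib/systemd/system/mon.service in the thread
# (constructed sample input for this example).
MON_BOUNDING_SET="CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_SETGID CAP_SETUID \
CAP_SYS_ADMIN CAP_SYS_CHROOT CAP_SYS_PTRACE CAP_SYS_RAWIO CAP_NET_BIND_SERVICE \
CAP_NET_BROADCAST CAP_NET_RAW CAP_SYS_ADMIN CAP_SYS_RESOURCE"

# Capabilities the reporter found, by trial and error, that exim needs on top
# of that set. chown(2) of the msglog file to the Debian-exim user fails
# without CAP_CHOWN.
EXIM_NEEDS="CAP_CHOWN CAP_FOWNER"

# missing_caps SET NEEDED: print the NEEDED capabilities absent from SET, in
# NEEDED order, space separated (an empty line if nothing is missing).
missing_caps() {
    set_list=" $1 "
    out=""
    for cap in $2; do
        case "$set_list" in
            *" $cap "*) ;;               # present in the bounding set
            *) out="$out $cap" ;;        # absent: record it
        esac
    done
    printf '%s\n' "${out# }"
}

# write_dropin DIR SET NEEDED: write DIR/override.conf adding the missing
# capabilities and relaxing ProtectHome. Prints the path of the file written.
write_dropin() {
    dir=$1
    add=$(missing_caps "$2" "$3")
    mkdir -p "$dir"
    {
        echo "[Service]"
        if [ -n "$add" ]; then
            # A further CapabilityBoundingSet= line without a "~" prefix is
            # merged (OR) with the unit's own list, see systemd.exec(5), so
            # this adds capabilities instead of replacing the whole set.
            echo "CapabilityBoundingSet=$add"
        fi
        # Later ProtectHome= assignments replace earlier ones. "no" lets the
        # forked exim delivery process reach /home again, but it widens the
        # sandbox for everything mon runs, not just for exim.
        echo "ProtectHome=no"
    } > "$dir/override.conf"
    printf '%s\n' "$dir/override.conf"
}

# Typical use (as root), then reload and restart the unit:
#   write_dropin /etc/systemd/system/mon.service.d "$MON_BOUNDING_SET" "$EXIM_NEEDS"
#   systemctl daemon-reload && systemctl restart mon
```

To check a different unit, paste its CapabilityBoundingSet= value (from `systemctl cat <unit>`) in place of MON_BOUNDING_SET. The trade-off is the one Andreas's reply implies: either the service's sandbox is loosened for every child it spawns, or the service must stop invoking a setuid sendmail and hand mail to an MTA some other way.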