On 2024-12-21 Jeremy Harris via Exim-users <exim-users@lists.exim.org> wrote:
> On 21/12/2024 16:11, Andreas Metzler via Exim-users wrote:
>> Last time I looked at a similar issue the respective service file did not
>> allow CAP_FOWNER CAP_CHOWN. Afaict from looking at
>> https://git.progress-linux.org/users/daniel.baumann/debian/packages/netdata/plain/debian/netdata.service
>> netdata does not either.
>
> Is there some way the applications (and their developers) are supposed
> to check for and report such runtime issues (given that errno doesn't
> supply helpful information...) ?

Hello,

I think we just need to get accustomed to suspecting systemd hardening.
(Cryptic permission error -> Probably* systemd service hardening,
secondary candidates missing SUID bit, thirdly selinux or apparmor.)

The key takeaway is that systemd service hardening will be of very
limited use and very hard to get right if the respective daemon invokes
complex third-party software which might need more/different
permissions. There is huge potential for whack-a-molish trial and error.

cu Andreas
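
One way a program could check for the situation discussed in this thread and report it next to a bare EPERM, as an added example that is not part of the original messages or of Exim's code: it reads the `CapBnd` and `NoNewPrivs` fields of `/proc/self/status` and names the restrictions that apply. The function names `parse_status`, `note` and `eperm_hints` and the sample status text are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Bit numbers from <linux/capability.h> for the two capabilities named in the thread. */
enum { CAP_CHOWN_BIT = 0, CAP_FOWNER_BIT = 3 };
struct hardening { unsigned long long cap_bnd; int no_new_privs; };
/* Constructed sample: status lines of a process whose bounding set lacks both. */
static const char SAMPLE_STATUS[] =
    "Name:\texim4\nNoNewPrivs:\t1\nCapBnd:\t000001fffffffff6\n";

/* Parse /proc/<pid>/status text; returns 0 on success, -1 if CapBnd is absent. */
int parse_status(const char *text, struct hardening *h)
{
    int found = 0;
    h->cap_bnd = 0;
    h->no_new_privs = -1;                /* -1: field not reported by this kernel */
    for (const char *p = text; p && *p; ) {
        if (!strncmp(p, "CapBnd:", 7)) { h->cap_bnd = strtoull(p + 7, NULL, 16); found = 1; }
        else if (!strncmp(p, "NoNewPrivs:", 11)) h->no_new_privs = atoi(p + 11);
        if ((p = strchr(p, '\n'))) p++;  /* advance to the next line */
    }
    return found ? 0 : -1;
}

/* Append one hint to msg without overflowing it; always counts as one hint. */
static int note(char *msg, size_t len, const char *s)
{
    strncat(msg, s, len - strlen(msg) - 1);
    return 1;
}

/* Fill msg (len >= 1) with sandbox restrictions that can explain an EPERM; returns their count. */
int eperm_hints(const struct hardening *h, char *msg, size_t len)
{
    int n = 0;
    msg[0] = '\0';
    if (!((h->cap_bnd >> CAP_CHOWN_BIT) & 1))  n += note(msg, len, "CAP_CHOWN not in bounding set; ");
    if (!((h->cap_bnd >> CAP_FOWNER_BIT) & 1)) n += note(msg, len, "CAP_FOWNER not in bounding set; ");
    if (h->no_new_privs == 1) n += note(msg, len, "NoNewPrivs set, setuid bits ignored on exec; ");
    return n;
}

int main(void)
{
    char buf[8192] = "", msg[256];
    struct hardening h;
    FILE *f = fopen("/proc/self/status", "r");
    if (f) { buf[fread(buf, 1, sizeof buf - 1, f)] = '\0'; fclose(f); }
    if (parse_status(buf[0] ? buf : SAMPLE_STATUS, &h) == 0 && eperm_hints(&h, msg, sizeof msg))
        fprintf(stderr, "EPERM may be sandbox-induced: %s\n", msg);
}
```

The bounding set is inherited across exec, so a child started by a restricted service sees the same mask even when the child's own binary is setuid.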