On Sun, 22 Dec 2024 at 13:54, Andreas Metzler via Exim-users <exim-users@lists.exim.org> wrote:
> On 2024-12-21 Jeremy Harris via Exim-users <exim-users@lists.exim.org> wrote:
> > On 21/12/2024 16:11, Andreas Metzler via Exim-users wrote:
> >> Last time I looked at a similar issue the respective service file did not
> >> allow CAP_FOWNER CAP_CHOWN. Afaict from looking at
> >> https://git.progress-linux.org/users/daniel.baumann/debian/packages/netdata/plain/debian/netdata.service
> >> netdata does not either.
> >
> > Is there some way the applications (and their developers) are supposed
> > to check for and report such runtime issues (given that errno doesn't
> > supply helpful information...) ?
>
> Hello,
>
> I think we just need to get accustomed to suspecting systemd hardening.
> (Cryptic permission error -> Probably* systemd service hardening,
> secondary candidates missing SUID bit, thirdly selinux or apparmor.)
>
> The key takeaway is that systemd service hardening will be of very
> limited use and very hard to get right if the respective daemon invokes
> complex third-party software which might need more/different permissions.
> There is huge potential for whack-a-molish trial and error.

Would it make sense to write a simple /usr/lib/sendmail shim that would
simply forward its input to localhost:25 (or to a UNIX socket, if Exim could
be taught to listen on one, as that would allow it to discover the UID of the
invoking process)?

Marcin
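A sketch of the shim Marcin proposes, added here as an illustration and not code from the thread, Exim or netdata: it reads the message on stdin, works out the envelope from the usual sendmail flags, and submits over SMTP to localhost:25 instead of executing the setuid binary. It assumes the MTA accepts unauthenticated submission from localhost; as noted above, over TCP the MTA cannot learn the invoking UID, so the envelope sender is whatever the caller claims.

```python
#!/usr/bin/env python3
# Hypothetical /usr/lib/sendmail shim (example, not Exim's or netdata's code):
# read the message on stdin and hand it to the MTA over SMTP on localhost:25
# rather than execing a setuid binary. Handles -t, -f and -i/-oi; other flags
# are accepted and ignored.
import email
import email.utils
import smtplib
import sys

def parse_args(argv):
    """Return (read_rcpts_from_headers, envelope_sender, explicit_rcpts)."""
    use_headers, sender, rcpts = False, None, []
    args = list(argv)
    while args:
        a = args.pop(0)
        if a == "-t":
            use_headers = True
        elif a == "-f" and args:
            sender = args.pop(0)
        elif a.startswith("-f") and len(a) > 2:
            sender = a[2:]
        elif a.startswith("-"):
            continue  # -i, -oi, -odb, ...: no effect over SMTP
        else:
            rcpts.append(a)
    return use_headers, sender, rcpts

def build_envelope(raw, argv):
    """Compute (sender, recipients, message bytes) the way sendmail -t would."""
    use_headers, sender, rcpts = parse_args(argv)
    msg = email.message_from_bytes(raw)
    if use_headers:
        for hdr in ("To", "Cc", "Bcc"):
            rcpts += [a for _, a in email.utils.getaddresses(msg.get_all(hdr, [])) if a]
        del msg["Bcc"]  # Bcc addresses belong in the envelope only, never in the header
    if sender is None:
        sender = email.utils.parseaddr(msg.get("From", ""))[1]
    if not rcpts:
        raise SystemExit("sendmail shim: no recipients given")
    return sender, sorted(set(rcpts)), msg.as_bytes()

def main():
    sender, rcpts, body = build_envelope(sys.stdin.buffer.read(), sys.argv[1:])
    with smtplib.SMTP("localhost", 25) as smtp:
        smtp.sendmail(sender, rcpts, body)

if __name__ == "__main__":
    main()
```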