Hi all,
Bit of a pickle here with systemd in CentOS 8. Certain protective
directives, such as DynamicUser= or PrivateDevices=yes, implicitly set
NoNewPrivileges=true (systemd/systemd #12476). In turn that's blocking
setgid with /usr/sbin/postdrop. postdrop hangs indefinitely, unable to
send its input to Postfix. As an example, on CentOS 8 this breaks:
    systemd-run -p PrivateDevices=true -p CapabilityBoundingSet=CAP_SETGID \
        -p User=nobody -p Group=nobody \
        /bin/sh -c 'echo "To: root" | /usr/sbin/sendmail -ti'
Consequently, it generates this:
    postfix/postdrop[757666]: warning: mail_queue_enter: create file maildrop/58963.757666: Permission denied
    sh[757663]: postdrop: warning: mail_queue_enter: create file maildrop/58963.757666: Permission denied
    postfix/postdrop[754122]: warning: mail_queue_enter: create file maildrop/329008.754122: Permission denied
What's an appropriate workaround for this? Add postdrop to the list of
SupplementaryGroups= for the service, open world write access for
/var/spool/postfix/maildrop, or is there a better route? It's a PHP-FPM
pool, which I'd like to tamp down as much as possible.
- Matt
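
Added example, not part of the message above and not systemd or Postfix code: a small Python model of the failure described, showing why a setgid postdrop cannot create files in maildrop once NoNewPrivs is set on the calling process. The status excerpt, GID 90 for the postdrop group, and the modes 2755 and 0730 are constructed sample values; the function names are hypothetical.

```python
import stat

# Constructed /proc/<pid>/status excerpt: a service running as nobody in a
# unit whose sandboxing directives imply NoNewPrivileges=true.
SAMPLE_STATUS = """\
Name:\tsh
Uid:\t65534\t65534\t65534\t65534
Gid:\t65534\t65534\t65534\t65534
Groups:\t65534
NoNewPrivs:\t1
"""
# Assumed values (verify with stat(1) on your host): postdrop group GID 90,
# postdrop binary mode 2755, maildrop directory mode 0730 group postdrop.
POSTDROP_GID, POSTDROP_MODE, MAILDROP_MODE = 90, 0o2755, 0o730


def parse_proc_status(text):
    """Extract the fields that decide whether a setgid exec gains a group."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return {
        "no_new_privs": fields.get("NoNewPrivs", "0") == "1",
        "egid": int(fields["Gid"].split()[1]),  # real, effective, saved, fs
        "groups": {int(g) for g in fields.get("Groups", "").split()},
    }


def effective_gid_after_exec(proc, helper_mode, helper_gid):
    """execve() honours the setgid bit only while no_new_privs is clear."""
    if helper_mode & stat.S_ISGID and not proc["no_new_privs"]:
        return helper_gid
    return proc["egid"]


def can_create_in_dir(proc, egid, dir_mode, dir_gid):
    """Group/other write+search check; the directory-owner case is left out."""
    if egid == dir_gid or dir_gid in proc["groups"]:
        need = stat.S_IWGRP | stat.S_IXGRP
    else:
        need = stat.S_IWOTH | stat.S_IXOTH
    return (dir_mode & need) == need


def postdrop_can_queue(status_text):
    proc = parse_proc_status(status_text)
    egid = effective_gid_after_exec(proc, POSTDROP_MODE, POSTDROP_GID)
    return can_create_in_dir(proc, egid, MAILDROP_MODE, POSTDROP_GID)
```

To check a live service, pass the contents of /proc/<MainPID>/status for the unit to postdrop_can_queue() after replacing the three constants with the values stat reports on that host.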