At 2022-08-17T14:33:40-0600, Bob Proulx wrote:
> Bob Proulx wrote:
> > It appears that systemd is setting NoNewPrivileges=yes for apache
> > and if I read the documentation correctly this will definitely break
> > things in the way we are seeing. I have removed that setting and am
> > trying things again.
>
> That seems to have been the problem. I upgraded all of the packages
> that I had downgraded during testing and restarted all. I just tested
> this with a different ticket and it sent the mail okay.
>
> The root cause of the problem appears to have been over exuberant
> hardening from someone setting NoNewPrivileges=yes in systemd for the
> apache processes and as that prevents all suid in child processes it
> basically breaks anything and everything that calls out to
> subprocesses such as sending email with /usr/sbin/sendmail and other
> things.

Thanks, Bob! I can confirm that the problem is resolved.

If you didn't already, you might consider adding a comment to the relevant systemd configuration file to warn off over-exuberant hardeners in the future.

Unfortunately I think this means--maybe you can confirm--that no email got queued in the first place, so email records of any Savannah ticket updates in the ~5 day period 12-16 August have been lost.

For groff, I am able to use the "Advanced" item browser to activate an "additional constraint" and see "any" tickets "modified" since 12 August. There are only 9 so it's not so bad.

I'm sharing this for the benefit of other Savannah users, not so much the hackers, who I reckon already know about it. :)

Regards,
Branden
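
Added example, not part of the thread: a pre-flight check for the failure mode described above, reporting which helper programs would lose their setuid/setgid elevation when executed from a process that has the no_new_privs flag set. The function names, the sample /proc status text and the file modes are constructed for illustration; only /usr/sbin/sendmail is a path taken from the message.

```python
import os
import stat

# Constructed excerpt of /proc/<pid>/status for a service started with
# NoNewPrivileges=yes (the kernel reports the flag as "NoNewPrivs: 1").
SAMPLE_STATUS = """Name:\tapache2
Uid:\t33\t33\t33\t33
Gid:\t33\t33\t33\t33
NoNewPrivs:\t1
Seccomp:\t0
"""

# Constructed modes: a setuid helper, a setgid helper, and a plain binary.
SAMPLE_MODES = {
    "/usr/sbin/sendmail": 0o104755,    # assumption: setuid, as on some MTAs
    "/example/setgid-drop": 0o102555,  # hypothetical setgid queue helper
    "/bin/ls": 0o100755,
}

def no_new_privs(status_text):
    """Return True/False from the NoNewPrivs field, or None if it is absent."""
    for line in status_text.splitlines():
        key, _, value = line.partition(":")
        if key == "NoNewPrivs":
            return value.strip() == "1"
    return None

def is_setid(mode):
    """True if the file mode carries a setuid or setgid bit."""
    return bool(mode & (stat.S_ISUID | stat.S_ISGID))

def blocked_helpers(status_text, helper_modes):
    """Helpers whose setuid/setgid bits are ignored on exec from this process."""
    if not no_new_privs(status_text):
        return []
    return sorted(p for p, m in helper_modes.items() if is_setid(m))

def check_live(pid, paths):
    """Run the same check against a live process and real files (Linux only)."""
    with open(f"/proc/{pid}/status") as fh:
        status_text = fh.read()
    modes = {p: os.stat(p).st_mode for p in paths if os.path.exists(p)}
    return blocked_helpers(status_text, modes)

if __name__ == "__main__":
    print(blocked_helpers(SAMPLE_STATUS, SAMPLE_MODES))
```

On a real host, call check_live() with the service's main PID and the helpers it shells out to; an empty list means either the flag is off or none of the helpers rely on setuid/setgid bits.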