Comment # 3 on bug 1115999 from
(In reply to Franck Bui from comment #2)
> (In reply to Matthias Fehring from comment #1)
> > The current revision of the package from OBS project server:mail is not
> > usable with the native systemd service. There are two problems with the
> > service file:
> > 
> > 1. User cyrus is not allowed to place the master PID file into /run. I
> > created a fix for this by creating /run/cyrus-imapd through systemd-tmpfiles
> > and place the PID file into that directory. The OBS SR can be found here:
> > https://build.opensuse.org/request/show/653205
> 
> I think you could use "RuntimeDirectory=cyrus-imapd" instead.

Oh, nice, I did not know that directive.

> > 
> > 2. User cyrus is not allowed to bind to privileged ports below port 1024. I
> > tried to solve this on my server running Leap 42.3 by adding
> > Capabilities=CAP_NET_BIND_SERVICE to the service file, but systemd ignores
> > it with the following error: "Failed to parse capabilities, ignoring:
> > CAP_NET_BIND_SERVICE".
> 
> You should use "Capabilities=cap_net_bind_service=+ep" or something like
> that instead.

I already tried that. It leads to the same parsing error.

> But that said according to the man page Capabilities= is probably not the
> option to use.
> 
> > It works if I set the capability via setcap command:
> > setcap 'CAP_NET_BIND_SERVICE=+ep' /usr/lib/cyrus/bin/master . systemd
> > version 228 on Leap 42.3 offers the Capabilities= service file entry, while
> > newer versions have AmbientCapabilities= . Not sure how to solve this.
> 
> I'm not sure how well caps work with unprivileged services for v228 (Leap
> 42.3) and this bug has been opened against Factory so I'm not sure why you
> would want to fix Leap 42.3...

As written, setting the caps manually works as expected.

I simply want to fix it for Leap 42.3 because the changes in the devel project
made Cyrus unusable for users of older Leap releases. Either the build there should
be disabled for older releases or the changes should also work for older
releases. The issue was also recognized in other OBS projects relying on that
package from server:mail like server:Kolab:Extras.

I added all this stuff to this bug because it was the bug mentioned in the
package changelog that leads to the issues with openSUSE Leap 42.3. Also the
issue with missing privileges for writing to /run will be the same on
Tumbleweed.
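
Added illustration of the two directives discussed in this thread (not part of the comment above and not the package's shipped unit): a drop-in for a unit assumed to be named cyrus-imapd.service, with a hypothetical drop-in path. AmbientCapabilities= requires systemd 229 or newer, so that part does not apply to the v228 in Leap 42.3.

```ini
# /etc/systemd/system/cyrus-imapd.service.d/unprivileged.conf
# (hypothetical path; the unit name cyrus-imapd.service is an assumption)

[Service]
# Run master as the unprivileged account named in the thread.
User=cyrus

# systemd creates /run/cyrus-imapd at start, owned by User=, and removes
# it at stop. This replaces a separate systemd-tmpfiles snippet. The
# daemon's PID file location must then point inside this directory.
RuntimeDirectory=cyrus-imapd
RuntimeDirectoryMode=0750

# systemd >= 229 only: give the non-root process the one capability it
# needs to bind ports below 1024, inherited across execve().
AmbientCapabilities=CAP_NET_BIND_SERVICE

# Least privilege: cap what the service and its children can ever hold
# to the same single capability.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE

# On systemd 228 there is no AmbientCapabilities=. The fallback reported
# as working in the thread is a file capability on the binary:
#   setcap 'CAP_NET_BIND_SERVICE=+ep' /usr/lib/cyrus/bin/master
# A file capability is stored on the file itself, so it is lost whenever
# the binary is replaced (for example by a package update) and has to be
# reapplied by the package or the administrator.
```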

