http://bugzilla.opensuse.org/show_bug.cgi?id=1115999
http://bugzilla.opensuse.org/show_bug.cgi?id=1115999#c5
--- Comment #5 from Matthias Fehring
How was the cap granted to the sysv init script BTW? Or is this an improvement you introduced along with the systemd unit files?
I did not introduce anything. :) Changes were introduced by Peter Varkoly when migrating from SysV init to native systemd service. My intention was just to make the package from server:mail to work again on Leap 42.3.
Maybe you could try to make cyrus-imapd socket activable (if it's not already done) and in this case systemd would open and bind the socket for you?
That would make CAP_NET_BIND_SERVICE unneeded.
Otherwise ship a different unit file depending on the distro you're running on:
- on Factory ship the unit file with "User=xxx" and "AmbientCapabilities=cap_net_bind_service"
- on Leap 42.3, run the service as root. It was probably already the case with the sysv init script.
In both cases you can also rely on different security hardening (if it's not already the case).
Yes, the SysV init script started cyrus-master as root so it can bind to the ports. The systemd service now starts cyrus-master as user cyrus. I now added capabilities acquisition to the service file and created a new submit request to server:mail at https://build.opensuse.org/request/show/657145 . I tested it on Leap 15.0 where it works as expected, but on Tumbleweed I currently have the issue that it cannot be started because of the following error:

    Failed to start cyrus-imapd.service: Unit var-run.mount is masked.
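
The two unit-file variants discussed in this comment, sketched as an added example; it is not the cyrus-imapd package's unit file and not part of the original mail. The ExecStart path is a placeholder, the user name cyrus is taken from the comment, and the hardening lines beyond User= and AmbientCapabilities= are assumptions about what the daemon tolerates.

```ini
# Variant A: unprivileged user plus a single ambient capability.
# AmbientCapabilities= requires systemd 229 or newer.
[Unit]
Description=Cyrus IMAP master (illustrative)
After=network.target

[Service]
# Placeholder path; substitute the packaged master binary.
ExecStart=/PATH/TO/cyrus-master
User=cyrus
# Ambient capabilities survive execve(), so the non-root process
# can bind to ports below 1024.
AmbientCapabilities=CAP_NET_BIND_SERVICE
# Upper limit on the capabilities the process tree can ever hold.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
# Assumption: no child of the master relies on setuid or file
# capabilities; remove this line if one does.
NoNewPrivileges=yes

# Variant B: on a systemd without AmbientCapabilities=, start as root
# (as the SysV init script did) and omit User= and AmbientCapabilities=.
# Bound the root process instead. The set below is an assumption and
# must cover everything the daemon does as root, for example if it
# switches to its own user after binding:
#
#   [Service]
#   ExecStart=/PATH/TO/cyrus-master
#   CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETUID CAP_SETGID
```

After the service starts, the CapAmb and CapBnd lines in /proc/PID/status of the main process show which capabilities it actually received.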