Comment # 2 on bug 1115999 from
(In reply to Matthias Fehring from comment #1)
> The current revision of the package from OBS project server:mail is not
> usable with the native systemd service. There are two problems with the
> service file:
> 
> 1. User cyrus is not allowed to place the master PID file into /run. I
> created a fix for this by creating /run/cyrus-imapd through systemd-tmpfiles
> and place the PID file into that directory. The OBS SR can be found here:
> https://build.opensuse.org/request/show/653205

I think you could use "RuntimeDirectory=cyrus-imapd" instead.

> 
> 2. User cyrus is not allowed to bind to privileged ports below port 1024. I
> tried to solve this on my server running Leap 42.3 by adding
> Capabilities=CAP_NET_BIND_SERVICE to the service file, but systemd ignores
> it with the following error: "Failed to parse capabilities, ignoring:
> CAP_NET_BIND_SERVICE".

You should use "Capabilities=cap_net_bind_service=+ep" or something like that
instead.

But that said, according to the man page, Capabilities= is probably not the
option to use.

> It works if I set the capability via setcap command:
> setcap 'CAP_NET_BIND_SERVICE=+ep' /usr/lib/cyrus/bin/master . systemd
> version 228 on Leap 42.3 offers the Capabilities= service file entry, while
> newer versions have AmbientCapabilities= . Not sure how to solve this.

I'm not sure how well caps work with unprivileged services for v228 (Leap 42.3),
and this bug has been opened against Factory, so I'm not sure why you would want
to fix Leap 42.3...

With systemd shipped by Factory, I believe that AmbientCapabilities= is
supported and is the option to use to deal with your case.


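
The two suggestions from the reply above, combined into a single systemd drop-in. This is an added example, not part of the original comment or the package. The unit name cyrus-imapd.service, the drop-in path and the PID file name master.pid are assumptions, and the unit is assumed to already run as User=cyrus.

```ini
# /etc/systemd/system/cyrus-imapd.service.d/unprivileged.conf
# (assumed path and unit name; adjust to the packaged unit)
[Service]
# systemd creates /run/cyrus-imapd owned by the service user at start and
# removes it at stop, so no tmpfiles.d entry is needed for the PID directory.
RuntimeDirectory=cyrus-imapd
RuntimeDirectoryMode=0755

# Assumed PID file name; it must match the path the master process is
# configured to write.
PIDFile=/run/cyrus-imapd/master.pid

# Give the unprivileged process only the right to bind ports below 1024.
# AmbientCapabilities= needs systemd 229 or newer, so it is not available
# on the v228 shipped with Leap 42.3.
AmbientCapabilities=CAP_NET_BIND_SERVICE

# Limit the service and everything it spawns to that one capability.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
```

Unlike setcap on /usr/lib/cyrus/bin/master, this grants the capability only when the binary is started through the unit, and the setting is not lost when a package update replaces the file.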