http://bugzilla.suse.com/show_bug.cgi?id=1115999 Franck Bui changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|bnc-team-screening@forge.pr |varkoly@suse.com |ovo.novell.com | -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=1115999 http://bugzilla.suse.com/show_bug.cgi?id=1115999#c1 Matthias Fehring changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |buschmann23@opensuse.org --- Comment #1 from Matthias Fehring --- The current revision of the package from OBS project server:mail is not usable with the native systemd service. There are two problems with the service file: 1. User cyrus is not allowed to place the master PID file into /run. I created a fix for this by creating /run/cyrus-imapd through systemd-tmpfiles and place the PID file into that directory. The OBS SR can be found here: https://build.opensuse.org/request/show/653205 2. User cyrus is not allowed to bind to privileged ports below port 1024. I tried to solve this on my server running Leap 42.3 by adding Capabilities=CAP_NET_BIND_SERVICE to the service file, but systemd ignores it with the following error: "Failed to parse capabilities, ignoring: CAP_NET_BIND_SERVICE". It works if I set the capability via setcap command: setcap 'CAP_NET_BIND_SERVICE=+ep' /usr/lib/cyrus/bin/master . systemd version 228 on Leap 42.3 offers the Capabilities= service file entry, while newer versions have AmbientCapabilities= . Not sure how to solve this. -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=1115999 http://bugzilla.suse.com/show_bug.cgi?id=1115999#c3 --- Comment #3 from Matthias Fehring --- (In reply to Franck Bui from comment #2)

(In reply to Matthias Fehring from comment #1)

...

The current revision of the package from OBS project server:mail is not usable with the native systemd service. There are two problems with the service file:

1. User cyrus is not allowed to place the master PID file into /run. I created a fix for this by creating /run/cyrus-imapd through systemd-tmpfiles and place the PID file into that directory. The OBS SR can be found here: https://build.opensuse.org/request/show/653205

I think you could use "RuntimeDirectory=cyrus-imapd" instead.

Oh, nice, I did not know that directive.

...

2. User cyrus is not allowed to bind to privileged ports below port 1024. I tried to solve this on my server running Leap 42.3 by adding Capabilities=CAP_NET_BIND_SERVICE to the service file, but systemd ignores it with the following error: "Failed to parse capabilities, ignoring: CAP_NET_BIND_SERVICE".

You should use "Capabilities=cap_net_bind_service=+ep" or something like that instead.

I already tried that. It leads to the same parsing error.

But that said according to the man page Capabilities= is probably not the option to use.

...

It works if I set the capability via setcap command: setcap 'CAP_NET_BIND_SERVICE=+ep' /usr/lib/cyrus/bin/master . systemd version 228 on Leap 42.3 offers the Capabilities= service file entry, while newer versions have AmbientCapabilities= . Not sure how to solve this.

I'm not sure how well caps work with unprivileged services for v228 (Leap 42.3) and this bug has been opened against Factory so I'm not sure why you would want to fix Leap 42.3...

As written, setting the caps manually works as expected. I want simply fix it for Leap 42.3 because the changes in the devel project made Cyrus unusable for users of older Leap releases. Either build there should be disabled for older releases or the changes should also work for older releases. The issue was also recognized in other OBS projects relying on that package from server:mail like server:Kolab:Extras. I added all this stuff to this bug because it was the bug mentioned in the package changelog that leads to the issues with openSUSE Leap 42.3. Also the issue with missing priviliges for writing to /run will be the same on Tumbleweed. -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=1115999 http://bugzilla.suse.com/show_bug.cgi?id=1115999#c8 --- Comment #8 from Swamp Workflow Management --- This is an autogenerated message for OBS integration: This bug (1115999) was mentioned in https://build.opensuse.org/request/show/666435 Factory / cyrus-imapd -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=1115999 http://bugzilla.suse.com/show_bug.cgi?id=1115999#c10 Josef Möllers changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED CC| |josef.moellers@suse.com Resolution|--- |FIXED --- Comment #10 from Josef Möllers --- Closing as per comment #9. -- You are receiving this mail because: You are on the CC list for the bug.