Bug 1119629 - cyrus-imapd.service contains bogus User and Group specification
cyrus-imapd.service contains bogus User and Group specification
: 1119630 (view as bug list)
Classification: openSUSE
Product: openSUSE Tumbleweed
Classification: openSUSE
Component: Other
Other All
: P5 - None : Major (vote)
: ---
Assigned To: Peter Varkoly
E-mail List
Depends on:
  Show dependency treegraph
Reported: 2018-12-15 10:34 UTC by Jan Lindemann
Modified: 2021-09-05 08:45 UTC (History)
1 user (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Jan Lindemann 2018-12-15 10:34:27 UTC
Since recently, the cyrus-imapd package contains a native systemd unit file, /usr/lib/systemd/system/cyrus-imapd.service, replacing the auto-generated /run/systemd/generator.late/cyrus.service. As opposed to the latter, the native service specifies the daemon process's user as cyrus and the group as mail. That's broken, since it's the master daemon's own business to setuid() to the daemon user, not systemd's. The master has to open protected ports (imap, 143, among others) before setuid(), and fails if it runs as cyrus:

  master[1372]: unable to create imap listener socket: Permission denied

This is on cyrus-imapd-2.4.19-6.1.x86_64@tumbleweed. Works fine if User= and Group= are omitted from the unit file.
Comment 1 Jan Lindemann 2018-12-15 11:20:15 UTC
*** Bug 1119630 has been marked as a duplicate of this bug. ***
Comment 2 Jan Lindemann 2018-12-15 11:43:05 UTC
See also bug 1115999 for alternative approaches (capabilities). I don't really see the point, as that would effectively widen the running daemon's privileges. Started as root, the daemon indeed does a setuid(cyrus), proceeds to run as such, and all is well, including FS permission bits of the PID file. Working with capabilities would only be beneficial during a couple of milliseconds between systemd's setuid() and the master daemon's setuid().
Comment 3 Swamp Workflow Management 2019-01-16 10:50:13 UTC
This is an autogenerated message for OBS integration:
This bug (1119629) was mentioned in
https://build.opensuse.org/request/show/666435 Factory / cyrus-imapd
Comment 4 Peter Varkoly 2021-09-05 08:45:15 UTC