Bugzilla – Bug 1119629
cyrus-imapd.service contains bogus User and Group specification
Last modified: 2021-09-05 08:45:15 UTC
Since recently, the cyrus-imapd package contains a native systemd unit file, /usr/lib/systemd/system/cyrus-imapd.service, replacing the auto-generated /run/systemd/generator.late/cyrus.service. As opposed to the latter, the native service specifies the daemon process's user as cyrus and the group as mail. That's broken, since it's the master daemon's own business to setuid() to the daemon user, not systemd's. The master has to open protected ports (imap, 143, among others) before setuid(), and fails if it runs as cyrus:
master: unable to create imap listener socket: Permission denied
This is on cyrus-imapd-2.4.19-6.1.x86_64@tumbleweed. Works fine if User= and Group= are omitted from the unit file.
*** Bug 1119630 has been marked as a duplicate of this bug. ***
See also bug 1115999 for alternative approaches (capabilities). I don't really see the point, as that would effectively widen the running daemon's privileges. Started as root, the daemon indeed does a setuid(cyrus), proceeds to run as such, and all is well, including FS permission bits of the PID file. Working with capabilities would only be beneficial during a couple of milliseconds between systemd's setuid() and the master daemon's setuid().
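As an added illustration (not cyrus-imapd's code and not part of this bug's comments), the sequence the two comments above describe: the master binds its privileged imap listener while still root, then does its own setuid() afterwards, so a systemd User= that switches the uid beforehand makes the bind() fail with EACCES. Assumptions: the account name "cyrus" and port 143 are taken from the report; the drop uses that account's primary group rather than looking up "mail" separately.

```c
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind+listen on a TCP port (all IPv4 addresses).  Returns the fd or -errno;
 * a port < 1024 gives -EACCES unless root/CAP_NET_BIND_SERVICE: the bug's error. */
int open_listener(unsigned short port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -errno;
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port) };
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 16) < 0) {
        int err = errno;
        close(fd);
        return -err;
    }
    return fd;
}

/* The daemon's own drop, done only after its sockets exist.  Order: groups,
 * gid, uid; then check root cannot be regained.  0 on success or if not root. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() != 0)
        return 0;
    if (setgroups(0, NULL) < 0 || setgid(gid) < 0 || setuid(uid) < 0)
        return -1;
    return (uid != 0 && setuid(0) == 0) ? -1 : 0;   /* drop must be irreversible */
}
int main(void)
{
    int fd = open_listener(143);             /* imap listener first, as root */
    if (fd < 0) {   /* what happens when systemd's User= already switched to cyrus */
        fprintf(stderr, "master: unable to create imap listener socket: %s\n", strerror(-fd));
        return 1;
    }
    struct passwd *pw = getpwnam("cyrus");   /* account named in the report (assumed to exist) */
    if (!pw || drop_privileges(pw->pw_uid, pw->pw_gid) != 0)
        return 1;
    printf("listening on 143 as uid %u\n", (unsigned)geteuid());
    return 0;
}
```

Run as an unprivileged user it prints the report's "Permission denied" message; run as root it ends up listening on 143 with the cyrus uid, which is the behaviour that omitting User= and Group= from the unit restores.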
This is an autogenerated message for OBS integration:
This bug (1119629) was mentioned in
https://build.opensuse.org/request/show/666435 Factory / cyrus-imapd