Bug#998242: cron-failure@.service delivery fails due to DynamicUser with exim

2021-12-22 Thread Vincent Bernat
Control: forwarded -1 https://github.com/systemd-cron/systemd-cron/issues/75

 ❦ 21 December 2021 21:14 +01, Vincent Bernat:

> I have the same issue with Postfix.

This is a problem known upstream. DynamicUser= implies NoNewPrivileges=.

https://github.com/systemd-cron/systemd-cron/issues/75
-- 
To be or not to be.
-- Shakespeare
To do is to be.
-- Nietzsche
To be is to do.
-- Sartre
Do be do be do.
-- Sinatra
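The one-line explanation above (DynamicUser= implies NoNewPrivileges=, so the kernel ignores the setuid/setgid bits on exim's or Postfix's submission binary) is easy to miss when reading a unit file, because NoNewPrivileges= never appears in it. The following is an added illustration, not code from systemd-cron or Debian: it parses the unit text shown later in this thread, derives whether no_new_privs will be set on the service's processes, and reports which privilege bits a helper binary such as postdrop would lose. The file mode for /usr/sbin/postdrop is constructed from the `ls -l` output in the thread rather than read from a live system, and the only systemd semantics assumed is the documented implication in systemd.exec(5).

```python
"""Static check of a systemd unit: does its sandboxing defeat a setuid/setgid
MTA submission binary (sendmail/postdrop)?

Added illustration, not code from systemd-cron or Debian.  UNIT_TEXT is the
unit as printed by `systemctl cat` in the thread; SAMPLE_MODES is constructed
from the `ls -l /usr/sbin/postdrop` line in the thread.
"""
import stat
from typing import Dict, List, Tuple

UNIT_TEXT = """\
[Unit]
Description=systemd-cron OnFailure for %i
Documentation=man:systemd.cron(7)
RefuseManualStart=true
RefuseManualStop=true
ConditionFileIsExecutable=/usr/sbin/sendmail

[Service]
Type=oneshot
ExecStart=/lib/systemd-cron/mail_on_failure %i
DynamicUser=yes
Group=systemd-journal
"""

# (owner, group, mode) per helper binary; constructed from "-r-xr-sr-x root postdrop".
SAMPLE_MODES: Dict[str, Tuple[str, str, int]] = {
    "/usr/sbin/postdrop": ("root", "postdrop", 0o2555),
}

TRUE_VALUES = {"1", "yes", "true", "on"}


def parse_unit(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the [Section] / Key=Value subset of unit syntax.
    A repeated single-valued key keeps its last value, as systemd does."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][key.strip()] = value.strip()
    return sections


def no_new_privs_effective(service: Dict[str, str]) -> bool:
    """True if NoNewPrivileges= is set explicitly or implied by DynamicUser=
    (systemd.exec(5): DynamicUser=yes implies NoNewPrivileges=yes)."""
    explicit = service.get("NoNewPrivileges", "no").lower() in TRUE_VALUES
    dynamic = service.get("DynamicUser", "no").lower() in TRUE_VALUES
    return explicit or dynamic


def privilege_bits_lost(mode: int, nnp: bool) -> List[str]:
    """Setuid/setgid bits the kernel ignores on execve() when the calling
    process has no_new_privs set; empty list if the bits still apply."""
    if not nnp:
        return []
    lost = []
    if mode & stat.S_ISUID:
        lost.append("setuid")
    if mode & stat.S_ISGID:
        lost.append("setgid")
    return lost


def diagnose(unit_text: str, modes=SAMPLE_MODES) -> Dict[str, List[str]]:
    """Map each helper binary to the privilege bits it loses under this unit."""
    service = parse_unit(unit_text).get("Service", {})
    nnp = no_new_privs_effective(service)
    return {path: privilege_bits_lost(mode, nnp)
            for path, (_owner, _group, mode) in modes.items()}


if __name__ == "__main__":
    for path, lost in diagnose(UNIT_TEXT).items():
        print(path, "->", ("loses " + ", ".join(lost)) if lost else "privilege bits honoured")
```

Run against the unit from the thread, the report for /usr/sbin/postdrop is `loses setgid`: the binary still executes, but as the dynamic user with the service's own group, which is exactly why the maildrop directory (mode `drwx-wx--T`, group `postdrop`) refuses the file creation logged above.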



Processed: Re: Bug#998242: cron-failure@.service delivery fails due to DynamicUser with exim

2021-12-22 Thread Debian Bug Tracking System
Processing control commands:

> forwarded -1 https://github.com/systemd-cron/systemd-cron/issues/75
Bug #998242 [systemd-cron] cron-failure@.service delivery fails due to 
DynamicUser with exim
Set Bug forwarded-to-address to 
'https://github.com/systemd-cron/systemd-cron/issues/75'.

-- 
998242: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=998242
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#998242: cron-failure@.service delivery fails due to DynamicUser with exim

2021-12-21 Thread Vincent Bernat
 ❦  1 November 2021 14:27 +01, Yuri D'Elia:

> cron-failure@ is using DynamicUser=yes, however this causes a silent
> delivery failure when using exim4:
>
> systemd[1]: Starting cron-failure@cron-monthly.service...
> mail_on_failure[328561]: 2021-11-01 14:11:23 1mhX5v-001NTN-LU Failed
> to create spool file /var/spool/exim4//input//1mhX5v-001NTN-LU-D:
> Permission denied
> mail_on_failure[328561]: 2021-11-01 14:11:23 1mhX5v-001NTN-LU Failed
> to create spool file /var/spool/exim4//input//1mhX5v-001NTN-LU-D:
> Permission denied
> mail_on_failure[328561]: 2021-11-01 14:11:23 1mhX5v-001NTN-LU Failed
> to create spool file /var/spool/exim4//input//1mhX5v-001NTN-LU-D:
> Permission denied
> systemd[1]: cron-failure@cron-monthly.service: Deactivated successfully.
> systemd[1]: Finished cron-failure@cron-monthly.service.

I have the same issue with Postfix.

Dec 21 21:02:53 neo mail_on_failure[938987]: postdrop: warning: 
mail_queue_enter: create file maildrop/155101.938987: Permission denied
Dec 21 21:02:53 neo postfix/postdrop[938987]: warning: mail_queue_enter: create 
file maildrop/155101.938987: Permission denied
Dec 21 21:03:03 neo mail_on_failure[938987]: postdrop: warning: 
mail_queue_enter: create file maildrop/155516.938987: Permission denied
Dec 21 21:03:03 neo postfix/postdrop[938987]: warning: mail_queue_enter: create 
file maildrop/155516.938987: Permission denied

However, I don't know how it should work. Permissions for maildrop are:

 21:03 ❱ ls -ltrd /var/spool/postfix/maildrop
drwx-wx--T 2 postfix postdrop 4096 Dec 21 20:05 /var/spool/postfix/maildrop

With `T`, I am unable to create a file either:

 21:05 ❱ touch /var/spool/postfix/maildrop/titi
touch: cannot touch '/var/spool/postfix/maildrop/titi': Permission denied

I suppose only postdrop can write here:

 21:08 ❱ ls -ltrhA =postdrop
-r-xr-sr-x 1 root postdrop 19K Nov 13 22:05 /usr/sbin/postdrop

However, for some reason, the process is not part of the postdrop group:

 21:09 ❱ ls -ltrhAd /proc/938987
dr-xr-xr-x 9 cron-failure systemd-journal 0 Dec 13 07:19 /proc/938987

 21:11 ❱ systemctl cat cron-failure@cron-root-root-0.service
# /lib/systemd/system/cron-failure@.service
[Unit]
Description=systemd-cron OnFailure for %i
Documentation=man:systemd.cron(7)
RefuseManualStart=true
RefuseManualStop=true
ConditionFileIsExecutable=/usr/sbin/sendmail

[Service]
Type=oneshot
ExecStart=/lib/systemd-cron/mail_on_failure %i
DynamicUser=yes
Group=systemd-journal

 21:13 ❱ cat /proc/938987/status | grep Cap
CapInh: 
CapPrm: 
CapEff: 
CapBnd: 01ff
CapAmb: 

 21:13 ❱ capsh --decode=01ff | grep setgid
0x01ff=cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read,cap_perfmon,cap_bpf,cap_checkpoint_restore

So, the process should be able to change group.

-- 
This night methinks is but the daylight sick.
-- William Shakespeare, "The Merchant of Venice"
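The capability check in the message above looks only at CapBnd and stops at `grep Cap`; two other lines of /proc/PID/status decide the outcome. The following is an added illustration, not code from the thread: it decodes each capability set with the same bit order capsh printed above (bit 0 = cap_chown through bit 40 = cap_checkpoint_restore, as in the kernel's capability.h), and reads the `NoNewPrivs:` field that proc(5) documents. STATUS_SAMPLE is a constructed excerpt whose values are the ones a DynamicUser= service is expected to show (full bounding set, empty effective set, NoNewPrivs set to 1); it is an assumption, not a capture from the reporter's machine.

```python
"""Decode capability sets and the no_new_privs flag from /proc/PID/status.

Added illustration, not code from the thread.  STATUS_SAMPLE is a constructed
excerpt in the proc(5) format; its values are assumed to match a
DynamicUser= service and were not captured from a real process.
"""
from typing import Dict, List

# Bit positions from include/uapi/linux/capability.h, the order capsh uses.
CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap",
    "cap_linux_immutable", "cap_net_bind_service", "cap_net_broadcast",
    "cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner",
    "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot", "cap_sys_ptrace",
    "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod",
    "cap_lease", "cap_audit_write", "cap_audit_control", "cap_setfcap",
    "cap_mac_override", "cap_mac_admin", "cap_syslog", "cap_wake_alarm",
    "cap_block_suspend", "cap_audit_read", "cap_perfmon", "cap_bpf",
    "cap_checkpoint_restore",
]

# Constructed /proc/PID/status excerpt (tab-separated, as the kernel prints it).
STATUS_SAMPLE = """\
Name:\tmail_on_failure
CapInh:\t0000000000000000
CapPrm:\t0000000000000000
CapEff:\t0000000000000000
CapBnd:\t000001ffffffffff
CapAmb:\t0000000000000000
NoNewPrivs:\t1
"""


def decode_caps(mask: int) -> List[str]:
    """Names of the capabilities whose bit is set in `mask`."""
    return [name for bit, name in enumerate(CAP_NAMES) if (mask >> bit) & 1]


def parse_status(text: str) -> Dict[str, str]:
    """Turn 'Key:\\tvalue' lines into a dict; unknown keys are kept verbatim."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def explain(fields: Dict[str, str]) -> Dict[str, object]:
    """Answer the two questions that matter for a setgid helper like postdrop:
    can the process call setgid(2) itself (needs cap_setgid in CapEff), and
    will execve() of a setgid binary raise its egid (needs NoNewPrivs == 0)?
    CapBnd only caps what a later exec may grant; it grants nothing by itself."""
    effective = decode_caps(int(fields.get("CapEff", "0"), 16))
    bounding = decode_caps(int(fields.get("CapBnd", "0"), 16))
    nnp = fields.get("NoNewPrivs", "0") == "1"
    return {
        "effective": effective,
        "bounding_has_setgid": "cap_setgid" in bounding,
        "can_setgid_directly": "cap_setgid" in effective,
        "no_new_privs": nnp,
        "setgid_exec_honoured": not nnp,
    }


if __name__ == "__main__":
    for key, value in explain(parse_status(STATUS_SAMPLE)).items():
        print(f"{key}: {value}")
```

On a live system the same functions can be fed `open(f"/proc/{pid}/status").read()`; `grep -E 'Cap|NoNewPrivs' /proc/PID/status` at the shell shows the two decisive lines side by side.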



Bug#998242: cron-failure@.service delivery fails due to DynamicUser with exim

2021-11-01 Thread Yuri D'Elia
Package: systemd-cron
Version: 1.5.17-3
Severity: important

cron-failure@ is using DynamicUser=yes, however this causes a silent
delivery failure when using exim4:

systemd[1]: Starting cron-failure@cron-monthly.service...
mail_on_failure[328561]: 2021-11-01 14:11:23 1mhX5v-001NTN-LU Failed to create 
spool file /var/spool/exim4//input//1mhX5v-001NTN-LU-D: Permission denied
mail_on_failure[328561]: 2021-11-01 14:11:23 1mhX5v-001NTN-LU Failed to create 
spool file /var/spool/exim4//input//1mhX5v-001NTN-LU-D: Permission denied
mail_on_failure[328561]: 2021-11-01 14:11:23 1mhX5v-001NTN-LU Failed to create 
spool file /var/spool/exim4//input//1mhX5v-001NTN-LU-D: Permission denied
systemd[1]: cron-failure@cron-monthly.service: Deactivated successfully.
systemd[1]: Finished cron-failure@cron-monthly.service.

Combined with #992649, this makes systemd-cron silently broken on a
Debian configuration with the default MTA.

-- Package-specific info:
-- output of systemd-delta

-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable
  APT policy: (900, 'unstable'), (800, 'experimental'), (500, 'unstable-debug')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.14.0-3-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_WARN, TAINT_OOT_MODULE, 
TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages systemd-cron depends on:
ii  libc6 2.32-4
ii  python3   3.9.2-3
ii  systemd-sysv  249.5-1

Versions of packages systemd-cron recommends:
ii  exim4-daemon-light [mail-transport-agent]  4.95-2

systemd-cron suggests no packages.