mirrors/maddy
1
0
Fork 0
mirror of https://github.com/foxcpp/maddy.git synced 2025-04-04 05:37:34 +03:00
Code Issues Projects Releases Packages Wiki Activity

dist: Remove DynamicUser from systemd units

Browse source 
It is only a good thing to use for simple stateless daemons.  It is
possible to use StateDirectory to store state, but it is extremely
limited. Notably, only service processes and root can correctly access
the state directory. This makes up for a bad practice to run maddyctl as
root what in turn screws up permissions on files in messages directory
when imap-* subcommands are used.

Migration note: Users of systemd unit with DynamicUser enabled should
move /var/lib/private/maddy to /var/lib/maddy before starting maddy
after update.
This commit is contained in:
fox.cpp 2020-01-03 02:08:50 +03:00
parent 813bbb992e
commit 1b2b101f8e
No known key found for this signature in database
GPG key ID: E76D97CCEDE90B6C
4 changed files with 4 additions and 20 deletions
Download patch file Download diff file Expand all files Collapse all files

4
dist/README.md vendored
View file

@ -18,10 +18,6 @@ your config.
`maddy@.service` launches maddy using custom config path. E.g.
`maddy@foo.service` will use /etc/maddy/foo.conf.
Both unit files use DynamicUser to allocate user account for maddy, hence you don't need
to create it explicitly. Also, they use \*Directory options, so required directories
will be created as well.
Additionally, unit files apply strict sandboxing, limiting maddy permissions on
the system to a bare minimum. Subset of these options makes it impossible for
privileged authentication helper binaries to gain required permissions, so you

4
dist/systemd/maddy.service vendored
View file

@ -9,7 +9,6 @@ After=network.target
Type=notify
NotifyAccess=main
# For systemd before 235. Assumes pre-existing user & group.
User=maddy
Group=maddy
@ -17,9 +16,6 @@ Group=maddy
# in config will be relative to it unless handled specially.
WorkingDirectory=/var/lib/maddy
# For systemd 235+. systemd will take care of user accounts
# directories and permissions.
DynamicUser=true
ConfigurationDirectory=maddy
RuntimeDirectory=maddy
StateDirectory=maddy

8
dist/systemd/maddy@.service vendored
View file

@ -9,17 +9,15 @@ After=network.target
Type=notify
NotifyAccess=main
# For systemd before 235. Assumes pre-existing user & group.
User=maddy
Group=maddy
# For systemd 235+. systemd will take care of user accounts
# and permissions.
DynamicUser=true
ConfigurationDirectory=maddy
RuntimeDirectory=maddy
StateDirectory=maddy
ReadOnlyPaths=/usr/lib/maddy
LogsDirectory=maddy
ReadOnlyPaths=/usr/lib/maddy
ReadWritePaths=/var/lib/maddy
# Strict sandboxing. You have no reason to trust code written by strangers from GitHub.
PrivateTmp=true