mirrors/maddy
1
0
Fork 0
mirror of https://github.com/foxcpp/maddy.git synced 2025-04-04 21:47:40 +03:00
Code Issues Projects Releases Packages Wiki Activity

dist: Remove DynamicUser from systemd units

Browse source 
It is only a good thing to use for simple stateless daemons.  It is
possible to use StateDirectory to store state, but it is extremely
limited. Notably, only service processes and root can correctly access
the state directory. This makes up for a bad practice to run maddyctl as
root what in turn screws up permissions on files in messages directory
when imap-* subcommands are used.

Migration note: Users of systemd unit with DynamicUser enabled should
move /var/lib/private/maddy to /var/lib/maddy before starting maddy
after update.
This commit is contained in:
fox.cpp 2020-01-03 02:08:50 +03:00
parent 813bbb992e
commit 1b2b101f8e
No known key found for this signature in database
GPG key ID: E76D97CCEDE90B6C
4 changed files with 4 additions and 20 deletions
Download patch file Download diff file Expand all files Collapse all files

4
dist/README.md vendored
View file

@ -18,10 +18,6 @@ your config.
`maddy@.service` launches maddy using custom config path. E.g. `maddy@.service` launches maddy using custom config path. E.g.
`maddy@foo.service` will use /etc/maddy/foo.conf. `maddy@foo.service` will use /etc/maddy/foo.conf.
Both unit files use DynamicUser to allocate user account for maddy, hence you don't need
to create it explicitly. Also, they use \*Directory options, so required directories
will be created as well.
Additionally, unit files apply strict sandboxing, limiting maddy permissions on Additionally, unit files apply strict sandboxing, limiting maddy permissions on
the system to a bare minimum. Subset of these options makes it impossible for the system to a bare minimum. Subset of these options makes it impossible for
privileged authentication helper binaries to gain required permissions, so you privileged authentication helper binaries to gain required permissions, so you

4
dist/systemd/maddy.service vendored
View file

@ -9,7 +9,6 @@ After=network.target
Type=notify Type=notify
NotifyAccess=main NotifyAccess=main
# For systemd before 235. Assumes pre-existing user & group.
User=maddy User=maddy
Group=maddy Group=maddy
@ -17,9 +16,6 @@ Group=maddy
# in config will be relative to it unless handled specially. # in config will be relative to it unless handled specially.
WorkingDirectory=/var/lib/maddy WorkingDirectory=/var/lib/maddy
# For systemd 235+. systemd will take care of user accounts
# directories and permissions.
DynamicUser=true
ConfigurationDirectory=maddy ConfigurationDirectory=maddy
RuntimeDirectory=maddy RuntimeDirectory=maddy
StateDirectory=maddy StateDirectory=maddy

8
dist/systemd/maddy@.service vendored
View file

@ -9,17 +9,15 @@ After=network.target
Type=notify Type=notify
NotifyAccess=main NotifyAccess=main
# For systemd before 235. Assumes pre-existing user & group.
User=maddy User=maddy
Group=maddy Group=maddy
# For systemd 235+. systemd will take care of user accounts
# and permissions.
DynamicUser=true
ConfigurationDirectory=maddy ConfigurationDirectory=maddy
RuntimeDirectory=maddy
StateDirectory=maddy StateDirectory=maddy
ReadOnlyPaths=/usr/lib/maddy
LogsDirectory=maddy LogsDirectory=maddy
ReadOnlyPaths=/usr/lib/maddy
ReadWritePaths=/var/lib/maddy
# Strict sandboxing. You have no reason to trust code written by strangers from GitHub. # Strict sandboxing. You have no reason to trust code written by strangers from GitHub.
PrivateTmp=true PrivateTmp=true

8
docs/tutorials/manual-installation.md
View file

@ -67,10 +67,4 @@ SMTP endpoint is on port 465 with TLS enforced ("implicit TLS").
### systemd unit ### systemd unit
You can use the systemd unit file from the [dist/](dist) directory in You can use the systemd unit file from the [dist/](dist) directory in
this repo. It will automatically set-up user account and directories. this repo.
Additionally, it will apply strict sandbox to maddy to ensure additional
security.
You need a relatively new systemd version (235+) both of these things to work
properly. Otherwise, you still have to manually create a user account and the
state + runtime directories with read-write permissions for the maddy user.