
I'm using amavisd on fedora33 and trying to change the file permissions on the socket it creates so nagios and nrpe can read the file in the amavis group.

The file permissions currently are as such:

# ls -l /run/amavisd/amavisd.sock
srwxr-x--- 1 amavis amavis 0 Nov 23 20:29 /run/amavisd/amavisd.sock

I'm executing "systemctl edit amavisd.service" to create an override.conf file with the following:

[Service]
LimitNOFILE=5000
UMask=0007
ExecStartPost=/usr/bin/su - amavis -c \'/usr/bin/chmod 770 /run/amavisd/amavisd.sock\'

The shell for the amavis user is /bin/bash. After saving and running "systemctl daemon-reload" then restarting, it fails with no indication of why. I've also tried having it execute a script, but that fails the same way.

[Service]
LimitNOFILE=5000
UMask=0007
ExecStartPost=/bin/sh -c /etc/amavisd/chmod-sock.sh

Why is the UMask parameter ignored altogether? Is /etc/bashrc processed when the amavisd.service is started?

Here is the contents of the script.

# cat /etc/amavisd/chmod-sock.sh
#!/bin/bash
sleep 1
/usr/bin/chmod 770 /run/amavisd/amavisd.sock

"systemctl status amavisd.service" and "journalctl -xe" resulted in no helpful information.

Update: I found some info in /var/log/messages that I must have missed before. It looks like amavis is being continually restarted because "su" failed:

su: (to amavis) root on none
su[73476]: su: cannot open session: Permission denied
systemd[1]: amavisd.service: Control process exited, code=exited, status=1/FAILURE

This link talks about making modifications to /etc/pam.d/su to disable some kind of auth protection.

https://unix.stackexchange.com/questions/171097/unable-to-su-into-an-account-could-not-open-session

This systemd link says it's necessary to escape single quotes, but that failed here. Removing the backslashes allowed su to run properly and amavisd to eventually start. https://www.freedesktop.org/software/systemd/man/systemd.service.html

su[74032]: 770: -c: line 0: unexpected EOF while looking for matching `''
su[74032]: 770: -c: line 1: syntax error: unexpected end of file

So my questions now are:

  • Why is "UMask 0007" being ignored in my override.conf?
  • What is the proper way to change permissions on the amavisd socket after it's created so others in the same group can read from it?
  • What are the implications of modifying the PAM security for su?
  • How do you run a shell script from a systemd override.conf file?
Alex Regan
  • I've added quite a bit more detail and clarity after locating some info in /var/log/messages that I previously missed and journalctl did not reveal. – Alex Regan Nov 24 '20 at 13:47
  • Hm. Well you shouldn't need to switch users to run chmod anyway. Not to mention it's already readable by the amavis group, so you don't need to do any of this anyway. – Michael Hampton Nov 24 '20 at 14:59
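An added example, not part of the question or any answer: a drop-in for amavisd.service that does what the question's override.conf attempts, without `su` and without backslash-escaped quotes. It assumes that ExecStartPost runs as a user allowed to chmod the socket (the service's own user, which owns the socket in the listing above, or root), and that the socket path is the one shown above.

```ini
# /etc/systemd/system/amavisd.service.d/override.conf
# Added example (not from the question): drop-in that sets the socket's
# group permissions without su and without backslash-escaped quotes.
[Service]
LimitNOFILE=5000
# UMask applies to the processes systemd starts; a daemon that sets its own
# umask or socket mode after start-up can still override it (assumption,
# not verified for amavisd here).
UMask=0007

# Reset ExecStartPost before defining it, so earlier drop-ins do not stack.
ExecStartPost=
# ExecStartPost already runs in the service's context, so no su is needed.
# systemd passes single quotes through as written; "\'" would hand the shell
# a literal backslash, which is the "unexpected EOF" error in the log above.
# The loop waits up to 10 s for the socket to appear before changing its mode.
ExecStartPost=/bin/sh -c 'for i in 1 2 3 4 5 6 7 8 9 10; do [ -S /run/amavisd/amavisd.sock ] && break; sleep 1; done; /usr/bin/chmod 0770 /run/amavisd/amavisd.sock'

# Alternative: run the script from the question directly. It must be executable
# (chmod 0755) and keep its #!/bin/bash line; no "/bin/sh -c" wrapper is needed.
# ExecStartPost=/etc/amavisd/chmod-sock.sh
```

After saving, `systemctl daemon-reload` and `systemctl restart amavisd.service` as in the question; `ls -l /run/amavisd/amavisd.sock` should then show `srwxrwx---`.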

0 Answers