2

I have some specific group/permissions set for my fail2ban.sock file to make Zabbix able to monitor Fail2ban as described here https://github.com/hermanekt/zabbix-fail2ban-discovery-

I added the following lines to systemd service configuration to make sure the permissions will be correct after service restart:

[Service]
ExecStartPost=/bin/sh -c "while ! [ -S /run/fail2ban/fail2ban.sock ]; do sleep 1; done"
ExecStartPost=/bin/chgrp fail2ban /run/fail2ban/fail2ban.sock
ExecStartPost=/bin/chmod g+w /run/fail2ban/fail2ban.sock

It works perfectly when I'm trying to restart the service manually using systemctl restart fail2ban. But for some reason, it does not work after the reboot. I tried adding some debug lines to ExecStartPost with dummy echo and they are there, so ExecStartPost actions are being executed. But looks like something else re-writes permission on boot. Any ideas on how to troubleshoot?

ihorc
  • 43
  • 6

2 Answers2

1

This looks possibly like a "timing" problem - maybe the first of your ExecStartPost timed out or multiple ExecStartPost entries don't evaluated serially and running in parallel (due to specified Type of unit or some other setting), or something similar...

You can try to rewrite it in single line or in some script and use single ExecStartPost parameter, or...

Why just don't set default acl for /run/fail2ban directory (e. g. in ExecStartPre), so the socket gets created with correct permissions initially? See https://unix.stackexchange.com/a/1315/452987

So try something like this:

ExecStartPre=-/bin/mkdir -p /run/fail2ban && /bin/setfacl -d -m g:fail2ban:rw /run/fail2ban

Another variant would be simply to set another path to fail2ban socket to some persistent directory (e. g. /opt/fail2ban instead of /run/fail2ban) either with -s parameter in systemd unit or with parameter socket within /etc/fail2ban/fail2ban.local. And set the permissions persistently.

sebres
  • 1,100
  • 1
  • 5
  • 6
  • 1
    Don't know what was the problem but I resolved it with the same commands moved to a separate script: `ExecStartPost=/usr/bin/bash -c "/lib/systemd/system/fail2ban-fix-socket-permissions.sh"` – ihorc Sep 27 '21 at 15:14
1

Since you're using a systemd service unit, it would worth creating a systemd socket unit as well. By creating the socket unit, systemd will manage the socket file. Ownership and permissions can be set with SocketMode, SocketUser, and SocketGroup. Then in your service unit, in section [Unit] add Requires=yourservice.socket.

Paul
  • 443
  • 2
  • 5
  • 14
  • Thank you Paul for the tip, unfortunately fail2ban remove the socket file if already existing. Cf: line 249 of https://github.com/fail2ban/fail2ban/blob/master/fail2ban/server/asyncserver.py – Biapy Sep 19 '22 at 11:46