[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Savannah-hackers-public] Savannah bug->email gateway problems
|
From: |
G. Branden Robinson |
|
Subject: |
Re: [Savannah-hackers-public] Savannah bug->email gateway problems |
|
Date: |
Wed, 17 Aug 2022 16:19:50 -0500 |
At 2022-08-17T14:33:40-0600, Bob Proulx wrote:
> Bob Proulx wrote:
> > It appears that systemd is setting NoNewPrivileges=yes for apache
> > and if I read the documentation correctly this will definitely break
> > things in the way we are seeing. I have removed that setting and am
> > trying things again.
>
> That seems to have been the problem. I upgraded all of the packages
> that I had downgraded during testing and restarted all. I just tested
> this with a different ticket and it sent the mail okay.
>
> The root cause of the problem appears to have been over exuberant
> hardening from someone setting NoNewPrivileges=yes in systemd for the
> apache processes and as that prevents all suid in child processes it
> basically breaks anything and everything that calls out to
> subprocesses such as sending email with /usr/sbin/sendmail and other
> things.
Thanks, Bob! I can confirm that the problem is resolved. If you didn't
already, you might consider adding a comment to the relevant systemd
configuration file to warn off over-exuberant hardeners in the future.
Unfortunately I think this means--maybe you can confirm--that no email
got queued in the first place, so email records of any Savannah ticket
updates in the ~5 day period 12-16 August have been lost.
For groff, I am able to use the "Advanced" item browser to activate an
"additional constraint" and see "any" tickets "modified" since 12
August. There are only 9 so it's not so bad. I'm sharing this for the
benefit of other Savannah users, not so much the hackers, who I reckon
already know about it. :)
Regards,
Branden
signature.asc
Description: PGP signature