
Correct setup doc #639

Status: Open. Wants to merge 1 commit into master.

Conversation

@clsty clsty commented Oct 19, 2023

Add two lines of commands to the Installation guide.

In my testing, it won't work without either of these lines.

@foxcpp (Owner) commented Jan 21, 2024

Wondering why systemd doesn't do it already since we set StateDirectory and RuntimeDirectory.

Except in case of ConfigurationDirectory=, the innermost specified directories will be owned by the user and group specified in User= and Group=. If the specified directories already exist and their owning user or group do not match the configured ones, all files and directories below the specified directories as well as the directories themselves will have their file ownership recursively changed to match what is configured.

Same goes for capabilities:

AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE

@foxcpp (Owner) commented Jan 21, 2024

AmbientCapabilities was added in systemd v229.
StateDirectory was added in systemd v211.

What is your distribution/systemd version?

@clsty (Author) commented Jan 21, 2024

  • Rocky Linux 9.0 (Blue Onyx)
  • systemd 250 (250-6.e19_0)

@foxcpp (Owner) commented Jan 22, 2024

Is there anything in the system journal regarding maddy.service when you run systemctl daemon-reload or on service start?
I wonder why directives in maddy.service are not applied.

@clsty (Author) commented Jan 22, 2024

I tried disabling maddy.service, removing those permissions and enabling it again; this time the permissions were applied automatically, just as you described.

However, this is not a fresh installation anymore. I can't tell why the first time it didn't work. My journalctl does not keep logs persistently.

Let me paste the log of the fresh installation (months ago) from .zsh_history, though.

wget https://github.com/foxcpp/maddy/releases/download/v0.7.0/maddy-0.7.0-x86_64-linux-musl.tar.zst
unzstd maddy-0.7.0-x86_64-linux-musl.tar.zst
tar -xvf maddy-
tar -xvf maddy-0.7.0-x86_64-linux-musl.tar
cd maddy-0.7.0-x86_64-linux-musl
mkdir /etc/maddy
cp maddy.conf /etc/maddy
cp maddy maddyctl /usr/bin
cp systemd/*.service /etc/systemd/system
mkdir /etc/maddy
cp maddy.conf /etc/maddy
cp maddy /usr/bin
cp systemd/*.service /etc/systemd/system
ls /sbin
useradd -mrU -s /sbin/nologin -d /var/lib/maddy -c "maddy mail server" maddy
dnf install certbot
dnf install python-certbot-nginx
vim /etc/nginx/conf.d/maddy.conf
vim /etc/maddy/maddy.conf
ip a
lsblk -f
for i in 25 465 587 993 143;do lsof -i $i;done
for i in 25 465 587 993 143;do lsof -i:$i;done
for i in 25 465 587 993 143 443;do lsof -i:$i;done
ls -l /
ls -l /etc/certkey
ls -l /etc/
setfacl
setfacl -R -m u:maddy:rx /etc/certkey/cert.{key,pem}
setfacl -R -m u:maddy:rx /etc/certkey/cert.{key,pemm}
systemctl enable --now maddy.service
systemctl status maddy.service
vim /etc/maddy/maddy.conf
systemctl start maddy
journalctl -xeu maddy.service
systemctl status maddy.service
systemctl daemon-reload
clear
useradd -mrU -s /sbin/nologin -d /var/lib/maddy -c "maddy mail server" maddy
userdel maddy
useradd -mrU -s /sbin/nologin -d /var/lib/maddy -c "maddy mail server" maddy
userdel maddy
rm -rf /var/lib/maddy
useradd -mrU -s /sbin/nologin -d /var/lib/maddy -c "maddy mail server" maddy
systemctl start maddy
maddy
su maddy
maddy run
systemctl status maddy
systemctl start maddy
vifm /etc/systemd/system maddy-0.7.0-x86_64-linux-musl/systemd
mv /usr/bin/maddy /usr/local/bin/maddy
systemctl start maddy
maddy
which maddy
/usr/local/bin/maddy run
su - maddy -c /usr/local/bin/maddy run
runuser -l maddy -c '/usr/local/bin/maddy run'
chsh -s /bin/bash maddy
runuser -l maddy -c '/usr/local/bin/maddy run'
ls /run/maddy
vifm /run/maddy
chown maddy:maddy /run/maddy
runuser -l maddy -c '/usr/local/bin/maddy run'
chown -R maddy:maddy /var/lib/maddy
runuser -l maddy -c '/usr/local/bin/maddy run'
chown -R maddy:maddy /run/maddy
runuser -l maddy -c '/usr/local/bin/maddy run'
lsof -i:25
netstat -tulpn | grep :25
setcap 'cap_net_bind_service=+ep' /usr/local/bin/maddy
runuser -l maddy -c '/usr/local/bin/maddy run'
systemctl start maddy
systemctl enable maddy
chown -R maddy:maddy /var/lib/maddy /run/maddy
setcap 'cap_net_bind_service=+ep' /usr/local/bin/maddy

NOTE: I sometimes use vifm (a TUI file manager), so not all paths of edited files, nor all the cp and mv commands, were logged.

Maybe it's because of SELinux? I'm not familiar with this thing, but could it be possible that once I gave the permission manually, the restriction disappeared so that systemd could add it for me after that?
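
As an added example (not part of maddy or this PR), a small POSIX shell checker for the point foxcpp raises above and the manual chown steps in the history: it reads a unit's StateDirectory=, RuntimeDirectory=, User= and Group= directives, maps them to the /var/lib and /run paths systemd creates and chowns to User=/Group=, and reports whether an existing directory already has that ownership, so a manual chown can be confirmed redundant (or a mismatch spotted before blaming SELinux). The unit file path and the optional PREFIX argument, which lets the check run against a scratch tree instead of the live system, are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not maddy's own code: derive the directories a systemd unit manages via
# StateDirectory= / RuntimeDirectory= and compare their ownership with User= / Group=.
# PREFIX (optional) is prepended to /var/lib and /run so a scratch tree can be checked.
set -u

# Print the value of the last KEY= line in UNIT (later lines override earlier ones).
unit_value() {  # unit_value UNIT KEY
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# Map the space-separated StateDirectory= and RuntimeDirectory= names to the absolute
# paths systemd creates on start: /var/lib/<name> and /run/<name>.
managed_dirs() {  # managed_dirs UNIT [PREFIX]
    unit="$1"; prefix="${2:-}"
    for d in $(unit_value "$unit" StateDirectory); do printf '%s\n' "$prefix/var/lib/$d"; done
    for d in $(unit_value "$unit" RuntimeDirectory); do printf '%s\n' "$prefix/run/$d"; done
}

# For each managed directory, print "ok PATH", "absent PATH" (systemd will create it) or
# "mismatch PATH (...)" when owner:group differs from what the unit configures; the
# function returns 1 if any mismatch was found, 0 otherwise.
check_ownership() {  # check_ownership UNIT [PREFIX]
    unit="$1"; prefix="${2:-}"
    want_user="$(unit_value "$unit" User)"
    want_group="$(unit_value "$unit" Group)"
    # Group= defaults to the primary group of User= (resolved only if that user exists here).
    [ -n "$want_group" ] || want_group="$(id -gn "$want_user" 2>/dev/null || printf '%s' "$want_user")"
    rc=0
    for dir in $(managed_dirs "$unit" "$prefix"); do
        [ -d "$dir" ] || { printf 'absent %s (systemd creates it on start)\n' "$dir"; continue; }
        have="$(stat -c %U:%G "$dir")"
        if [ "$have" = "$want_user:$want_group" ]; then
            printf 'ok %s\n' "$dir"
        else
            printf 'mismatch %s (have %s, unit wants %s:%s)\n' "$dir" "$have" "$want_user" "$want_group"
            rc=1
        fi
    done
    return $rc
}
```

Run it as `check_ownership /etc/systemd/system/maddy.service` on the host; any "mismatch" line is exactly the case the systemd passage quoted above says systemd repairs itself with a recursive chown on the next start.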
