Displaying 17 results from an estimated 17 matches for "capabilityboundingset".
2018 Apr 04
2
issue with sieve forwarding after upgrade to 0.5.1
...new systemd service file has NoNewPrivileges set to true. You need
> to override that to false and then it should work again.
It seems that the NoNewPrivileges option messes with several things.
PAM authentication stopped working as well besides the fact that
CAP_AUDIT_WRITE is also missing in CapabilityBoundingSet.
I've opened a pull request https://github.com/dovecot/core/pull/71
Although I removed NoNewPrivileges altogether, since I didn't know what
to write in the comment.
The only thing I could think of was something along the lines:
# If you want most things to stop working, set this to true...
2018 Apr 04
0
issue with sieve forwarding after upgrade to 0.5.1
We are thinking that we remove both this and CapabilityBoundingSet in next release, so feel free to remove them from the unit file.
---
Aki Tuomi
Dovecot oy
-------- Original message --------
From: "Helmut K. C. Tessarek" <tessarek at evermeet.cx>
Date: 04/04/2018 09:44 (GMT+02:00)
To: dovecot at dovecot.org
Subject: Re: issue with sieve forwardin...
2020 Sep 22
1
starting stoping samba 4.11
...; ExecReload=/usr/bin/kill -HUP $MAINPID
> PermissionsStartOnly=true
> Restart=always
> RestartSec=1
> Nice=19
>
> PrivateTmp=yes
> PrivateDevices=yes
> ProtectKernelTunables=yes
> ProtectKernelModules=yes
> ProtectControlGroups=yes
> MemoryDenyWriteExecute=yes
> CapabilityBoundingSet=CAP_CHOWN CAP_SETGID CAP_SETUID CAP_DAC_OVERRIDE CAP_NET_BIND_SERVICE CAP_IPC_LOCK CAP_SYS_CHROOT
>
> SystemCallFilter=@system-service @network-io @privileged @resources
> SystemCallFilter=~@debug @module @mount @reboot
>
2020 Sep 21
4
starting stoping samba 4.11
Hello, I am using Samba version 4.11.2, compiled.
To start the daemon I am using
/samba10/samba-4.11.2/bin/samba -s /etc/samba/smb.conf
To stop correctly, what is recommended?
Actually I am using kill -9 ...
Regards.
2018 Apr 05
4
Can’t authenticate any users after upgrade.
I'm in the process of upgrading an old server from Fedora 21 to something more modern. Now, Dovecot won't let any client login to get their email.
PAM audit_log_acct_message() failed: Operation not permitted
imap-login: Disconnected (AUTH failed, 2 attempts in 10 secs): user=<username>, method=PLAIN, rip=192.168.1.94 lip=192.168.1.94, TLS, session=<sessionid>
# 2.3.1 (8e2f634):
2018 Apr 05
0
Re: Can’t authenticate any users after upgrade.
...PIDFile=/var/run/dovecot/master.pid
ExecReload=/usr/bin/doveadm reload
ExecStop=/usr/bin/doveadm stop
PrivateTmp=true
NonBlocking=yes
# this will make /usr /boot /etc read only for dovecot
ProtectSystem=full
PrivateDevices=true
# disable this if you want to use apparmor plugin
#NoNewPrivileges=true
CapabilityBoundingSet=CAP_CHOWN CAP_DAC_OVERRIDE CAP_IPC_LOCK CAP_KILL CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_AUDIT_WRITE
# You can add environment variables with e.g.:
#Environment='CORE_OUTOFMEM=1'
# If you have trouble with `Too many open files' you may set:
#Limit...
2016 Feb 23
0
Change machine name without a reboot?
...start=always
RestartSec=1
____________________________________
[root at srv-rhsoft:~]$ cat /etc/systemd/system/smb.service
[Unit]
Description=Samba SMB Daemon
[Service]
Type=forking
LimitNOFILE=32768
ExecStart=/usr/sbin/smbd -D
Restart=always
RestartSec=1
Nice=19
PrivateTmp=yes
PrivateDevices=yes
CapabilityBoundingSet=CAP_CHOWN CAP_SETGID CAP_SETUID CAP_DAC_OVERRIDE CAP_KILL CAP_NET_BIND_SERVICE CAP_IPC_LOCK CAP_SYS_CHROOT
ReadOnlyDirectories=/etc
ReadOnlyDirectories=/usr
ReadOnlyDirectories=/var/lib
ReadWriteDirectories=/var/lib/samba
ReadWriteDirectories=/usr/local
2020 Sep 21
0
starting stoping samba 4.11
...68
ExecStart=/usr/sbin/smbd --foreground --no-process-group
ExecReload=/usr/bin/kill -HUP $MAINPID
PermissionsStartOnly=true
Restart=always
RestartSec=1
Nice=19
PrivateTmp=yes
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
MemoryDenyWriteExecute=yes
CapabilityBoundingSet=CAP_CHOWN CAP_SETGID CAP_SETUID CAP_DAC_OVERRIDE CAP_NET_BIND_SERVICE CAP_IPC_LOCK CAP_SYS_CHROOT
SystemCallFilter=@system-service @network-io @privileged @resources
SystemCallFilter=~@debug @module @mount @reboot
2016 Feb 23
2
Change machine name without a reboot?
> From: Reindl Harald
>
> besides that you did not provide the info "embedded system" -
> when you
> have systemd you also have "systemctl restart
> whatever.service" and in
> PHP it would be passthru('command')
>
> you don't know how you restart a service via CLI - seriously?
I know how to do it through systemctl, but I was
2015 Jan 10
3
Dovecot on Fedora 20 or 21
Hello,
Is anyone running Dovecot on either a Fedora 20 or 21 system? I'm
having an issue, on a system reboot, which I admit does not happen
often, Dovecot fails to start in the systemctl list, output is status
failed. The issue seems to be Dovecot can not bind to the ipv6
address. Now later if I manually log in to the box and start dovecot
it works just fine no problems. I've googled and
2018 Apr 05
3
Re: Can’t authenticate any users after upgrade.
On 2018-04-05 06:33, Helmut K. C. Tessarek wrote:
> On 2018-04-04 23:10, Kevin Cummings wrote:
>> PAM audit_log_acct_message() failed: Operation not permitted
>> imap-login: Disconnected (AUTH failed, 2 attempts in 10 secs):
>> user=<username>, method=PLAIN, rip=192.168.1.94 lip=192.168.1.94, TLS,
>> session=<sessionid>
>
> Please look at my pull
2016 Jul 09
4
Option configure
Hello,
Am 09.07.2016 um 09:14 schrieb Rowland penny:
>> What is the purpose of the option
>> --with-systemd
>> Enable systemd integration
>>
>> To configure Samba (build).
>>
>
> It is there so that there is also the '--without-systemd' option.
>
> one turns on systemd integration, the other (thank your deity)
2018 Apr 03
5
issue with sieve forwarding after upgrade to 0.5.1
Hello,
After I upgrade dovecot 2.2.35 to 2.3.1 and pigeonhole 0.4.23 to 0.5.1 when I use sieve to forward a message to other address using "redirect :copy" I get this:
(host server1.myserver.com[private/dovecot-lmtp] said: 451 4.2.0 <chris at mydomain.com> Execution of Sieve filters was aborted due to
2016 Jul 09
4
Option configure
...proper security options
[root at srv-rhsoft:~]$ cat /etc/systemd/system/smb.service
[Unit]
Description=Samba SMB Daemon
[Service]
Type=forking
LimitNOFILE=32768
ExecStart=/usr/sbin/smbd -D
ExecReload=/usr/bin/kill -HUP $MAINPID
Restart=always
RestartSec=1
Nice=19
PrivateTmp=yes
PrivateDevices=yes
CapabilityBoundingSet=CAP_CHOWN CAP_SETGID CAP_SETUID CAP_DAC_OVERRIDE CAP_KILL CAP_NET_BIND_SERVICE CAP_IPC_LOCK CAP_SYS_CHROOT
SystemCallFilter=~acct modify_ldt add_key adjtimex clock_adjtime delete_module fanotify_init finit_module get_mempolicy init_module io_destroy io_getevents iopl ioperm io_setup io_submit io...
2017 Dec 27
4
Ubuntu Auth Issues with new repository code..
Saw the new repository notification, and figured what the heck I
would try letting it upgrade me from the current v2.2.22 release that
apparently is in the Ubuntu 16.04 packages, to the new repository
release of v2.3.0.
I followed the info on repo.dovecot.org, and first it started bitching
about lmtp (dovecot: master: Fatal: service(lmtp)
access(/usr/lib/dovecot/lmtp) failed: No such
2018 Nov 02
2
guestfs_launch() fails when C application is started as a systemd service
...tfsd.sock: Operation
not permitted
libguestfs: clear_socket_create_context: setsockcreatecon failed: NULL:
Invalid argument [you can ignore this message if you are not using SELinux
+ sVirt]
libguestfs: trace: launch = -1 (error)
failed to launch domain: Invalid argument
(Note on the service file: CapabilityBoundingSet is for future development
- it seems to make no difference)
Best Regards,
Peter
2018 Jan 22
1
Samba 4.7 don't start on F27
...r=network.service
[Service]
Type=forking
LimitNOFILE=32768
ExecStart=/usr/sbin/smbd -D
ExecReload=/usr/bin/kill -HUP $MAINPID
Restart=always
RestartSec=1
Nice=19
PrivateTmp=yes
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
MemoryDenyWriteExecute=yes
CapabilityBoundingSet=CAP_CHOWN CAP_SETGID CAP_SETUID CAP_DAC_OVERRIDE CAP_KILL CAP_NET_BIND_SERVICE CAP_IPC_LOCK CAP_SYS_CHROOT
SystemCallFilter=~acct modify_ldt add_key adjtimex clock_adjtime delete_module fanotify_init finit_module get_mempolicy init_module io_destroy io_getevents iopl ioperm io_setup io_submit io...