AW: sudo in av_scanner script: effective uid is not 0

Andreas B├╝the abuethe at novomind.com
Fri Jul 20 17:36:29 CEST 2018


> On Jul 17, 2018, at 11:54, Dusan Obradovic <dusan at euracks.net> wrote:
> 
> Systemd unit file from epel has some interesting security settings.
> 
> /usr/lib/systemd/system/amavisd.service:
> 
> #the bounding set is reset to the empty capability set CapabilityBoundingSet=
> 
> #mounts /usr /boot /etc directories read-only for processes invoked by this unit ProtectSystem=full

You're a lifesaver, I never would have thought about this.

Solved using the following changes:
$ systemctl edit amavisd
[Service]
CapabilityBoundingSet=CAP_SETGID CAP_SETUID CAP_AUDIT_WRITE CAP_SYS_RESOURCE CAP_DAC_OVERRIDE

$ systemctl restart amavisd

Thank you very much.


More information about the amavis-users mailing list