AW: sudo in av_scanner script: effective uid is not 0
Andreas Büthe
abuethe at novomind.com
Fri Jul 20 17:36:29 CEST 2018
> On Jul 17, 2018, at 11:54, Dusan Obradovic <dusan at euracks.net> wrote:
>
> Systemd unit file from epel has some interesting security settings.
>
> /usr/lib/systemd/system/amavisd.service:
>
> #the bounding set is reset to the empty capability set
> CapabilityBoundingSet=
>
> #mounts /usr /boot /etc directories read-only for processes invoked by this unit
> ProtectSystem=full
You're a lifesaver, I never would have thought about this.
Solved using the following changes:
$ systemctl edit amavisd
[Service]
CapabilityBoundingSet=CAP_SETGID CAP_SETUID CAP_AUDIT_WRITE CAP_SYS_RESOURCE CAP_DAC_OVERRIDE
$ systemctl restart amavisd
Thank you very much.
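
Added example, not part of the original message: a POSIX shell check that the five capabilities named in the drop-in above are present in a process's capability bounding set, using the CapBnd mask the kernel reports in /proc/PID/status. The function names missing_caps and capbnd_of_pid are made up for this example, and the PID is assumed to be passed as the first argument.

```shell
#!/bin/sh
# Bit numbers from <linux/capability.h> for the five names used in the drop-in.
WANTED="CAP_DAC_OVERRIDE:1 CAP_SETGID:6 CAP_SETUID:7 CAP_SYS_RESOURCE:24 CAP_AUDIT_WRITE:29"

# missing_caps HEXMASK
# Prints the wanted capabilities that are absent from the given CapBnd mask
# (hex digits without a 0x prefix, as shown in /proc/PID/status).
# Runs in a subshell so its variables do not leak into the caller.
missing_caps() (
    mask=$((0x$1))
    out=""
    for entry in $WANTED; do
        name=${entry%%:*}
        bit=${entry##*:}
        if [ $(( (mask >> bit) & 1 )) -eq 0 ]; then
            out="${out:+$out }$name"
        fi
    done
    printf '%s\n' "$out"
)

# capbnd_of_pid PID
# Prints the bounding-set mask of a running process.
capbnd_of_pid() {
    sed -n 's/^CapBnd:[[:space:]]*//p' "/proc/$1/status"
}

# Usage: sh check_capbnd.sh PID
# The PID can be read from the output of: systemctl show -p MainPID amavisd
# Child processes inherit the bounding set, so checking the main PID is enough.
if [ -n "${1:-}" ]; then
    mask=$(capbnd_of_pid "$1")
    missing=$(missing_caps "$mask")
    if [ -n "$missing" ]; then
        echo "PID $1 CapBnd=$mask is missing: $missing"
    else
        echo "PID $1 CapBnd=$mask contains all five capabilities"
    fi
fi
```

With the empty CapabilityBoundingSet= from the packaged unit the mask is all zeros and all five names are reported as missing; after the drop-in and a restart the mask should read 00000000210000c2.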