Writing a systemd service file and permission problems
FedoraForum.org - Fedora Support Forums and Community
  1. #1
    Join Date
    Oct 2011
    Posts
    254

    Writing a systemd service file and permission problems

    Hi,
    I'm trying to write a service file for a daemon and having some
    problems. I believe the issue is with the ability to give the process
    write and read access to parts of the filesystem which appear to
    somehow be restricted.

    The daemon is the Avira virus scanner, which runs under amavisd-new.

    The daemon's home directory is
    /usr/local/savapi-sdk-linux_glibc24_x86_64, and it needs write access
    in the modules directory.

    The daemon can run as root or as the amavis user. It drops its
    privileges to the amavis user after starting anyway.

    Here is what I have so far:

    # cat /etc/systemd/system/savapi.service
    [Unit]
    Description=Avira Antivirus SDK
    Documentation=http://www.ijs.si/software/amavisd/#doc
    After=network.target
    Wants=clamd@amavisd.service
    Wants=postfix.service
    RequiresMountsFor="/usr/local/savapi-sdk-linux_glibc24_x86_64"

    [Service]
    Type=forking
    User=amavis
    Group=amavis
    PIDFile=/var/run/amavisd/savapi.pid
    ExecStart=/var/spool/amavisd/savapi.sh start
    ExecReload=/var/spool/amavisd/savapi.sh reload
    Restart=on-failure
    #PrivateTmp=
    PrivateDevices=false
    CapabilityBoundingSet=
    ProtectSystem=full
    ProtectHome=true

    [Install]
    WantedBy=multi-user.target

    I've specified "RequiresMountsFor", which I understood could be used
    to provide access to parts of the filesystem. I've also disabled
    PrivateTmp and PrivateDevices.

    The ExecStart script just spawns the savapi daemon:

    #!/bin/bash
    cd /usr/local/savapi-sdk-linux_glibc24_x86_64/bin
    ./savapi --config=savapi.conf &

    When I attempt to start the service, journalctl -xe shows me:
    Validation failed for option 'ModulesDir' with value
    '/usr/local/savapi-sdk-linux_glibc24_x86_64/modules'. Path cannot be
    accessed (no write permission).

    ModulesDir is /usr/local/savapi-sdk-linux_glibc24_x86_64/modules

    When I run the script manually as root or as the amavis user, it runs
    successfully.

    I think the problem is that I don't understand how systemd processes
    access the filesystem and the restrictions on permissions.

    Any ideas greatly appreciated.
    Thanks,
    Alex

  2. #2
    Join Date
    Oct 2011
    Posts
    254

    Re: Writing a systemd service file and permission problems

    The problem turned out to be an inability for a systemd process to write to /usr/local. Changing the daemon's home to /var/lib/daemon-name worked.

    If anyone knows what is preventing the process from writing to /usr/local, I'd appreciate it. SELinux is disabled at boot for now, so that's not the problem.

  3. #3
    Join Date
    Aug 2014
    Location
    Esbo, Finland
    Posts
    2

    Re: Writing a systemd service file and permission problems

    It is the

    ProtectSystem=full

    that prevents writing to anything in /usr including /usr/local

    Running into this myself with dovecot when we have the company mailboxes in
    /usr/local/var/mail ...

    And every update overwrites my dovecot.service, sigh.

    Systemd is a bloated interfering elephant and should be killed on sight....

  4. #4
    Join Date
    Jun 2007
    Location
    Lytham St Annes, Lancashire, UK
    Posts
    687
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Re: Writing a systemd service file and permission problems

    @DgaNygren - where is your "dovecot.service" file saved? If you put it under /etc/systemd/service, it should always be used instead of any file of the same name under /usr/lib/systemd/service and never be overwritten by updates.

    Have a look at the Examples at the end of the "man systemd.user" page. "Bloated interfering elephant"? - systemd may well be, but it is easier to try and work with it than push it in another direction!

    This seems to be the way Fedora is heading on a number of components - default configuration under /usr/lib/<package>/ or /usr/share/<package>/, user customisation under /etc/<package>/.
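
Added example, not part of any post in this thread: a small Python check that models which trees `ProtectSystem=` makes read-only and whether a `ReadWritePaths=` entry re-opens a path, run against a constructed excerpt of the savapi unit from post #1. The function names and the drop-in generator are hypothetical, and only the mount-namespace restriction is modelled (file ownership and `ProtectHome=` are not).

```python
import posixpath

# Read-only trees per ProtectSystem= level, as documented in systemd.exec(5).
READ_ONLY = {"true": ("/usr", "/boot", "/efi"),
             "full": ("/usr", "/boot", "/efi", "/etc")}
STRICT_EXEMPT = ("/dev", "/proc", "/sys")   # left alone by ProtectSystem=strict
TRUE_WORDS = {"1", "yes", "true", "on"}

def service_settings(unit_text):
    """Return (ProtectSystem level, ReadWritePaths list) from [Service]."""
    section, level, rw = None, "no", []
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            section = line.strip("[]")
            continue
        if section != "Service" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "ProtectSystem":
            level = "true" if value.lower() in TRUE_WORDS else value.lower()
        elif key == "ReadWritePaths":
            # Lines accumulate; an empty assignment resets the list.
            rw = rw + [p.lstrip("-+") for p in value.split()] if value else []
    return level, rw

def under(path, tree):
    path, tree = posixpath.normpath(path), posixpath.normpath(tree)
    return tree == "/" or path == tree or path.startswith(tree + "/")

def write_blocked(unit_text, path):
    """True if the unit's mount namespace makes `path` read-only."""
    level, rw = service_settings(unit_text)
    if any(under(path, p) for p in rw):
        return False
    if level == "strict":
        return not any(under(path, t) for t in STRICT_EXEMPT)
    return any(under(path, t) for t in READ_ONLY.get(level, ()))

def dropin(path):
    """Drop-in text that re-opens one path and keeps ProtectSystem= as is."""
    return "[Service]\nReadWritePaths=" + posixpath.normpath(path) + "\n"

# Constructed excerpt of the unit from post #1.
UNIT = "[Service]\nUser=amavis\nProtectSystem=full\nProtectHome=true\n"
MODULES = "/usr/local/savapi-sdk-linux_glibc24_x86_64/modules"

if __name__ == "__main__":
    print(write_blocked(UNIT, MODULES))
    print(write_blocked(UNIT + dropin(MODULES), MODULES))
```

The text returned by `dropin()` belongs in a `.conf` file under `/etc/systemd/system/savapi.service.d/`, followed by `systemctl daemon-reload`; a drop-in there is not replaced when a package update rewrites the vendor unit.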
