fix: disable SystemD protections, as they don't work with Exim4 and prevent...

fix: disable SystemD protections, as they don't work with Exim4 and prevent mail notifications from being sent (see SubApp Issue #147 for details, thx @steidl @romeyke @heide)

fix: disable SystemD protections, as they don't work with Exim4 and prevent...
21de9e6f · Jörg Sachse · 83949068 · 21de9e6f · 21de9e6f · 21de9e6f
Commit 21de9e6f authored 2 years ago by Jörg Sachse
--- a/templates/etc/systemd/user/disapp.service.j2
+++ b/templates/etc/systemd/user/disapp.service.j2
@@ -41,17 +41,19 @@ OOMScoreAdjust=-900
 # documented at "man (5) systemd.exec" and
 # https://www.freedesktop.org/software/systemd/man/systemd.exec.html
 # DEACTIVATED FOR DEBIAN 10, AS SYSTEMD DOESN'T SEEM TO SUPPORT THEM YET.
-ProtectSystem=full
-ProtectHostname=true
-ProtectClock=true
-ProtectKernelTunables=true
-ProtectKernelModules=true
-ProtectKernelLogs=true
-ProtectControlGroups=true
-LockPersonality=true
-#MemoryDenyWriteExecute=true
-RestrictRealtime=true
-RestrictSUIDSGID=true
+# KEEP DEACTIVATED IF YOU WANT TO SEND EMAILS! EXIM DOESN'T WORK WITH
+# ANY OF THESE SETTINGS IN PLACE!
+#ProtectSystem=full
+#ProtectHostname=true
+#ProtectClock=true
+#ProtectKernelTunables=true
+#ProtectKernelModules=true
+#ProtectKernelLogs=true
+#ProtectControlGroups=true
+#LockPersonality=true
+##MemoryDenyWriteExecute=true
+#RestrictRealtime=true
+#RestrictSUIDSGID=true
 ## RemoveIPC=true
 ## PrivateMounts=true
 ## MountFlags=

--- a/templates/etc/systemd/user/subapp.service.j2
+++ b/templates/etc/systemd/user/subapp.service.j2
@@ -39,18 +39,20 @@ OOMScoreAdjust=-900
 ### Security features
 # documented at "man (5) systemd.exec" and
 # https://www.freedesktop.org/software/systemd/man/systemd.exec.html
-ProtectSystem=full
+# KEEP DEACTIVATED IF YOU WANT TO SEND EMAILS! EXIM DOESN'T WORK WITH
+# ANY OF THESE SETTINGS IN PLACE!
+#ProtectSystem=full
 ## ProtectHome=read-only
-ProtectHostname=true
-ProtectClock=true
-ProtectKernelTunables=true
-ProtectKernelModules=true
-ProtectKernelLogs=true
-ProtectControlGroups=true
-LockPersonality=true
-#MemoryDenyWriteExecute=true
-RestrictRealtime=true
-RestrictSUIDSGID=true
+#ProtectHostname=true
+#ProtectClock=true
+#ProtectKernelTunables=true
+#ProtectKernelModules=true
+#ProtectKernelLogs=true
+#ProtectControlGroups=true
+#LockPersonality=true
+##MemoryDenyWriteExecute=true
+#RestrictRealtime=true
+#RestrictSUIDSGID=true
 ## RemoveIPC=true
 ## PrivateMounts=true
 ## MountFlags=

--- a/templates/etc/systemd/user/webservice_status_SLUBarchiv.service.j2
+++ b/templates/etc/systemd/user/webservice_status_SLUBarchiv.service.j2
@@ -13,18 +13,20 @@ User={{ vault_subapp_user }}
 ### Security features
 # documented at https://www.freedesktop.org/software/systemd/man/systemd.exec.html
 # DEACTIVATED FOR DEBIAN 10, AS SYSTEMD DOESN'T SEEM TO SUPPORT THEM YET.
-ProtectSystem=full
-#ProtectHome=read-only
-ProtectHostname=true
-ProtectClock=true
-ProtectKernelTunables=true
-ProtectKernelModules=true
-ProtectKernelLogs=true
-ProtectControlGroups=true
-LockPersonality=true
-#MemoryDenyWriteExecute=true
-RestrictRealtime=true
-RestrictSUIDSGID=true
+# KEEP DEACTIVATED IF YOU WANT TO SEND EMAILS! EXIM DOESN'T WORK WITH
+# ANY OF THESE SETTINGS IN PLACE!
+#ProtectSystem=full
+##ProtectHome=read-only
+#ProtectHostname=true
+#ProtectClock=true
+#ProtectKernelTunables=true
+#ProtectKernelModules=true
+#ProtectKernelLogs=true
+#ProtectControlGroups=true
+#LockPersonality=true
+##MemoryDenyWriteExecute=true
+#RestrictRealtime=true
+#RestrictSUIDSGID=true
 ## RemoveIPC=true
 ## PrivateMounts=true
 ## MountFlags=