From 21de9e6f66c09dd89aa034b081471003f10ef2c4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Sachse?= <joerg.sachse@slub-dresden.de>
Date: Wed, 25 Jan 2023 14:34:49 +0100
Subject: [PATCH] fix: disable SystemD protections, as they don't work with
 Exim4 and prevent mail notifications from being sent (see SubApp Issue #147
 for details, thx @steidl @romeyke @heide)

---
 templates/etc/systemd/user/disapp.service.j2  | 24 +++++++++--------
 templates/etc/systemd/user/subapp.service.j2  | 24 +++++++++--------
 .../webservice_status_SLUBarchiv.service.j2   | 26 ++++++++++---------
 3 files changed, 40 insertions(+), 34 deletions(-)

diff --git a/templates/etc/systemd/user/disapp.service.j2 b/templates/etc/systemd/user/disapp.service.j2
index f5c1e24..e2ac5a5 100644
--- a/templates/etc/systemd/user/disapp.service.j2
+++ b/templates/etc/systemd/user/disapp.service.j2
@@ -41,17 +41,19 @@ OOMScoreAdjust=-900
 # documented at "man (5) systemd.exec" and
 # https://www.freedesktop.org/software/systemd/man/systemd.exec.html
 # DEACTIVATED FOR DEBIAN 10, AS SYSTEMD DOESN'T SEEM TO SUPPORT THEM YET.
-ProtectSystem=full
-ProtectHostname=true
-ProtectClock=true
-ProtectKernelTunables=true
-ProtectKernelModules=true
-ProtectKernelLogs=true
-ProtectControlGroups=true
-LockPersonality=true
-#MemoryDenyWriteExecute=true
-RestrictRealtime=true
-RestrictSUIDSGID=true
+# KEEP DEACTIVATED IF YOU WANT TO SEND EMAILS! EXIM DOESN'T WORK WITH
+# ANY OF THESE SETTINGS IN PLACE!
+#ProtectSystem=full
+#ProtectHostname=true
+#ProtectClock=true
+#ProtectKernelTunables=true
+#ProtectKernelModules=true
+#ProtectKernelLogs=true
+#ProtectControlGroups=true
+#LockPersonality=true
+##MemoryDenyWriteExecute=true
+#RestrictRealtime=true
+#RestrictSUIDSGID=true
 ## RemoveIPC=true
 ## PrivateMounts=true
 ## MountFlags=
diff --git a/templates/etc/systemd/user/subapp.service.j2 b/templates/etc/systemd/user/subapp.service.j2
index 191a235..984963f 100644
--- a/templates/etc/systemd/user/subapp.service.j2
+++ b/templates/etc/systemd/user/subapp.service.j2
@@ -39,18 +39,20 @@ OOMScoreAdjust=-900
 ### Security features
 # documented at "man (5) systemd.exec" and
 # https://www.freedesktop.org/software/systemd/man/systemd.exec.html
-ProtectSystem=full
+# KEEP DEACTIVATED IF YOU WANT TO SEND EMAILS! EXIM DOESN'T WORK WITH
+# ANY OF THESE SETTINGS IN PLACE!
+#ProtectSystem=full
 ## ProtectHome=read-only
-ProtectHostname=true
-ProtectClock=true
-ProtectKernelTunables=true
-ProtectKernelModules=true
-ProtectKernelLogs=true
-ProtectControlGroups=true
-LockPersonality=true
-#MemoryDenyWriteExecute=true
-RestrictRealtime=true
-RestrictSUIDSGID=true
+#ProtectHostname=true
+#ProtectClock=true
+#ProtectKernelTunables=true
+#ProtectKernelModules=true
+#ProtectKernelLogs=true
+#ProtectControlGroups=true
+#LockPersonality=true
+##MemoryDenyWriteExecute=true
+#RestrictRealtime=true
+#RestrictSUIDSGID=true
 ## RemoveIPC=true
 ## PrivateMounts=true
 ## MountFlags=
diff --git a/templates/etc/systemd/user/webservice_status_SLUBarchiv.service.j2 b/templates/etc/systemd/user/webservice_status_SLUBarchiv.service.j2
index 6cbf9d2..bd5a1c1 100644
--- a/templates/etc/systemd/user/webservice_status_SLUBarchiv.service.j2
+++ b/templates/etc/systemd/user/webservice_status_SLUBarchiv.service.j2
@@ -13,18 +13,20 @@ User={{ vault_subapp_user }}
 ### Security features
 # documented at https://www.freedesktop.org/software/systemd/man/systemd.exec.html
 # DEACTIVATED FOR DEBIAN 10, AS SYSTEMD DOESN'T SEEM TO SUPPORT THEM YET.
-ProtectSystem=full
-#ProtectHome=read-only
-ProtectHostname=true
-ProtectClock=true
-ProtectKernelTunables=true
-ProtectKernelModules=true
-ProtectKernelLogs=true
-ProtectControlGroups=true
-LockPersonality=true
-#MemoryDenyWriteExecute=true
-RestrictRealtime=true
-RestrictSUIDSGID=true
+# KEEP DEACTIVATED IF YOU WANT TO SEND EMAILS! EXIM DOESN'T WORK WITH
+# ANY OF THESE SETTINGS IN PLACE!
+#ProtectSystem=full
+##ProtectHome=read-only
+#ProtectHostname=true
+#ProtectClock=true
+#ProtectKernelTunables=true
+#ProtectKernelModules=true
+#ProtectKernelLogs=true
+#ProtectControlGroups=true
+#LockPersonality=true
+##MemoryDenyWriteExecute=true
+#RestrictRealtime=true
+#RestrictSUIDSGID=true
 ## RemoveIPC=true
 ## PrivateMounts=true
 ## MountFlags=
-- 
GitLab