
   linux.debian.bugs.dist      Ohh some weird Debian bug report thing      28,835 messages   


   Message 28,330 of 28,835   
   Bastian Germann to All   
   Bug#1128511: trixie-pu: package xfsprogs   
   20 Feb 26 18:20:01   
   
   XPost: linux.debian.devel.release   
   From: bage@debian.org   
      
   This is a multi-part MIME message sent by reportbug.   
      
      
   Package: release.debian.org   
   Severity: normal   
   Tags: trixie   
   X-Debbugs-Cc: xfsprogs@packages.debian.org   
   Control: affects -1 + src:xfsprogs   
   User: release.debian.org@packages.debian.org   
   Usertags: pu   
      
   [ Reason ]   
   xfs_scrub_fail email reporting fails, which is documented as #1116595.   
   This is specific to a mail setup that I do not use.   
      
   [ Impact ]   
   "Permission denied" entries spam the system logs:   
   postfix/postdrop[37291]: warning: mail_queue_enter: create file maildrop/480926.37291: Permission denied   
      
   This is due to systemd sandboxing features in xfs_scrub_all_fail.service   
   not aligning with the sendmail setup.   
      
   [ Tests ]   
   Check the xfs_scrub_all_fail.service to run properly.   
   I do not have the time to replicate the bug-described setup. Sorry.   
      
   [ Risks ]   
   This is taking away sandboxing features that are too strict for this   
   type of service.   
      
   [ Checklist ]   
     [x] *all* changes are documented in the d/changelog   
     [x] I reviewed all changes and I approve them   
     [x] attach debdiff against the package in stable   
     [x] the issue is verified as fixed in unstable   
      
   [ Changes ]   
   New patch changes one file and comes from upstream.   
   This removes systemd sandboxing features that are too strict,   
   especially CapabilityBoundingSet= and NoNewPrivileges=true.   
      
   [ Other info ]   
   The service can just be disabled (the feature does not work with trixie   
   anyway) but people really want a stable update.   
      
   diff -Nru xfsprogs-6.13.0/debian/changelog xfsprogs-6.13.0/debian/changelog   
   --- xfsprogs-6.13.0/debian/changelog	2025-02-23 15:32:04.000000000 +0100   
   +++ xfsprogs-6.13.0/debian/changelog	2026-02-20 17:32:00.000000000 +0100   
   @@ -1,3 +1,10 @@   
   +xfsprogs (6.13.0-2+deb13u1) trixie; urgency=medium   
   +   
   +  * xfs_scrub_fail: reduce security lockdowns to avoid postfix problems   
   +    (Closes: #1116595)   
   +   
   + -- Bastian Germann   Fri, 20 Feb 2026 17:32:00 +0100   
   +   
    xfsprogs (6.13.0-2) unstable; urgency=medium   
      
      * Patch: mkfs: Correct filesize declaration   
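
Review bot: the new 6.13.0-2+deb13u1 entry describes the change only as "reduce security lockdowns", while the upstream commit it imports says the sandboxing is turned off entirely and its diffstat shows 3 insertions against 54 deletions. For a stable update, spell that out in the entry, for example that the hardening directives are dropped from xfs_scrub_fail@.service, and name the added patch file and upstream commit 15fd6fc686d5 so the origin can be traced from the changelog alone.
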
   diff -Nru xfsprogs-6.13.0/debian/patches/series xfsprogs-6.13.0/   
   ebian/patches/series   
   --- xfsprogs-6.13.0/debian/patches/series	2025-02-23 15:20:24.000000000 +0100   
   +++ xfsprogs-6.13.0/debian/patches/series	2026-02-20 17:29:24.000000000 +0100   
   @@ -1 +1,2 @@   
    mkfs-Correct-filesize-declaration.patch   
   +xfs_scrub_fail-reduce-security-lockdowns.patch   
   diff -Nru xfsprogs-6.13.0/debian/patches/xfs_scrub_fail-reduce-s   
   curity-lockdowns.patch xfsprogs-6.13.0/debian/patches/xfs_scrub_   
   ail-reduce-security-lockdowns.patch   
   --- xfsprogs-6.13.0/debian/patches/xfs_scrub_fail-reduce-securit   
   -lockdowns.patch	1970-01-01 01:00:00.000000000 +0100   
   +++ xfsprogs-6.13.0/debian/patches/xfs_scrub_fail-reduce-securit   
   -lockdowns.patch	2026-02-20 17:27:35.000000000 +0100   
   @@ -0,0 +1,101 @@   
   +From 15fd6fc686d5ce7640e46d44f6fa018413ce1b64 Mon Sep 17 00:00:00 2001   
   +From: "Darrick J. Wong"    
   +Date: Mon, 13 Oct 2025 16:34:24 -0700   
   +Subject: [PATCH] xfs_scrub_fail: reduce security lockdowns to avoid postfix   
   + problems   
   +   
   +Iustin Pop reports that the xfs_scrub_fail service fails to email   
   +problem reports on Debian when postfix is installed.  This is apparently   
   +due to several factors:   
   +   
   +1. postfix's sendmail wrapper calling postdrop directly,   
   +2. postdrop requiring the ability to write to the postdrop group,   
   +3. lockdown preventing the xfs_scrub_fail@ service to have postdrop in   
   +   the supplemental group list or the ability to run setgid programs   
   +   
   +Item (3) could be solved by adding the whole service to the postdrop   
   +group via SupplementalGroups=, but that will fail if postfix is not   
   +installed and hence there is no postdrop group.   
   +   
   +It could also be solved by forcing msmtp to be installed, bind mounting   
   +msmtp into the service container, and injecting a config file that   
   +instructs msmtp to connect to port 25, but that in turn isn't compatible   
   +with systems not configured to allow an smtp server to listen on ::1.   
   +   
   +So we'll go with the less restrictive approach that e2scrub_fail@ does,   
   +which is to say that we just turn off all the sandboxing. :( :(   
   +   
   +Reported-by: iustin@debian.org   
   +Cc: linux-xfs@vger.kernel.org # v6.10.0   
   +Fixes: 9042fcc08eed6a ("xfs_scrub_fail: tighten up the security on the   
   background systemd service")   
   +Signed-off-by: Darrick J. Wong    
   +Reviewed-by: Andrey Albershteyn    
   +---   
   + scrub/xfs_scrub_fail@.service.in | 57 ++------------------------------   
   + 1 file changed, 3 insertions(+), 54 deletions(-)   
   +   
   +diff --git a/scrub/xfs_scrub_fail@.service.in b/scrub/xfs_scrub   
   fail@.service.in   
   +index 16077888..1e205768 100644   
   +--- a/scrub/xfs_scrub_fail@.service.in   
   ++++ b/scrub/xfs_scrub_fail@.service.in   
   +@@ -19,57 +19,6 @@ SupplementaryGroups=systemd-journal   
   + # can control resource usage.   
   + Slice=system-xfs_scrub.slice   
   +   
   +-# No realtime scheduling   
   +-RestrictRealtime=true   
   +-   
   +-# Make the entire filesystem readonly and /home inaccessible.   
   +-ProtectSystem=full   
   +-ProtectHome=yes   
   +-PrivateTmp=true   
   +-RestrictSUIDSGID=true   
   +-   
   +-# Emailing reports requires network access, but not the ability to change the   
   +-# hostname.   
   +-ProtectHostname=true   
   +-   
   +-# Don't let the program mess with the kernel configuration at all   
   +-ProtectKernelLogs=true   
   +-ProtectKernelModules=true   
   +-ProtectKernelTunables=true   
   +-ProtectControlGroups=true   
   +-ProtectProc=invisible   
   +-RestrictNamespaces=true   
   +-   
   +-# Can't hide /proc because journalctl needs it to find various pieces of log   
   +-# information   
   +-#ProcSubset=pid   
   +-   
   +-# Only allow the default personality Linux   
   +-LockPersonality=true   
   +-   
   +-# No writable memory pages   
   +-MemoryDenyWriteExecute=true   
   +-   
   +-# Don't let our mounts leak out to the host   
   +-PrivateMounts=true   
   +-   
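
Review bot: every hardening directive in this hunk of scrub/xfs_scrub_fail@.service.in is deleted, but the commit message ties the postfix failure only to item (3), the service being unable to have postdrop in its supplemental group list or to run setgid programs. The message does not say which of the removed lines cause that, so settings such as ProtectKernelModules=true, ProtectKernelTunables=true, ProtectHostname=true and LockPersonality=true go without a stated reason. Ask for the patch header to record which directives actually block postdrop and whether the rest can stay. Also, the request names xfs_scrub_all_fail.service under [ Impact ] and [ Tests ] while this patch edits the xfs_scrub_fail@ template, and no test against a postfix setup was run, so the unit being fixed and the verification step should be confirmed before upload.
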
      
   [continued in next message]   
      