Bug 1468715
| Summary: | mgetty-sendfax / faxrunqd, systemd and running as non-root does not play nice | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Gert Doering <gert> | ||||
| Component: | mgetty | Assignee: | Zdenek Dohnal <zdohnal> | ||||
| Status: | CLOSED WONTFIX | QA Contact: | qe-baseos-daemons | ||||
| Severity: | medium | Docs Contact: | |||||
| Priority: | unspecified | ||||||
| Version: | 7.0 | CC: | gert, ksrot, msekleta | ||||
| Target Milestone: | rc | Keywords: | Patch | ||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | |||||||
| : | 1636433 (view as bug list) | Environment: | |||||
| Last Closed: | 2019-03-26 11:22:36 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | |||||||
| Bug Blocks: | 1534569, 1636433 | ||||||
| Attachments: |
|
||||||
Hi Gert, thank you for reporting this issue, but I am deeply sorry, it will not make it into RHEL 7.4 and probably I will not have enough time for this issue in RHEL-7.5 (if I'll manage to fix it, I fix it, but I cannot say now for sure). For summarization: 1) systemd unit file is needed - we can cooperate on it, because it would be good to have systemd support for faxrunqd. We have systemd unit files for mgetty service and vgetty service, so IMO it would be good if you are able to include them into your upstream project (I mean configurable systemd support) 2) group ownership if mgetty-sendfax/faxrunqd Is it correct? Created attachment 1295915 [details]
systemd unit file for faxruqnd
faxrunqd.service file in use here, which seems to work properly
Hi, I've attached the faxrunqd.service file that our RHEL admin has written. I have zero experience with systemd, so I can not comment on whether it's "the right way" to do things, but I can confirm that it works and makes faxrunqd run properly as non-root user, with all the required access privileges (lock for device locking and dialout for /dev/ttyS0 access). Given that mgetty+sendfax is developed only on systems that do not have systemd (and this is not likely to change in the near future), I cannot reasonably maintain these unit files upstream. Sorry. Hi Kurt! I'm deeply sorry, Red Hat Enterprise Linux version 7 is entering the Production 2 phase of its lifetime and this bug doesn't meet the criteria for it (adding new unit file is actually new feature request, which is not allowed in Production 2 phase), i.e. only high severity issues will be fixed. Please see https://access.redhat.com/support/policy/updates/errata/ for further information. This issue is fixed in Fedora 31 (rawhide) now. |
Description of problem: For a real fax server, you want to run "faxrunqd" as a service (and not faxrunq from crontab) - which starts out with "there is no systemd unit file". This needs some love :-) Then, faxrunqd / sendfax are really intended to run as non-root - there's a "fax" user in the system, and all the spool directories belong to fax, but the device files (/dev/ttyS0) belong to "root:dialout" and the tty lock directory /var/lock/lockdev aka /run/lock/lockdev belongs to "root:lock", both not world-writeable - so, if faxrunqd/sendfax do run as user "fax", it would either be able to access the serial device, or be able to lock it, but not both at the same time. Auxiliary groups would solve this (have "fax" belong to both "dialout" and "lock"), but as of today, "fax" is only member of the "fax" group... Version-Release number of selected component (if applicable): mgetty-1.1.36-28.el7.src.rpm mgetty-sendfax-1.1.36-28.el7.x86_64 How reproducible: Try to run "faxrunqd" as user fax, and send a fax to a real modem. Steps to Reproduce: 1. 2. 3. Actual results: It fails locking or accessing the device, depending of the group you tell system d to use ("Group=..." setting in the systemd service file) Expected results: "fax goes out" Additional info: I'm the upstream author, and I'm happy to help with any clarification needed. I apologize that I'm not very well versed in using RHEL/CentOS, so anything "I should have known and checked" I might not have been aware of. I did my best to figure out how things should be used, and that's the result...