Bug 1468715 - mgetty-sendfax / faxrunqd, systemd and running as non-root does not play nice
mgetty-sendfax / faxrunqd, systemd and running as non-root does not play nice
Status: NEW
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: mgetty (Show other bugs)
7.0
All Linux
unspecified Severity medium
: rc
: ---
Assigned To: Zdenek Dohnal
BaseOS QE Security Team
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2017-07-07 13:28 EDT by Gert Doering
Modified: 2017-07-19 06:57 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
systemd unit file for faxruqnd (340 bytes, text/plain)
2017-07-10 14:17 EDT, Gert Doering
no flags Details

  None (edit)
Description Gert Doering 2017-07-07 13:28:53 EDT
Description of problem:

For a real fax server, you want to run "faxrunqd" as a service (and not faxrunq from crontab) - which starts out with "there is no systemd unit file".  This needs some love :-)

Then, faxrunqd / sendfax are really intended to run as non-root - there's a "fax" user in the system, and all the spool directories belong to fax, but the device files (/dev/ttyS0) belong to "root:dialout" and the tty lock directory /var/lock/lockdev aka /run/lock/lockdev belongs to "root:lock", both not world-writeable - so, if faxrunqd/sendfax do run as user "fax", it would either be able to access the serial device, or be able to lock it, but not both at the same time.

Auxiliary groups would solve this (have "fax" belong to both "dialout" and "lock"), but as of today, "fax" is only member of the "fax" group...
 
 
Version-Release number of selected component (if applicable):
 
mgetty-1.1.36-28.el7.src.rpm
mgetty-sendfax-1.1.36-28.el7.x86_64

How reproducible:

Try to run "faxrunqd" as user fax, and send a fax to a real modem.


Steps to Reproduce:
1.
2.
3.

Actual results:

It fails locking or accessing the device, depending of the group you tell system
d to use ("Group=..." setting in the systemd service file)
 
Expected results:
 
"fax goes out"

Additional info:

I'm the upstream author, and I'm happy to help with any clarification needed.  I apologize that I'm not very well versed in using RHEL/CentOS, so anything "I should have known and checked" I might not have been aware of.  I did my best to figure out how things should be used, and that's the result...
Comment 2 Zdenek Dohnal 2017-07-10 06:54:24 EDT
Hi Gert,

thank you for reporting this issue, but I am deeply sorry, it will not make it into RHEL 7.4 and probably I will not have enough time for this issue in RHEL-7.5 (if I'll manage to fix it, I fix it, but I cannot say now for sure).

For summarization:

1) systemd unit file is needed - we can cooperate on it, because it would be good to have systemd support for faxrunqd. We have systemd unit files for mgetty service and vgetty service, so IMO it would be good if you are able to include them into your upstream project (I mean configurable systemd support)

2) group ownership if mgetty-sendfax/faxrunqd

Is it correct?
Comment 3 Gert Doering 2017-07-10 14:17 EDT
Created attachment 1295915 [details]
systemd unit file for faxruqnd

faxrunqd.service file in use here, which seems to work properly
Comment 4 Gert Doering 2017-07-10 14:22:06 EDT
Hi,

I've attached the faxrunqd.service file that our RHEL admin has written.

I have zero experience with systemd, so I can not comment on whether it's "the right way" to do things, but I can confirm that it works and makes faxrunqd run properly as non-root user, with all the required access privileges (lock for device locking and dialout for /dev/ttyS0 access).

Given that mgetty+sendfax is developed only on systems that do not have systemd (and this is not likely to change in the near future), I cannot reasonably maintain these unit files upstream.  Sorry.

Note You need to log in before you can comment on or make changes to this bug.