Red Hat Bugzilla – Bug 1468715
mgetty-sendfax / faxrunqd, systemd and running as non-root does not play nice
Last modified: 2017-07-19 06:57:39 EDT
Description of problem:
For a real fax server, you want to run "faxrunqd" as a service (and not faxrunq from crontab) - which starts out with "there is no systemd unit file". This needs some love :-)
Then, faxrunqd / sendfax are really intended to run as non-root - there's a "fax" user in the system, and all the spool directories belong to fax, but the device files (/dev/ttyS0) belong to "root:dialout" and the tty lock directory /var/lock/lockdev aka /run/lock/lockdev belongs to "root:lock", both not world-writeable - so, if faxrunqd/sendfax do run as user "fax", it would either be able to access the serial device, or be able to lock it, but not both at the same time.
Auxiliary groups would solve this (have "fax" belong to both "dialout" and "lock"), but as of today, "fax" is only member of the "fax" group...
Version-Release number of selected component (if applicable):
Try to run "faxrunqd" as user fax, and send a fax to a real modem.
Steps to Reproduce:
It fails locking or accessing the device, depending of the group you tell system
d to use ("Group=..." setting in the systemd service file)
"fax goes out"
I'm the upstream author, and I'm happy to help with any clarification needed. I apologize that I'm not very well versed in using RHEL/CentOS, so anything "I should have known and checked" I might not have been aware of. I did my best to figure out how things should be used, and that's the result...
thank you for reporting this issue, but I am deeply sorry, it will not make it into RHEL 7.4 and probably I will not have enough time for this issue in RHEL-7.5 (if I'll manage to fix it, I fix it, but I cannot say now for sure).
1) systemd unit file is needed - we can cooperate on it, because it would be good to have systemd support for faxrunqd. We have systemd unit files for mgetty service and vgetty service, so IMO it would be good if you are able to include them into your upstream project (I mean configurable systemd support)
2) group ownership if mgetty-sendfax/faxrunqd
Is it correct?
Created attachment 1295915 [details]
systemd unit file for faxruqnd
faxrunqd.service file in use here, which seems to work properly
I've attached the faxrunqd.service file that our RHEL admin has written.
I have zero experience with systemd, so I can not comment on whether it's "the right way" to do things, but I can confirm that it works and makes faxrunqd run properly as non-root user, with all the required access privileges (lock for device locking and dialout for /dev/ttyS0 access).
Given that mgetty+sendfax is developed only on systems that do not have systemd (and this is not likely to change in the near future), I cannot reasonably maintain these unit files upstream. Sorry.