我正在使用 systemd 253.5,我的目标是通过使用DynamicUser=
.该装置使用 GNU Mailutils 3.15 通过该mail
命令发送电子邮件。
[[email protected]:~]# systemctl cat [email protected]
# /etc/systemd/system/[email protected]
[Unit]
After=network.target
Description=Unit Status Mail Notifier
[Service]
Environment="LOCALE_ARCHIVE=/nix/store/5l0qzzkb3r3yxygdq3688fjcc18lwg3j-glibc-locales-2.37-8/lib/locale/locale-archive"
Environment="PATH=/nix/store/n0wyrb99dxinh0y6rjixmqdgvbm57fa6-mailutils-3.15/bin:/nix/store/f11ibsj5vmqcy8ihfa8mzvpfs4af7cw5-coreutils-9.1/bin:/nix/store/jvh4fbqfxwwn162k5hb8ndc4h5555wfa-findutils-4.9.0/bin:/nix/store/rn5b13lbsslbvmmbqnqxdcagzqp4435w-gnugrep-3.7/bin:/nix/store/w64nwxs3r6cyqgy6ssxib5i2r6k8yfc2-gnused-4.9/bin:/nix/store/8lgs0dqh9ks1164fp4g14gq7w1ihjbf0-systemd-253.5/bin:/nix/store/n0wyrb99dxinh0y6rjixmqdgvbm57fa6-mailutils-3.15/sbin:/nix/store/f11ibsj5vmqcy8ihfa8mzvpfs4af7cw5-coreutils-9.1/sbin:/nix/store/jvh4fbqfxwwn162k5hb8ndc4h5555wfa-findutils-4.9.0/sbin:/nix/store/rn5b13lbsslbvmmbqnqxdcagzqp4435w-gnugrep-3.7/sbin:/nix/store/w64nwxs3r6cyqgy6ssxib5i2r6k8yfc2-gnused-4.9/sbin:/nix/store/8lgs0dqh9ks1164fp4g14gq7w1ihjbf0-systemd-253.5/sbin"
Environment="TZDIR=/nix/store/4faw3w020cjxvd1dnxhg73mi10wcxvpw-tzdata-2023c/share/zoneinfo"
CapabilityBoundingSet=
ExecStart=/nix/store/1asmwq09fdn42k8rw09ps3jwsq6b0pqf-unit-status-mail/bin/unit-status-mail "[email protected]" "[email protected]" %I \
" Pretty hostname: Server 1" \
" Authoritative FQDN: server1.example.com" \
" Machine ID: %m" \
" Boot ID: %b"
IPAddressDeny=any
LockPersonality=true
MemoryDenyWriteExecute=true
PrivateDevices=true
PrivateNetwork=true
PrivateTmp=true
ProtectControlGroups=true
ProtectHostname=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectSystem=strict
RemoveIPC=true
RestrictAddressFamilies=AF_UNIX
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
SystemCallArchitectures=native
SystemCallErrorNumber=EPERM
SystemCallFilter=@system-service
SystemCallFilter=~@privileged
SystemCallFilter=~@resources
Type=simple
UMask=0077
[[email protected]:~]# cat /nix/store/1asmwq09fdn42k8rw09ps3jwsq6b0pqf-unit-status-mail/bin/unit-status-mail
#!/nix/store/7q1b1bsmxi91zci6g8714rcljl620y7f-bash-5.2-p15/bin/bash
MAILTO="$1"
MAILFROM="$2"
UNIT="$3"
EXTRA=""
for e in "${@:4}"; do
EXTRA+="$e"$'\n'
done
UNITSTATUS="$(systemctl status $UNIT)"
mail \
--content-type 'text/plain; charset=utf-8' \
--append=From:"$MAILFROM" \
--subject="Status for unit: $UNIT" \
"$MAILTO" <<EOF
Status report for unit: $UNIT
$EXTRA
$UNITSTATUS
EOF
DynamicUser=
暗示ProtectSystem=strict
这会阻止我的设备使用 GNU Mailutils 3.15: 发送电子邮件mail: cannot send message: Process exited with a non-zero status
。有了ProtectSystem=full
它效果很好。
我想我可以用来ReadWritePaths=
让它再次工作,但我不知道需要什么路径。
systemd 单元需要哪些路径才能让 GNU Mailutils 工作?