On 2018-04-05 02:34, B. Reino wrote:
> This way the fix survives any updates and you don't have to mess with package-provided files.
You'd also have to add the following:
CapabilityBoundingSet=CAP_CHOWN CAP_DAC_OVERRIDE CAP_IPC_LOCK CAP_KILL CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_AUDIT_WRITE
It won't work without CAP_AUDIT_WRITE, even if NoNewPrivileges is set to false, at least not on my server.
But as I've mentioned, this _could_ be counterproductive if in the future the systemd file that comes with dovecot is changed and you forget to delete /etc/systemd/system/dovecot.service.d/NoNewPrivileges.conf again.
--
regards Helmut K. C. Tessarek
KeyID 0x172380A011EF4944
Key fingerprint = 8A55 70C1 BD85 D34E ADBC 386C 1723 80A0 11EF 4944
/* Thou shalt not follow the NULL pointer for chaos and madness await thee at its end. */