Hi,
I'm trying to write a service file for a daemon and having some
problems. I believe the issue is with the ability to give the process
write and read access to parts of the filesystem which appear to
somehow be restricted.
The daemon is the Avira virus scanner, which runs under amavisd-new.
The daemon's home directory is
/usr/local/savapi-sdk-linux_glibc24_x86_64, and it needs write access
in the modules directory.
The daemon can run as root or as the amavis user. It drops its
privileges to the amavis user after starting anyway.
Here is what I have so far:
# cat /etc/systemd/system/savapi.service
[Unit]
Description=Avira Antivirus SDK
Documentation=http://www.ijs.si/software/amavisd/#doc
After=network.target
Wants=clamd@amavisd.service
Wants=postfix.service
RequiresMountsFor="/usr/local/savapi-sdk-linux_glibc24_x86_64"
[Service]
Type=forking
User=amavis
Group=amavis
PIDFile=/var/run/amavisd/savapi.pid
ExecStart=/var/spool/amavisd/savapi.sh start
ExecReload=/var/spool/amavisd/savapi.sh reload
Restart=on-failure
#PrivateTmp=
PrivateDevices=false
CapabilityBoundingSet=
ProtectSystem=full
ProtectHome=true
[Install]
WantedBy=multi-user.target
I've specified "RequiresMountsFor", which I understood could be used
to provide access to parts of the filesystem. I've also disabled
PrivateTmp and PrivateDevices.
The ExecStart script just spawns the savapi daemon:
#!/bin/bash
cd /usr/local/savapi-sdk-linux_glibc24_x86_64/bin
./savapi --config=savapi.conf &
When I attempt to start the service, journalctl -xe shows me:
Validation failed for option 'ModulesDir' with value
'/usr/local/savapi-sdk-linux_glibc24_x86_64/modules'. Path cannot be
accessed (no write permission).
ModulesDir is /usr/local/savapi-sdk-linux_glibc24_x86_64/modules
When I run the script manually as root or as the amavis user, it runs
successfully.
I think the problem is that I don't understand how systemd processes
access the filesystem and the restrictions on permissions.
Any ideas greatly appreciated.
Thanks,
Alex
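Added example, not part of the post above and not Avira's or amavisd's own unit file: the same unit with the one directive that resolves the error in the log. `ProtectSystem=full` remounts /usr, /boot and /etc read-only inside the service's mount namespace, which is why a path under /usr/local fails the daemon's write check only when started by systemd and not when the script is run by hand. `RequiresMountsFor=` does not grant access to anything; it only orders the unit after the mount units for that path. The hole is punched with `ReadWritePaths=` (the same directive is spelled `ReadWriteDirectories=` on systemd releases before 231). The path is taken from the post; everything else is as the original unit had it.

```ini
# /etc/systemd/system/savapi.service -- hardening kept, write path added
[Unit]
Description=Avira Antivirus SDK
Documentation=http://www.ijs.si/software/amavisd/#doc
After=network.target
Wants=clamd@amavisd.service
Wants=postfix.service
# Only ordering: wait for the filesystem holding the SDK to be mounted.
# This directive does not lift any access restriction.
RequiresMountsFor=/usr/local/savapi-sdk-linux_glibc24_x86_64

[Service]
Type=forking
User=amavis
Group=amavis
PIDFile=/var/run/amavisd/savapi.pid
ExecStart=/var/spool/amavisd/savapi.sh start
ExecReload=/var/spool/amavisd/savapi.sh reload
Restart=on-failure
PrivateDevices=false
CapabilityBoundingSet=
# Makes /usr, /boot and /etc read-only for this service. With ModulesDir
# under /usr/local this is what produced "Path cannot be accessed
# (no write permission)" in journalctl.
ProtectSystem=full
# Re-expose exactly the directory the daemon must write (path from the
# post). On systemd < 231 the directive is named ReadWriteDirectories=.
ReadWritePaths=/usr/local/savapi-sdk-linux_glibc24_x86_64/modules
ProtectHome=true

[Install]
WantedBy=multi-user.target
```

After editing, run `systemctl daemon-reload` and `systemctl restart savapi.service`. `ReadWritePaths=` only removes the read-only bind mount for that subtree; the ordinary ownership and mode bits still apply, so the modules directory must also be writable by the amavis user on disk, as it already is for the manual run described in the post. Keeping `ProtectSystem=full` and opening a single directory is preferable to dropping the setting, since the daemon processes untrusted mail attachments and should not be able to write anywhere else under /usr or /etc.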