Package: release.debian.org Severity: normal Tags: trixie X-Debbugs-Cc: [email protected] Control: affects -1 + src:xfsprogs User: [email protected] Usertags: pu
[ Reason ] xfs_scrub_fail email reporting fails, which is documented as #1116595. This is specific to a mail setup that I do not use. [ Impact ] "Permission denied" entries spam the system logs: postfix/postdrop[37291]: warning: mail_queue_enter: create file maildrop/480926.37291: Permission denied This is due to systemd sandboxing features in xfs_scrub_all_fail.service not aligning with the sendmail setup. [ Tests ] Check the xfs_scrub_all_fail.service to run properly. I do not have the time to replicate the bug-described setup. Sorry. [ Risks ] This is taking away sandboxing features that are too strict for this type of service. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in stable [x] the issue is verified as fixed in unstable [ Changes ] New patch changes one file and comes from upstream. This removes systemd sandboxing features that are too strict, especially CapabilityBoundingSet= and NoNewPrivileges=true. [ Other info ] The service can just be disabled (the feature does not work with trixie anyway) but people really want a stable update.
diff -Nru xfsprogs-6.13.0/debian/changelog xfsprogs-6.13.0/debian/changelog --- xfsprogs-6.13.0/debian/changelog 2025-02-23 15:32:04.000000000 +0100 +++ xfsprogs-6.13.0/debian/changelog 2026-02-20 17:32:00.000000000 +0100 @@ -1,3 +1,10 @@ +xfsprogs (6.13.0-2+deb13u1) trixie; urgency=medium + + * xfs_scrub_fail: reduce security lockdowns to avoid postfix problems + (Closes: #1116595) + + -- Bastian Germann <[email protected]> Fri, 20 Feb 2026 17:32:00 +0100 + xfsprogs (6.13.0-2) unstable; urgency=medium * Patch: mkfs: Correct filesize declaration diff -Nru xfsprogs-6.13.0/debian/patches/series xfsprogs-6.13.0/debian/patches/series --- xfsprogs-6.13.0/debian/patches/series 2025-02-23 15:20:24.000000000 +0100 +++ xfsprogs-6.13.0/debian/patches/series 2026-02-20 17:29:24.000000000 +0100 @@ -1 +1,2 @@ mkfs-Correct-filesize-declaration.patch +xfs_scrub_fail-reduce-security-lockdowns.patch diff -Nru xfsprogs-6.13.0/debian/patches/xfs_scrub_fail-reduce-security-lockdowns.patch xfsprogs-6.13.0/debian/patches/xfs_scrub_fail-reduce-security-lockdowns.patch --- xfsprogs-6.13.0/debian/patches/xfs_scrub_fail-reduce-security-lockdowns.patch 1970-01-01 01:00:00.000000000 +0100 +++ xfsprogs-6.13.0/debian/patches/xfs_scrub_fail-reduce-security-lockdowns.patch 2026-02-20 17:27:35.000000000 +0100 @@ -0,0 +1,101 @@ +From 15fd6fc686d5ce7640e46d44f6fa018413ce1b64 Mon Sep 17 00:00:00 2001 +From: "Darrick J. Wong" <[email protected]> +Date: Mon, 13 Oct 2025 16:34:24 -0700 +Subject: [PATCH] xfs_scrub_fail: reduce security lockdowns to avoid postfix + problems + +Iustin Pop reports that the xfs_scrub_fail service fails to email +problem reports on Debian when postfix is installed. This is apparently +due to several factors: + +1. postfix's sendmail wrapper calling postdrop directly, +2. postdrop requiring the ability to write to the postdrop group, +3. lockdown preventing the xfs_scrub_fail@ service to have postdrop in + the supplemental group list or the ability to run setgid programs + +Item (3) could be solved by adding the whole service to the postdrop +group via SupplementalGroups=, but that will fail if postfix is not +installed and hence there is no postdrop group. + +It could also be solved by forcing msmtp to be installed, bind mounting +msmtp into the service container, and injecting a config file that +instructs msmtp to connect to port 25, but that in turn isn't compatible +with systems not configured to allow an smtp server to listen on ::1. + +So we'll go with the less restrictive approach that e2scrub_fail@ does, +which is to say that we just turn off all the sandboxing. :( :( + +Reported-by: [email protected] +Cc: [email protected] # v6.10.0 +Fixes: 9042fcc08eed6a ("xfs_scrub_fail: tighten up the security on the background systemd service") +Signed-off-by: Darrick J. Wong <[email protected]> +Reviewed-by: Andrey Albershteyn <[email protected]> +--- + scrub/[email protected] | 57 ++------------------------------ + 1 file changed, 3 insertions(+), 54 deletions(-) + +diff --git a/scrub/[email protected] b/scrub/[email protected] +index 16077888..1e205768 100644 +--- a/scrub/[email protected] ++++ b/scrub/[email protected] +@@ -19,57 +19,6 @@ SupplementaryGroups=systemd-journal + # can control resource usage. + Slice=system-xfs_scrub.slice + +-# No realtime scheduling +-RestrictRealtime=true +- +-# Make the entire filesystem readonly and /home inaccessible. +-ProtectSystem=full +-ProtectHome=yes +-PrivateTmp=true +-RestrictSUIDSGID=true +- +-# Emailing reports requires network access, but not the ability to change the +-# hostname. +-ProtectHostname=true +- +-# Don't let the program mess with the kernel configuration at all +-ProtectKernelLogs=true +-ProtectKernelModules=true +-ProtectKernelTunables=true +-ProtectControlGroups=true +-ProtectProc=invisible +-RestrictNamespaces=true +- +-# Can't hide /proc because journalctl needs it to find various pieces of log +-# information +-#ProcSubset=pid +- +-# Only allow the default personality Linux +-LockPersonality=true +- +-# No writable memory pages +-MemoryDenyWriteExecute=true +- +-# Don't let our mounts leak out to the host +-PrivateMounts=true +- +-# Restrict system calls to the native arch and only enough to get things going +-SystemCallArchitectures=native +-SystemCallFilter=@system-service +-SystemCallFilter=~@privileged +-SystemCallFilter=~@resources +-SystemCallFilter=~@mount +- +-# xfs_scrub needs these privileges to run, and no others +-CapabilityBoundingSet= +-NoNewPrivileges=true +- +-# Failure reporting shouldn't create world-readable files +-UMask=0077 +- +-# Clean up any IPC objects when this unit stops +-RemoveIPC=true +- +-# No access to hardware device files +-PrivateDevices=true +-ProtectClock=true ++# No further restrictions because some installations may have MTAs such as ++# postfix, which require the ability to run setgid programs and other ++# foolishness.
