[SOLVED] Hardening v3.00 breaks sending completion emails


Post by Darsh »

Debian 11, transmission-daemon 3.00-1.

Transmission v3.00 was hardened to disallow privilege escalation:
=== https://github.com/transmission/transmi ... s/tag/3.00 ===
Daemon
- Harden transmission-daemon.service by disallowing privileges elevation (#795)
=== https://github.com/transmission/transmission/pull/795 ===
jelly commented on Dec 28, 2018
Systemd 227 introduced the option to make a service disallow elevating privileges.
===

Unfortunately, this also blocks Exim from escalating to root, when being called by Transmission from a script hook - thus breaking the script sending the completion emails.

I had a post-download script ("script-torrent-done") that sends me an email when the torrent's download is complete. To send an email, Exim requires setuid root, to later change to Exim's group ID in order to write into the spool directory, which is owned by Exim's uid and gid. When started from Transmission uid, and with privilege escalations blocked, Exim fails to write to the spool directory. As a result, sending the emails fails with "Failed to create spool file". I've described the troubleshooting in detail on the Debian support forum.

Could you please re-allow privilege escalation by Transmission, or at least make it a configurable option?


Thanks,
Darsh
Last edited by Darsh on Thu Oct 14, 2021 9:20 pm, edited 1 time in total.

Re: Hardening v3.00 breaks sending completion emails

Post by Darsh »

Thanks to sandrotosi and ckerr at Transmission's GitHub - the issue is in systemd's setting "NoNewPrivileges=true" in /lib/systemd/system/transmission-daemon.service. After changing it to "false" and reloading the daemon, the e-mails started working again.


Darsh
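
The failure discussed in this thread can be diagnosed from inside the hook script itself. The helpers below are an added example, not code from the posts or from the Transmission project: they read the kernel's NoNewPrivs flag, check whether the mailer binary depends on setuid/setgid, and report the last explicit NoNewPrivileges= assignment across a unit file and its drop-ins. The function names and the Exim path /usr/sbin/exim4 are assumptions.

```shell
#!/bin/sh
# Added example; function names and default paths are assumptions.

# Print the NoNewPrivs value (0 or 1) from a /proc/<pid>/status style file.
# The default /proc/self/status is read by awk, a child process, which
# inherits the flag from the calling script.
nnp_flag() {
    awk '$1 == "NoNewPrivs:" { print $2; found = 1 }
         END { if (!found) print "unknown" }' "${1:-/proc/self/status}"
}

# Return 0 when executing $2 cannot gain its setuid/setgid privileges because
# the process described by status file $1 has no_new_privs set.
setid_blocked() {
    [ "$(nnp_flag "$1")" = "1" ] || return 1
    [ -u "$2" ] || [ -g "$2" ]
}

# Print the last explicit NoNewPrivileges= assignment in the given files.
# Pass them in the order systemd reads them: the unit file first, then its
# drop-ins sorted by name. Prints "unset" when no file assigns it. Only
# explicit assignments are considered.
unit_nnp() {
    awk -F= '
        /^[ \t]*NoNewPrivileges[ \t]*=/ {
            v = tolower($2); gsub(/[ \t\r]/, "", v)
            if (v ~ /^(1|yes|true|on)$/) val = "yes"
            else if (v ~ /^(0|no|false|off)$/) val = "no"
        }
        END { print (val == "" ? "unset" : val) }' "$@"
}

# Hook-side use: log a clear reason before the mailer fails on its own.
check_mailer() {
    mailer=${1:-/usr/sbin/exim4}   # assumed path of the setuid Exim binary
    if setid_blocked /proc/self/status "$mailer"; then
        echo "no_new_privs is set: $mailer will run without setuid" >&2
        return 1
    fi
}
```

Calling check_mailer at the top of the script-torrent-done hook turns the opaque "Failed to create spool file" into a logged cause.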