Radicale
git post-commit hook: send email
I want to use a post-commit hook that sends me a mail locally when a git commit is made.
Unfortunately, the mail delivery fails.
sendmail: fatal: inet_addr_local[getifaddrs]: getifaddrs: Address family not supported by protocol
When I run the script manually with my own user it works. What permission in the systemd service file do I need to set for this to work?
# Collect the most recent commit (header and message) as the mail body
message=$(git log -1)
mail -s "Radicale Commit" root <<< "$message"
This message usually appears if the mail client, e.g., wants to use IPv6 but it is not supported. Have you tried executing this command as the same user that Radicale is running as? Is SELinux active? If so, check audit.log.
Is it possible that the unit file from systemd is causing this error?
[Unit]
Description=radicale - A simple CalDAV (calendar) and CardDAV (contact) server
After=syslog.target network.target
Requires=network.target
[Service]
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
ExecStart=/usr/bin/radicale
Group=radicale
IPAccounting=true
LockPersonality=true
MemoryDenyWriteExecute=true
NoNewPrivileges=yes
PrivateDevices=yes
PrivateTmp=yes
PrivateUsers=yes
ProtectClock=true
ProtectControlGroups=true
ProtectHome=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectProc=invisible
ProtectSystem=strict
RemoveIPC=true
Restart=on-failure
RestrictAddressFamilies=~AF_PACKET AF_NETLINK AF_UNIX
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
StateDirectory=radicale
SystemCallArchitectures=native
SystemCallErrorNumber=EPERM
SystemCallFilter=@system-service
SystemCallFilter=~@resources
UMask=0027
User=radicale
[Install]
WantedBy=multi-user.target
This particular unit file is very restrictive and therefore potentially too secure... The original message leads to a missing "AF_INET" in the "RestrictAddressFamilies" option, but it is potentially not the only one which restricts access.
The one bundled with the RPM for Enterprise Linux is more minimalistic, so you potentially have to iterate until it's working on your side:
Restart=on-failure
Type=exec
User=radicale
Group=radicale
UMask=0027
PrivateTmp=true
ProtectSystem=strict
ProtectHome=true
PrivateDevices=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
NoNewPrivileges=true
CapabilityBoundingSet=
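An added example (not from the thread or the Radicale project) that reads the RestrictAddressFamilies= line of the restrictive unit file the way systemd.exec(5) describes it: a value starting with ~ is a deny-list, anything else is an allow-list. It reports which families the hook would be refused and the smallest change that permits them. The NEEDED list is an assumption about what a local mail call uses; glibc's getifaddrs() opens an AF_NETLINK socket, and systemd answers a denied socket() with EAFNOSUPPORT, which is the error text in the first post.

```python
# Added example: evaluate one systemd RestrictAddressFamilies= value.
# Per systemd.exec(5): a plain list is an allow-list, "~" makes it a deny-list.

def parse_restrict(value):
    """Return (is_allow_list, families) for one directive value."""
    value = value.strip()
    return (not value.startswith("~"), set(value.lstrip("~").split()))


def find_directive(unit_text):
    """Return the value of the single RestrictAddressFamilies= line, or None."""
    values = []
    for line in unit_text.splitlines():
        key, sep, val = line.strip().partition("=")
        if sep and key.strip() == "RestrictAddressFamilies":
            values.append(val)
    if len(values) > 1:
        raise ValueError("several assignments are merged by systemd; not handled")
    return values[0] if values else None


def blocked(value, needed):
    """Families from `needed` that the sandbox would refuse under `value`."""
    if value is None or not value.strip():
        return []  # directive absent or empty: nothing is restricted
    allow, fams = parse_restrict(value)
    return sorted(f for f in needed if (f in fams) != allow)


def relaxed(value, needed):
    """Smallest change to `value` that permits every family in `needed`."""
    allow, fams = parse_restrict(value)
    fams = fams | set(needed) if allow else fams - set(needed)
    if not fams:
        return ""  # nothing left to list: same as an empty assignment
    return ("" if allow else "~") + " ".join(sorted(fams))


# Constructed input: the directive as it appears in the unit file above.
UNIT = "[Service]\nRestrictAddressFamilies=~AF_PACKET AF_NETLINK AF_UNIX\n"
# Assumption: families a local `mail` call needs. glibc getifaddrs() uses
# AF_NETLINK; AF_UNIX is assumed for local sockets such as syslog.
NEEDED = ["AF_INET", "AF_NETLINK", "AF_UNIX"]

if __name__ == "__main__":
    value = find_directive(UNIT)
    print("blocked:", blocked(value, NEEDED))
    print("RestrictAddressFamilies=" + relaxed(value, NEEDED))
```

When the relaxed value goes into a drop-in rather than the unit file itself, assign an empty `RestrictAddressFamilies=` first so the original value is reset instead of merged with the new one.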