Score:1

Fail2ban socket permissions reset on reboot


I have a specific group/permissions set on my fail2ban.sock file to let Zabbix monitor Fail2ban, as described here: https://github.com/hermanekt/zabbix-fail2ban-discovery-

I added the following lines to systemd service configuration to make sure the permissions will be correct after service restart:

[Service]
ExecStartPost=/bin/sh -c "while ! [ -S /run/fail2ban/fail2ban.sock ]; do sleep 1; done"
ExecStartPost=/bin/chgrp fail2ban /run/fail2ban/fail2ban.sock
ExecStartPost=/bin/chmod g+w /run/fail2ban/fail2ban.sock

It works perfectly when I restart the service manually using systemctl restart fail2ban. But for some reason it does not work after a reboot. I tried adding some debug lines to ExecStartPost with a dummy echo and they are there, so the ExecStartPost actions are being executed. But it looks like something else rewrites the permissions on boot. Any ideas on how to troubleshoot?

Score:1

This looks possibly like a "timing" problem - maybe the first of your ExecStartPost commands timed out, or multiple ExecStartPost entries are not evaluated serially and run in parallel (due to the specified Type of the unit or some other setting), or something similar...

You could try rewriting it as a single line or as a script and using a single ExecStartPost parameter, or...

Why not just set a default ACL on the /run/fail2ban directory (e.g. in ExecStartPre), so the socket gets created with the correct permissions initially? See https://unix.stackexchange.com/a/1315/452987

So try something like this (systemd does not interpret &&, so the two commands have to be wrapped in a shell):

ExecStartPre=-/bin/sh -c "/bin/mkdir -p /run/fail2ban && /bin/setfacl -d -m g:fail2ban:rw /run/fail2ban"

Another variant would simply be to set a different path for the fail2ban socket in some persistent directory (e.g. /opt/fail2ban instead of /run/fail2ban), either with the -s parameter in the systemd unit or with the socket parameter in /etc/fail2ban/fail2ban.local, and set the permissions persistently.

ihorc
Don't know what the problem was, but I resolved it with the same commands moved to a separate script: `ExecStartPost=/usr/bin/bash -c "/lib/systemd/system/fail2ban-fix-socket-permissions.sh"`
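As an added example (not the commenter's script, and not code from fail2ban or the zabbix-fail2ban-discovery project), here is the kind of separate script the comment above describes, written so that it fails loudly: it waits for the socket with a bounded timeout instead of looping forever, applies the group and mode, and then verifies the result so a failure shows up in `systemctl status fail2ban` rather than as a silently unreadable socket. The script path `/usr/local/sbin/fail2ban-fix-socket-permissions.sh`, the drop-in file name and the function names are assumptions; the socket path and group are passed as arguments rather than hard-coded. The matching drop-in would be `/etc/systemd/system/fail2ban.service.d/socket-perms.conf` containing `[Service]` and `ExecStartPost=/usr/local/sbin/fail2ban-fix-socket-permissions.sh /run/fail2ban/fail2ban.sock fail2ban`, followed by `systemctl daemon-reload`.

```shell
#!/bin/sh
# fail2ban-fix-socket-permissions.sh (assumed install path: /usr/local/sbin/)
# Added example, not the original poster's script. Assumed drop-in
# (/etc/systemd/system/fail2ban.service.d/socket-perms.conf):
#   [Service]
#   ExecStartPost=/usr/local/sbin/fail2ban-fix-socket-permissions.sh /run/fail2ban/fail2ban.sock fail2ban
# Usage: fail2ban-fix-socket-permissions.sh SOCKET GROUP [TIMEOUT_SECONDS]

# Poll until SOCKET exists as a Unix socket or TIMEOUT seconds elapse.
# fail2ban binds the socket only after its server is up, so ExecStartPost
# can run before the file exists; an unbounded loop would hang the unit
# forever if the server never starts.
wait_for_socket() {
  sock=$1
  timeout=${2:-30}
  waited=0
  while [ ! -S "$sock" ]; do
    [ "$waited" -lt "$timeout" ] || return 1
    sleep 1
    waited=$((waited + 1))
  done
  return 0
}

# Succeed only if PATH is a socket owned by GROUP and group-writable.
# Parses `ls -ld` because `stat -c` is GNU-only: field 1 is the mode
# string, field 4 the group name. A trailing '+' (ACL present) is harmless.
check_socket_perms() {
  [ -S "$1" ] || return 1
  set -- "$2" $(ls -ld "$1")   # now $1=expected group, $2=mode, $5=group
  [ "$5" = "$1" ] || return 1
  case $2 in
    ?????w*) return 0 ;;       # 6th character of the mode is the group write bit
    *)       return 1 ;;
  esac
}

# Wait for the socket, hand it to GROUP with group write, then verify.
# Non-zero exit (plus a line on stderr, which lands in the journal) makes
# systemd mark the unit as failed instead of hiding the problem.
fix_socket_perms() {
  sock=$1
  grp=$2
  timeout=${3:-30}
  if ! wait_for_socket "$sock" "$timeout"; then
    echo "fix-socket-perms: $sock did not appear within ${timeout}s" >&2
    return 1
  fi
  chgrp "$grp" "$sock" || return 1
  chmod g+w "$sock" || return 1
  if ! check_socket_perms "$sock" "$grp"; then
    echo "fix-socket-perms: $sock is not group '$grp' and g+w after chmod" >&2
    return 1
  fi
  return 0
}

# Run only when invoked with arguments, so the functions can also be sourced.
if [ "$#" -ge 2 ]; then
  fix_socket_perms "$1" "$2" "${3:-30}"
fi
```

One caveat worth keeping in mind with either this approach or the default-ACL one: write access to fail2ban's control socket is full control of the server, and fail2ban runs its ban/unban actions as root and lets a client redefine them through `fail2ban-client set <jail> action ...`, so every member of the group you grant here is effectively root on the host. Keep that group to the monitoring account alone.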