Bug 905673

P.S.: The $FETCHMAIL_USER in my example does not work, although it should.
P.P.S.: Should this be re-integrated, do not forget to supply a fitting /etc/sysconfig/fetchmail again.

I have done some further investigation but am yet to get a working solution this may help someone on there way though. systemd doesn't support changing user from the environment so the process must be launched as root and then use a script or su to change users.

I was working on the following however I have not been able to get it working 

[Unit]
Description=A remote-mail retrieval utility
After=network.target

[Service]
EnvironmentFile=-/etc/sysconfig/fetchmail
# User doesn't support environment variables
# User=fetchmail
Type=forking
# PID file so systemd can track
PIDFile=/run/fetchmail.pid
ExecStart=/usr/bin/su $FETCHMAIL_USER -c "/usr/bin/fetchmail --daemon --pidfile=/run/fetchmail.pid -d $FETCHMAIL_POLLING_INTERVAL $FETCHMAIL_EXPERT_OPTIONS -f $FETCHMAIL_RC_PATH"


[Install]
WantedBy=multi-user.target

If you do not care about setting the user from the /etc/sysconfig file I did have the following working in my case but it may need further testing.

[Unit]
Description=A remote-mail retrieval utility
After=network.target

[Service]
EnvironmentFile=-/etc/sysconfig/fetchmail
# User doesn't support environment variables
User=fetchmail

ExecStart=/usr/bin/fetchmail -d $FETCHMAIL_POLLING_INTERVAL $FETCHMAIL_EXPERT_OPTIONS -f $FETCHMAIL_RC_PATH


[Install]
WantedBy=multi-user.target

(In reply to Uwe Meyer-Gruhl from comment #0)
> While one can change that by editing
> /usr/lib/systemd/system/fetchmail.service, this is error-prone as that file
> would most probably get replaced by a future update of the package.

You are supposed to copy that file to /etc/systemd/system/fetchmail.service and make the changes there.

> I think this is due to quick-and-dirty transformation of the service. At
> least some of the relevant options could be kept configurable [...]

All except for changing the user, which is complicated and I will rather remove it in favor of changing the systemd service file.

This is an autogenerated message for OBS integration:
This bug (905673) was mentioned in
https://build.opensuse.org/request/show/386268 Factory / fetchmail

(In reply to Přemysl Janouch from comment #4)
> (In reply to Uwe Meyer-Gruhl from comment #0)
> 
> > I think this is due to quick-and-dirty transformation of the service. At
> > least some of the relevant options could be kept configurable [...]
> 
> All except for changing the user, which is complicated and I will rather
> remove it in favor of changing the systemd service file.

But that is the key point, because it is security-relevant. If there was a bug in fetchmail that could be triggered by ill-formed mail or header contents, one would not like to have a privilege escalation to root. Fetchmail itself even barks:

"fetchmail: WARNING: Running as root is discouraged."

when started as root in daemon mode. The ability to configure the user was there in case there were any problems with an MDA in non-root mode in the first place.

IMHO, without the ability to configure a nonprivileged user, the section to add a "fetchmail" daemon user in the fetchmail.spec file is pointless, too.

(In reply to Uwe Meyer-Gruhl from comment #6)
> [...]

The default (that cannot be changed with sysconfig now) is _not_ running as root.

(In reply to Přemysl Janouch from comment #7)
> (In reply to Uwe Meyer-Gruhl from comment #6)
> > [...]
> 
> The default (that cannot be changed with sysconfig now) is _not_ running as
> root.

Oh, I see. It is User=fetchmail by default in the fetchmail.service file (it's been a while since I looked into it). So all we lose is the flexibility - that is O.K.

This is an autogenerated message for OBS integration:
This bug (905673) was mentioned in
https://build.opensuse.org/request/show/386298 Factory / fetchmail

Submitted for 13.2, Leap, SLE12, closing.

This is an autogenerated message for OBS integration:
This bug (905673) was mentioned in
https://build.opensuse.org/request/show/390830 13.2 / fetchmail
https://build.opensuse.org/request/show/390831 42.1 / fetchmail

(In reply to Přemysl Janouch from comment #4)
> (In reply to Uwe Meyer-Gruhl from comment #0)
> > While one can change that by editing
> > /usr/lib/systemd/system/fetchmail.service, this is error-prone as that file
> > would most probably get replaced by a future update of the package.
> 
> You are supposed to copy that file to /etc/systemd/system/fetchmail.service
> and make the changes there.

For completeness - or create /etc/systemd/system/fetchmail.service.d/ and place your overrides/changes in a file there.

openSUSE-RU-2016:1184-1: An update that has two recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 905673,959682
CVE References: 
Sources used:
openSUSE 13.2 (src):    fetchmail-6.3.26-6.3.1

openSUSE-RU-2016:1185-1: An update that has one recommended fix can now be installed.

Category: recommended (moderate)
Bug References: 905673
CVE References: 
Sources used:
openSUSE Leap 42.1 (src):    fetchmail-6.3.26-14.1

*** Bug 979346 has been marked as a duplicate of this bug. ***

SUSE-RU-2016:1284-1: An update that has two recommended fixes can now be installed.

Category: recommended (low)
Bug References: 905673,959682
CVE References: 
Sources used:
SUSE Linux Enterprise Server 12-SP1 (src):    fetchmail-6.3.26-9.1
SUSE Linux Enterprise Server 12 (src):    fetchmail-6.3.26-9.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    fetchmail-6.3.26-9.1
SUSE Linux Enterprise Desktop 12 (src):    fetchmail-6.3.26-9.1

*** Bug 932163 has been marked as a duplicate of this bug. ***