
[email_notifications] email notifications fail when running in rootless mode

Open GNU-Plus-Windows-User opened this issue 5 months ago • 2 comments

What happened?

When starting CrowdSec without root using systemd (see steps to reproduce), `cscli notifications test email` fails: it expects that the email notifications binary is owned by root, despite a previous error message saying it should be owned by the CrowdSec user.

When restarting CrowdSec after changing the systemd config:

```
FATAL api server init: plugin broker: loading plugin: plugin at /usr/lib/crowdsec/plugins/notification-email is not owned by user 'crowdsec'
```

After correcting ownership and running `cscli notifications test email`, I get this error message:

```
Error: loading plugin: plugin at /usr/lib/crowdsec/plugins/notification-email is not owned by user 'root'
```

What did you expect to happen?

I expect to be able to receive a test notification; the plugin should not be expecting the plugin binary to be owned by root when CrowdSec isn't running as root.

How can we reproduce it (as minimally and precisely as possible)?

Use this systemd drop-in file:

```
[Service]
User    = crowdsec
Group   = crowdsec

AmbientCapabilities   = cap_net_bind_service cap_kill cap_net_admin cap_setuid cap_setgid cap_dac_read_search cap_dac_override
CapabilityBoundingSet = cap_net_bind_service cap_kill cap_net_admin cap_setuid cap_setgid cap_dac_read_search cap_dac_override
```

Change ownership of `/usr/lib/crowdsec/` to crowdsec.

Anything else we need to know?

I haven't tested a rootless setup any more than this, so there could be other broken features when running rootless. At least from what I've seen, basic LAPI functionality seems to be working.

Crowdsec version

```
$ cscli version
version: v1.6.11-debian-pragmatic-amd64-d64ee2ae
Codename: alphaga
BuildDate: 2025-07-22_13:19:56
GoVersion: 1.24.4
Platform: linux
libre2: C++
User-Agent: crowdsec/v1.6.11-debian-pragmatic-amd64-d64ee2ae-linux
Constraint_parser: >= 1.0, <= 3.0
Constraint_scenario: >= 1.0, <= 3.0
Constraint_api: v1
Constraint_acquis: >= 1.0, < 2.0
Built-in optional components: cscli_setup, datasource_appsec, datasource_cloudwatch, datasource_docker, datasource_file, datasource_http, datasource_journalctl, datasource_k8s-audit, datasource_kafka, datasource_kinesis, datasource_loki, datasource_s3, datasource_syslog, datasource_victorialogs, datasource_wineventlog
```

OS version

```
$ cat /etc/os-release
PRETTY_NAME="Ubuntu 24.04.2 LTS"
NAME="Ubuntu"
VERSION_ID="24.04"
VERSION="24.04.2 LTS (Noble Numbat)"
VERSION_CODENAME=noble
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=noble
LOGO=ubuntu-logo

$ uname -a
Linux crowdsec-lapi 6.8.0-78-generic #78-Ubuntu SMP PREEMPT_DYNAMIC Tue Aug 12 11:34:18 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
```

Enabled collections and parsers

N/A

Acquisition config

N/A

Config show

```
$ cscli config show
Global:
   - Configuration Folder   : /etc/crowdsec
   - Data Folder            : /var/lib/crowdsec/data
   - Hub Folder             : /etc/crowdsec/hub
   - Notification Folder    : /etc/crowdsec/notifications
   - Simulation File        : /etc/crowdsec/simulation.yaml
   - Log Folder             : /var/log
   - Log level              : info
   - Log Media              : file
Crowdsec:
  - Acquisition File        :
  - Parsers routines        : 1
  - Acquisition Folder      : /etc/crowdsec/acquis.d
cscli:
  - Output                  : human
  - Hub Branch              :
API Client:
  - URL                     : https://example.com/
  - Login                   : crowdsec-lapi
  - Credentials File        : /etc/crowdsec/local_api_credentials.yaml
Local API Server:
  - Listen URL              : 0.0.0.0:443
  - Listen Socket           :
  - Profile File            : /etc/crowdsec/profiles.yaml
  - Cert File : /etc/letsencrypt/live/example.com/fullchain.pem
  - Key File  : /etc/letsencrypt/live/example.com/privkey.pem

  - Trusted IPs:
      - 127.0.0.1
  - Database:
      - Type                : mysql
      - Host                : 127.0.0.1
      - Port                : 3306
      - User                : crowdsec
      - DB Name             : crowdsec
      - Flush age           : 168h0m0s
      - Flush size          : 5000
```


Prometheus metrics

N/A

Related custom configs versions (if applicable): notification plugins, custom scenarios, parsers etc.

N/A

GNU-Plus-Windows-User avatar Aug 28 '25 14:08 GNU-Plus-Windows-User

@GNU-Plus-Windows-User: Thanks for opening an issue, it is currently awaiting triage.

In the meantime, you can:

  1. Check Crowdsec Documentation to see if your issue can be self resolved.
  2. You can also join our Discord.
  3. Check Releases to make sure your agent is on the latest version.

I am a bot created to help the crowdsecurity developers manage community feedback and contributions. You can check out my manifest file to understand my behavior and what I can do. If you want to use this for your project, you can check out the BirthdayResearch/oss-governance-bot repository.

github-actions[bot] avatar Aug 28 '25 14:08 github-actions[bot]

Yes, currently there is a hardcoded check that the binary uid / gid are 0.

We want to move this to check for the current process running uid / gid of the CrowdSec process rather than root; the only issue is that the default installs as root, so we would need to offer a short documentation of the gotchas.

LaurenceJJones avatar Aug 29 '25 09:08 LaurenceJJones
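
The two policies discussed in this thread, as an added example that is not part of the original issue and is not CrowdSec's own code: a plugin-binary check pinned to uid/gid 0 next to one that compares against the identity of the running process. The function names, the temp file standing in for the plugin, and the extra rule rejecting group- or world-writable binaries are assumptions of this sketch.

```go
package main

import (
	"fmt"
	"os"
	"syscall"
)

// checkPluginOwner is a hypothetical helper (not CrowdSec's code): the file
// must be a regular file owned by wantUID:wantGID and must not be writable
// by group or others (that last rule is an assumption of this example).
func checkPluginOwner(path string, wantUID, wantGID uint32) error {
	info, err := os.Lstat(path) // Lstat: a symlink is inspected itself, not followed
	if err != nil {
		return fmt.Errorf("loading plugin: %w", err)
	}
	st, ok := info.Sys().(*syscall.Stat_t)
	if !ok || !info.Mode().IsRegular() {
		return fmt.Errorf("plugin at %s is not a regular file", path)
	}
	if st.Uid != wantUID || st.Gid != wantGID {
		return fmt.Errorf("plugin at %s is owned by %d:%d, expected %d:%d",
			path, st.Uid, st.Gid, wantUID, wantGID)
	}
	if info.Mode().Perm()&0o022 != 0 {
		return fmt.Errorf("plugin at %s is group or world writable", path)
	}
	return nil
}

// checkAsRoot mirrors the hardcoded uid/gid 0 behaviour described in the thread.
func checkAsRoot(path string) error { return checkPluginOwner(path, 0, 0) }

// checkAsCurrentProcess compares against the identity the process runs as.
func checkAsCurrentProcess(path string) error {
	return checkPluginOwner(path, uint32(os.Geteuid()), uint32(os.Getegid()))
}

func main() {
	// Constructed sample: a temp file stands in for the plugin binary.
	f, err := os.CreateTemp("", "notification-email-*")
	if err != nil {
		panic(err)
	}
	defer os.Remove(f.Name())
	f.Close()
	fmt.Println("root check:           ", checkAsRoot(f.Name()))
	fmt.Println("current-process check:", checkAsCurrentProcess(f.Name()))
}
```

A check keyed to the calling process gives different answers for a daemon running as one user and a CLI invoked as another, so in this sketch both would need to run under the same identity to agree on the expected owner.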