Description
What happened?
When starting CrowdSec without root using systemd (see steps to reproduce), `cscli notifications test email` fails, it expects that the email notifications binary is owned by root despite a previous error message saying it should be owned by the CrowdSec user.

When restarting CrowdSec after changing the systemd config:

```
FATAL api server init: plugin broker: loading plugin: plugin at /usr/lib/crowdsec/plugins/notification-email is not owned by user 'crowdsec'
```

After correcting ownership and running `cscli notifications test email`, I get this error message:

```
Error: loading plugin: plugin at /usr/lib/crowdsec/plugins/notification-email is not owned by user 'root'
```
What did you expect to happen?
I expect to be able to receive a test notification. The plugin should not be expecting the plugin binary to be owned by root when CrowdSec isn't running as root.
How can we reproduce it (as minimally and precisely as possible)?
Use this systemd drop-in file:

```ini
[Service]
User = crowdsec
Group = crowdsec
AmbientCapabilities = cap_net_bind_service cap_kill cap_net_admin cap_setuid cap_setgid cap_dac_read_search cap_dac_override
CapabilityBoundingSet = cap_net_bind_service cap_kill cap_net_admin cap_setuid cap_setgid cap_dac_read_search cap_dac_override
```

Change ownership of `/usr/lib/crowdsec/` to `crowdsec`.
Anything else we need to know?
I haven't tested a rootless setup any more than this so there could be other broken features when running rootless. At least from what I've seen basic LAPI functionality seems to be working.
Crowdsec version
```console
$ cscli version
version: v1.6.11-debian-pragmatic-amd64-d64ee2ae
Codename: alphaga
BuildDate: 2025-07-22_13:19:56
GoVersion: 1.24.4
Platform: linux
libre2: C++
User-Agent: crowdsec/v1.6.11-debian-pragmatic-amd64-d64ee2ae-linux
Constraint_parser: >= 1.0, <= 3.0
Constraint_scenario: >= 1.0, <= 3.0
Constraint_api: v1
Constraint_acquis: >= 1.0, < 2.0
Built-in optional components: cscli_setup, datasource_appsec, datasource_cloudwatch, datasource_docker, datasource_file, datasource_http, datasource_journalctl, datasource_k8s-audit, datasource_kafka, datasource_kinesis, datasource_loki, datasource_s3, datasource_syslog, datasource_victorialogs, datasource_wineventlog
```
OS version
```console
$ cat /etc/os-release
PRETTY_NAME="Ubuntu 24.04.2 LTS"
NAME="Ubuntu"
VERSION_ID="24.04"
VERSION="24.04.2 LTS (Noble Numbat)"
VERSION_CODENAME=noble
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=noble
LOGO=ubuntu-logo
$ uname -a
Linux crowdsec-lapi 6.8.0-78-generic #78-Ubuntu SMP PREEMPT_DYNAMIC Tue Aug 12 11:34:18 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
```
Enabled collections and parsers
N/A
Acquisition config
Config show
<details>

```console
$ cscli config show
Global:
- Configuration Folder : /etc/crowdsec
- Data Folder : /var/lib/crowdsec/data
- Hub Folder : /etc/crowdsec/hub
- Notification Folder : /etc/crowdsec/notifications
- Simulation File : /etc/crowdsec/simulation.yaml
- Log Folder : /var/log
- Log level : info
- Log Media : file
Crowdsec:
- Acquisition File :
- Parsers routines : 1
- Acquisition Folder : /etc/crowdsec/acquis.d
cscli:
- Output : human
- Hub Branch :
API Client:
- URL : https://example.com/
- Login : crowdsec-lapi
- Credentials File : /etc/crowdsec/local_api_credentials.yaml
Local API Server:
- Listen URL : 0.0.0.0:443
- Listen Socket :
- Profile File : /etc/crowdsec/profiles.yaml
- Cert File : /etc/letsencrypt/live/example.com/fullchain.pem
- Key File : /etc/letsencrypt/live/example.com/privkey.pem
- Trusted IPs:
- 127.0.0.1
- Database:
- Type : mysql
- Host : 127.0.0.1
- Port : 3306
- User : crowdsec
- DB Name : crowdsec
- Flush age : 168h0m0s
- Flush size : 5000
```
</details>
### Prometheus metrics
<details>
N/A
</details>
### Related custom configs versions (if applicable) : notification plugins, custom scenarios, parsers etc.
<details>
N/A
</details>
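
The two error messages in the report name different users for the same binary. The Go sketch below is an added example, not CrowdSec's code and not part of the original report. It assumes the plugin loader compares the file's owner with the user of whichever process performs the check, and shows why one file cannot pass for both a service user and a different invoking user. `checkPlugin`, `demo` and the user names are hypothetical, and the plugin file is a constructed temp file.

```go
package main

import (
	"fmt"
	"os"
	"syscall"
)

// checkPlugin is a hypothetical validator, not CrowdSec's code. It rejects a
// plugin binary unless it is owned by wantUID and not group/world-writable.
func checkPlugin(path string, wantUID uint32, wantName string) error {
	info, err := os.Stat(path)
	if err != nil {
		return err
	}
	st, ok := info.Sys().(*syscall.Stat_t)
	if !ok {
		return fmt.Errorf("no ownership data for %s", path)
	}
	if st.Uid != wantUID {
		return fmt.Errorf("plugin at %s is not owned by user '%s'", path, wantName)
	}
	if info.Mode().Perm()&0o022 != 0 {
		return fmt.Errorf("plugin at %s is group- or world-writable", path)
	}
	return nil
}

// demo builds a constructed plugin file owned by the current user, then
// validates it as two callers: one running as the owner (the daemon's view)
// and one running under a different UID (the CLI's view).
func demo() (asOwner, asOther error) {
	f, err := os.CreateTemp("", "notification-demo-*")
	if err != nil {
		return err, err
	}
	defer os.Remove(f.Name())
	f.Close()
	me := uint32(os.Geteuid())
	asOwner = checkPlugin(f.Name(), me, "service-user")
	asOther = checkPlugin(f.Name(), me+1, "other-user")
	return asOwner, asOther
}

func main() {
	a, b := demo()
	fmt.Println("caller is owner:", a)
	fmt.Println("caller is other:", b)
}
```

Under that assumption, a check keyed to the configured service account rather than to the invoking process would give the same answer from the daemon and from the CLI.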