On 07/15/2016 09:45 AM, Fernando Rodriguez wrote:
> On 07/14/2016 09:36 PM, Jonathan Callen wrote:
>> On 07/14/2016 05:19 PM, Fernando Rodriguez wrote:
>>> On 07/13/2016 01:41 PM, wabe wrote:
>>>> Fernando Rodriguez <[email protected]> wrote:
>>>
>>>>> On 07/13/2016 07:10 AM, Alan McKinnon wrote:
>>>>>> On 12/07/2016 03:47, jens w wrote:
>>>>>>> .procmailrc
>>>>>>> :0 c
>>>>>>> * !^X-Loop: [email protected]
>>>>>>> | formail -X "From:" | $HOME/bin/script.sh
>>>>>>>
>>>>>>> procmail.log
>>>>>>> procmail: Executing " formail -X "From:" | $HOME/bin/script.sh
>>>>>>>
>>>>>>> for incoming mail, a script is executed. logfile has the same
>>>>>>> entry as it is in other users. but the script does nothing.
>>>>>>>
>>>>>>> How to execute a command as a nologin user?
>>>>>>>
>>>>>>
>>>>>>
>>>>>> You can't, not the way you are doing it.
>>>>>> You want to launch a shell script for the user, but the user's
>>>>>> shell is /sbin/nologin. This exits immediately without launching
>>>>>> the script.
>>>>>>
>>>>>> Give the user a real shell.
>>>>>>
>>>>>> Alan
>>>>>>
>>>>>
>>>>> I've been following this thread and thinking the same thing but
>>>>> wasn't sure.
>>>>>
>>>>> What if you invoke the shell directly instead of the script, either:
>>>>> /bin/sh -c "<path to script>" or /bin/sh -c "$(cat <script>)"?
>>>>>
>>>>> If procmail uses the system() call to launch the script it won't work
>>>>> but if it uses fork()/exec() or similar I think that it should work.
>>>
>>>> I don't know how procmail is launching scripts so I don't know if
>>>> that what I say now makes sense. :-)
>>>
>>>> I tested if another regular user (let's call him user1) can execute
>>>> scripts that are owned by nologinuser. It works as long as the path
>>>> and the script itself are readable and executable by user1.
>>>> If the script is writing stuff into /home/nologinuser then it is
>>>> also necessary that the home directory is writable by user1.
>>>
>>>> Of course user1 hasn't executed the script as nologinuser. I don't
>>>> know if procmail is doing so.
>>>
>>>> --
>>>> Regards
>>>> wabe
>>>
>>>
>>> Yes, you can execute any scripts as long as you have permissions. A program
>>> can use the exec() family of functions to do that. But if the program calls
>>> the system() function or similar it will try to use the user shell to
>>> execute the command. If the shell is nologin it will refuse to do so.
>>>
>>>
>
>> That's not actually true either. The system(3) function is defined to
>> create a child process using fork(2), then execute the specified command
>> using execl(3) as follows:
>
>> execl("/bin/sh", "sh", "-c", command, (char *) 0);
>
>> Note that this is not dependent on the user's normal shell, the shell
>> /bin/sh is *always* used.
>
>
> You're right, thanks.
> And I checked procmail and it tries execvp() first and if that fails it
> execv()s /bin/sh with the command as arguments so we're probably barking
> at the wrong tree.

Ah, procmail does the shell lookup.
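
Added example, not part of the thread and not procmail's code: a C sketch contrasting system(3), which always runs /bin/sh, with a launcher that hands the command to a shell it looked up itself, the case the thread ends on. The helper names and the candidate nologin paths are assumptions for illustration.

```c
/* Added illustration; helper names are hypothetical, not procmail source. */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* system(3) always runs /bin/sh -c, whatever $SHELL or passwd says. */
int run_with_system(const char *cmd)
{
    int st = system(cmd);
    return (st != -1 && WIFEXITED(st)) ? WEXITSTATUS(st) : -1;
}

/* Run cmd through a caller-chosen shell, as a program that looks up
 * the user's shell itself would. Returns the shell's exit code. */
int run_with_shell(const char *shell, const char *cmd)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execl(shell, shell, "-c", cmd, (char *)0);
        _exit(127);              /* exec failed: shell missing or not executable */
    }
    int st;
    if (waitpid(pid, &st, 0) < 0) return -1;
    return WIFEXITED(st) ? WEXITSTATUS(st) : -1;
}

/* First refusing "shell" present on this host (assumed common paths). */
const char *find_nologin(void)
{
    static const char *cand[] = { "/sbin/nologin", "/usr/sbin/nologin",
                                  "/bin/false", "/usr/bin/false" };
    for (size_t i = 0; i < sizeof cand / sizeof cand[0]; i++)
        if (access(cand[i], X_OK) == 0)
            return cand[i];
    return "/bin/false";
}

int main(void)
{
    const char *nl = find_nologin();
    setenv("SHELL", nl, 1);      /* system(3) ignores this */
    printf("system(3): exit %d\n", run_with_system("exit 0"));
    printf("/bin/sh -c: exit %d\n", run_with_shell("/bin/sh", "exit 0"));
    printf("%s -c: exit %d\n", nl, run_with_shell(nl, "exit 0"));
    return 0;
}
```

The third call is the one that matches the symptom in the original post: the command is logged as executed, but the refusing shell exits non-zero without running it.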

