Bug#871688: exim4-base: using su in cronjob invokes a full pam-session. use runuser instead
On 2017-08-14 at 16:30, Marc Haber wrote:
> On Thu, Aug 10, 2017 at 07:19:14PM +0200, Jakobus Schürz wrote:
>> You find my changes below to use runuser instead of su, which solves the
>> problems coming from the su-command.
>
> Given that I have never heard of runuser in 20+ years of Unix
> experience, shouldn't probably the su man page mention runuser?

I've also heard about runuser for the first time, when I asked on the systemd list... It seems it's built from the su code base (found a website when searching for this command) to avoid the problems if you want to run a command as another UID/GID with a whole session... like my problem. It's available since util-linux 2.23 :)

Greetings
Jakob
Bug#871688: exim4-base: using su in cronjob invokes a full pam-session. use runuser instead
On Thu, Aug 10, 2017 at 07:19:14PM +0200, Jakobus Schürz wrote:
> You find my changes below to use runuser instead of su, which solves the
> problems coming from the su-command.

Given that I have never heard of runuser in 20+ years of Unix
experience, shouldn't probably the su man page mention runuser?

Greetings
Marc
-- 
Marc Haber         | "I don't trust Computers. They | Mail address in header
Leimen, Germany    |  lose things."    Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature | How to make an American Quilt | Fax: *49 6224 1600421
Bug#871688: exim4-base: using su in cronjob invokes a full pam-session. use runuser instead
On 2017-08-13 at 13:53, Andreas Metzler wrote:
> On 2017-08-13 Jakob Schürz wrote:
>> On 2017-08-11 at 14:58, Andreas Metzler wrote:
>>> On 2017-08-10 Jakobus Schürz wrote:
> [...]
>     # if we reach this, invoking exim_tidydb from start-stop-daemon has
>     # failed, most probably because of libpam-tmpdir being in use
>     # (see #373786 and #376165)
> [...]
>>> for reference:
>>> It seems something is needed that
>>> a) uses PAM (because otherwise start-stop-daemon would have been enough)
>>> b) but does not invoke pam_systemd.
>
>>> That is true for /etc/pam.d/runuser (but not for /etc/pam.d/runuser-l,
>>> invoked by "runuser --login" or "runuser -")
>
>> ok. But what is this "something" which needs a PAM session to run tidydb?
>
> See the comment in the file as quoted above. exim_tidydb needs a writeable
> tmp-dir. If libpam-tmpdir is in use, exim4-base.cron.daily's tmp-dir is
> only writeable by root. So we need a "run as other user" command that
> re-uses libpam-tmpdir to set up a tmp-dir which is writeable by exim.
>
>> I can see "runuser --login" or "runuser -" or "runuser -l" also invokes
>> pam_systemd and starts the user services, which I don't want.
>
>> I changed the lines a little bit:
>
>>     find $SPOOLDIR/db -maxdepth 1 -name '*.lockfile' -or -name 'log.*' \
>>         -or -type f -printf '%f\0' | \
>>     runuser --shell=/bin/bash \
>>         --command="xargs -0r -n 1 /usr/sbin/exim_tidydb $SPOOLDIR > /dev/null" \
>>         Debian-exim
>
> So --command instead of --session-command also works. That is great,
> since --session-command is marked as "discouraged" in the runuser
> manpage. I will change this in GIT.

Sounds good! ;)

When do you think this will reach the goal of being in a Debian package in the repo? (Currently I'm using stable, so the update will be in testing?)

This bug can be closed then.

Thank you!!
jakob
Bug#871688: exim4-base: using su in cronjob invokes a full pam-session. use runuser instead
On 2017-08-11 at 14:58, Andreas Metzler wrote:
> On 2017-08-10 Jakobus Schürz wrote:
>> Package: exim4-base
>> Version: 4.89-2+deb9u1
>> Severity: normal
>
>> Dear Maintainer,
>
>> I have some systemd --user services from other packages.
>> The units are located in /etc/systemd/user/ or /usr/lib/systemd/user/
>> and enabled on installing.
>
>> When a daemon uses su or sudo on Debian, it starts a service
>> user@$UID.service which is a systemd daemon for the user session. These
>> sessions are normally not started for daemons with UID below 1000
>> (except Debian-gdm).
>
>> I asked on the systemd mailing list what the problem is, because sometimes
>> exim starts a user session (and with this the user services which are
>> thought for login users with UID greater-equal 1000).
>> They told me there must be the use of su or sudo in some scripts from
>> the daemon.
>> I looked around and found that there is su used in
>> /etc/cron.daily/exim4-base
>
>> You find my changes below to use runuser instead of su, which solves the
>> problems coming from the su-command.
> [...]
>>     if [ -x /usr/sbin/exim_tidydb ]; then
>>         cd $SPOOLDIR/db || exit 1
>>         if ! find $SPOOLDIR/db -maxdepth 1 -name '*.lockfile' -or -name 'log.*' \
>>             -or -type f -printf '%f\0' | \
>>             xargs -0r -n 1 \
>>             start-stop-daemon --start --exec /usr/sbin/exim_tidydb \
>>             --chuid Debian-exim:Debian-exim -- $SPOOLDIR > /dev/null; then
>>             # if we reach this, invoking exim_tidydb from start-stop-daemon has
>>             # failed, most probably because of libpam-tmpdir being in use
>>             # (see #373786 and #376165)
>>             find $SPOOLDIR/db -maxdepth 1 -name '*.lockfile' -or -name 'log.*' \
>>                 -or -type f -printf '%f\0' | \
>>             runuser --shell=/bin/bash \
>>                 Debian-exim \
>>                 --session-command="xargs -0r -n 1 /usr/sbin/exim_tidydb $SPOOLDIR > /dev/null"
>>         fi
>>     fi
>
> Hello,
>
> for reference:
> It seems something is needed that
> a) uses PAM (because otherwise start-stop-daemon would have been enough)
> b) but does not invoke pam_systemd.
>
> That is true for /etc/pam.d/runuser (but not for /etc/pam.d/runuser-l,
> invoked by "runuser --login" or "runuser -")

ok. But what is this "something" which needs a PAM session to run tidydb?

I can see "runuser --login" or "runuser -" or "runuser -l" also invokes pam_systemd and starts the user services, which I don't want.

I changed the lines a little bit:

    find $SPOOLDIR/db -maxdepth 1 -name '*.lockfile' -or -name 'log.*' \
        -or -type f -printf '%f\0' | \
    runuser --shell=/bin/bash \
        --command="xargs -0r -n 1 /usr/sbin/exim_tidydb $SPOOLDIR > /dev/null" \
        Debian-exim

I tried this manually, and it works... The cronjob did not fail anymore, and the db got tidied.

bye
jakob
Bug#871688: exim4-base: using su in cronjob invokes a full pam-session. use runuser instead
On 2017-08-10 Jakobus Schürz wrote:
> Package: exim4-base
> Version: 4.89-2+deb9u1
> Severity: normal
>
> Dear Maintainer,
>
> I have some systemd --user services from other packages.
> The units are located in /etc/systemd/user/ or /usr/lib/systemd/user/
> and enabled on installing.
>
> When a daemon uses su or sudo on Debian, it starts a service
> user@$UID.service which is a systemd daemon for the user session. These
> sessions are normally not started for daemons with UID below 1000
> (except Debian-gdm).
>
> I asked on the systemd mailing list what the problem is, because sometimes
> exim starts a user session (and with this the user services which are
> thought for login users with UID greater-equal 1000).
> They told me there must be the use of su or sudo in some scripts from
> the daemon.
> I looked around and found that there is su used in
> /etc/cron.daily/exim4-base
>
> You find my changes below to use runuser instead of su, which solves the
> problems coming from the su-command.
[...]
>     if [ -x /usr/sbin/exim_tidydb ]; then
>         cd $SPOOLDIR/db || exit 1
>         if ! find $SPOOLDIR/db -maxdepth 1 -name '*.lockfile' -or -name 'log.*' \
>             -or -type f -printf '%f\0' | \
>             xargs -0r -n 1 \
>             start-stop-daemon --start --exec /usr/sbin/exim_tidydb \
>             --chuid Debian-exim:Debian-exim -- $SPOOLDIR > /dev/null; then
>             # if we reach this, invoking exim_tidydb from start-stop-daemon has
>             # failed, most probably because of libpam-tmpdir being in use
>             # (see #373786 and #376165)
>             find $SPOOLDIR/db -maxdepth 1 -name '*.lockfile' -or -name 'log.*' \
>                 -or -type f -printf '%f\0' | \
>             runuser --shell=/bin/bash \
>                 Debian-exim \
>                 --session-command="xargs -0r -n 1 /usr/sbin/exim_tidydb $SPOOLDIR > /dev/null"
>         fi
>     fi

Hello,

for reference:
It seems something is needed that
a) uses PAM (because otherwise start-stop-daemon would have been enough)
b) but does not invoke pam_systemd.

That is true for /etc/pam.d/runuser (but not for /etc/pam.d/runuser-l,
invoked by "runuser --login" or "runuser -")

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
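The distinction Andreas draws between the /etc/pam.d/runuser and runuser-l stacks can be audited on any host. The script below is an added example, not code from this bug report or the exim4 package: it writes constructed sample pam.d files that mirror the layout described in the thread (su and runuser-l reach pam_systemd through common-session, runuser only through common-session-noninteractive), expands Debian-style "@include" lines, and reports which service names would load pam_systemd.so and so spawn user@UID.service when a cron job switches users.

```shell
#!/bin/sh
# Added example: which PAM service stacks would load pam_systemd.so (and so
# start user@UID.service for the target user)? Resolves Debian-style
# "@include" lines. The pam.d files below are constructed samples mirroring
# the thread: su and runuser-l pull in pam_systemd via common-session,
# runuser only uses common-session-noninteractive.
set -u

PAMD=$(mktemp -d)
trap 'rm -rf "$PAMD"' EXIT
printf 'session optional pam_systemd.so\nsession required pam_unix.so\n' \
    > "$PAMD/common-session"
printf 'session required pam_unix.so\n' > "$PAMD/common-session-noninteractive"
printf 'auth sufficient pam_rootok.so\n@include common-session\n' > "$PAMD/su"
printf 'auth sufficient pam_rootok.so\n@include common-session-noninteractive\n' \
    > "$PAMD/runuser"
printf 'auth sufficient pam_rootok.so\n@include common-session\n' > "$PAMD/runuser-l"

# pam_expand <pam.d dir> <service> [depth]: print the effective module lines
# of a service, following @include; depth-limited so an include loop ends.
pam_expand() {
    [ "${3:-0}" -lt 8 ] || return 1
    [ -r "$1/$2" ] || return 1
    while IFS= read -r line; do
        case "$line" in
            '#'*|'') ;;
            '@include '*) pam_expand "$1" "${line#@include }" $(( ${3:-0} + 1 )) ;;
            *) printf '%s\n' "$line" ;;
        esac
    done < "$1/$2"
}

# pam_starts_user_session <pam.d dir> <service>: exit 0 if a session line of
# the expanded stack loads pam_systemd.so, 1 otherwise (also 1 if unreadable).
# A leading "-" on the type is pam.conf(5) syntax for "silently skip if missing".
pam_starts_user_session() {
    pam_expand "$1" "$2" |
        grep -Eq '^[[:space:]]*-?session[[:space:]].*pam_systemd\.so'
}

# Audit the three stacks the bug report compares. On a real host, point PAMD
# at /etc/pam.d instead of the constructed directory.
for svc in su runuser runuser-l; do
    if pam_starts_user_session "$PAMD" "$svc"; then
        echo "$svc: would start a systemd user session (pam_systemd)"
    else
        echo "$svc: no pam_systemd in stack"
    fi
done
```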
Bug#871688: exim4-base: using su in cronjob invokes a full pam-session. use runuser instead
Package: exim4-base
Version: 4.89-2+deb9u1
Severity: normal

Dear Maintainer,

I have some systemd --user services from other packages.
The units are located in /etc/systemd/user/ or /usr/lib/systemd/user/
and enabled on installing.

When a daemon uses su or sudo on Debian, it starts a service
user@$UID.service which is a systemd daemon for the user session. These
sessions are normally not started for daemons with UID below 1000
(except Debian-gdm).

I asked on the systemd mailing list what the problem is, because sometimes
exim starts a user session (and with this the user services which are
thought for login users with UID greater-equal 1000).
They told me there must be the use of su or sudo in some scripts from
the daemon.
I looked around and found that there is su used in
/etc/cron.daily/exim4-base

You find my changes below to use runuser instead of su, which solves the
problems coming from the su-command.

Best regards
Jakob

-- Package-specific info:
Exim version 4.89 #1 built 14-Jun-2017 05:03:07
Copyright (c) University of Cambridge, 1995 - 2017
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2017
Berkeley DB: Berkeley DB 5.3.28: (September 9, 2013)
Support for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc GnuTLS move_frozen_messages Content_Scanning DKIM DNSSEC Event OCSP PRDR PROXY SOCKS TCP_Fast_Open
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz dnsdb dsearch ldap ldapdn ldapm mysql nis nis0 passwd pgsql sqlite
Authenticators: cram_md5 cyrus_sasl dovecot plaintext spa tls
Routers: accept dnslookup ipliteral iplookup manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
Fixed never_users: 0
Configure owner: 0:0
Size of off_t: 8
Configuration file is /var/lib/exim4/config.autogenerated

    # /etc/exim4/update-exim4.conf.conf
    #
    # Edit this file and /etc/mailname by hand and execute update-exim4.conf
    # yourself or use 'dpkg-reconfigure exim4-config'
    #
    # Please note that this is _not_ a dpkg-conffile and that automatic changes
    # to this file might happen. The code handling this will honor your local
    # changes, so this is usually fine, but will break local schemes that mess
    # around with multiple versions of the file.
    #
    # update-exim4.conf uses this file to determine variable values to generate
    # exim configuration macros for the configuration file.
    #
    # Most settings found in here do have corresponding questions in the
    # Debconf configuration, but not all of them.
    #
    # This is a Debian specific file

    dc_eximconfig_configtype='smarthost'
    dc_other_hostnames='aldebaran.xundeenergie.at;aldebaran;aldebaran.local;localhost'
    dc_local_interfaces='127.0.0.1 ; ::1'
    dc_readhost='xundeenergie.at'
    dc_relay_domains=''
    dc_minimaldns='false'
    dc_relay_nets=''
    dc_smarthost='mail.xundeenergie.at::587'
    CFILEMODE='644'
    dc_use_split_config='true'
    dc_hide_mailname='true'
    dc_mailname_in_oh='true'
    dc_localdelivery='dovecot_delivery'

mailname:xundeenergie.at

    # /etc/default/exim4
    EX4DEF_VERSION=''

    # 'combined' - one daemon running queue and listening on SMTP port
    # 'no' - no daemon running the queue
    # 'separate' - two separate daemons
    # 'ppp' - only run queue with /etc/ppp/ip-up.d/exim4.
    # 'nodaemon' - no daemon is started at all.
    # 'queueonly' - only a queue running daemon is started, no SMTP listener.
    # setting this to 'no' will also disable queueruns from /etc/ppp/ip-up.d/exim4
    QUEUERUNNER='combined'
    # how often should we run the queue
    QUEUEINTERVAL='30m'
    # options common to quez-runner and listening daemon
    COMMONOPTIONS=''
    # more options for the daemon/process running the queue (applies to the one
    # started in /etc/ppp/ip-up.d/exim4, too.
    QUEUERUNNEROPTIONS=''
    # special flags given to exim directly after the -q. See exim(8)
    QFLAGS=''
    # Options for the SMTP listener daemon. By default, it is listening on
    # port 25 only. To listen on more ports, it is recommended to use
    # -oX 25:587:10025 -oP /run/exim4/exim.pid
    SMTPLISTENEROPTIONS=''

-- System Information:
Debian Release: 9.1
  APT prefers stable
  APT policy: (990, 'stable'), (700, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.12.0-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages exim4-base depends on:
ii  adduser                        3.115
ii  debconf [debconf-2.0]          1.5.61
ii  exim4-config [exim4-config-2]  4.89-2+deb9u1
ii  libc6                          2.24-11+deb9u1
ii  libdb5.3                       5.3.28-12+b1
ii  lsb-base                       9.20161125
ii  netbase                        5.4
ii  systemd-cron [cron-daemon]     1.5.8-1

Versions of packages exim4-base recommends:
ii  mailutils [mailx]  1:3.1.1-1
ii  psmisc             22.21-2.1+b2

Versions of packages exim4-base