Bug#871688: exim4-base: using su in cronjob invokes a full pam-session. use runuser instead

2017-08-24 Thread Jakob Schürz
On 2017-08-14 at 16:30, Marc Haber wrote:
> On Thu, Aug 10, 2017 at 07:19:14PM +0200, Jakobus Schürz wrote:
>> You find my changes below to use runuser instead of su, which solves the
>> problems coming from the su-command.
> 
> Given that I have never heard of runuser in 20+ years of Unix
> experience, shouldn't probably the su man page mention runuser?

I also heard about runuser for the first time when I asked on the
systemd list... It seems it's built from the su code base (found a
website while searching for this command) to avoid the problems if you
want to run a command as another UID/GID with a whole session... like my
problem.

It's available since util-linux 2.23

:)

Greetings

Jakob

Bug#871688: exim4-base: using su in cronjob invokes a full pam-session. use runuser instead

2017-08-14 Thread Marc Haber
On Thu, Aug 10, 2017 at 07:19:14PM +0200, Jakobus Schürz wrote:
> You find my changes below to use runuser instead of su, which solves the
> problems coming from the su-command.

Given that I have never heard of runuser in 20+ years of Unix
experience, shouldn't probably the su man page mention runuser?

Greetings
Marc

-- 
Marc Haber         | "I don't trust Computers. They   | Mail address in header
Leimen, Germany    |  lose things."    Winona Ryder   | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt   | Fax: *49 6224 1600421



Bug#871688: exim4-base: using su in cronjob invokes a full pam-session. use runuser instead

2017-08-13 Thread Jakob Schürz
On 2017-08-13 at 13:53, Andreas Metzler wrote:
> On 2017-08-13 Jakob Schürz wrote:
>> On 2017-08-11 at 14:58, Andreas Metzler wrote:
>>> On 2017-08-10 Jakobus Schürz wrote:
> [...]
 # if we reach this, invoking exim_tidydb from start-stop-daemon has
 # failed, most probably because of libpam-tmpdir being in use
 # (see #373786 and #376165)
> [...] 
>>> for reference:
>>> It seems something is needed that
>>> a) uses PAM (because otherwise start-stop-daemon would have been enough)
>>> b) but does not invoke pam_systemd.
>  
>>> That is true for /etc/pam.d/runuser (but not for /etc/pam.d/runuser-l,
>>> invoked by "runuser --login" or "runuser -")
> 
>> OK. But what is this "something" which needs a PAM session to run tidydb?
> 
> See the comment in the file as quoted above. exim_tidydb needs a writeable
> tmp-dir. If libpam-tmpdir is in use, exim4-base.cron.daily's tmp-dir is
> only writeable by root. So we need a "run as other user" command that
> re-uses libpam-tmpdir to set up a tmp-dir which is writeable by exim.
> 
>> I can see that "runuser --login", "runuser -" or "runuser -l" also invoke
>> pam_systemd and start the user-services, which I don't want.
> 
>> I changed the lines a little bit:
> 
>> find $SPOOLDIR/db -maxdepth 1 -name '*.lockfile' -or -name 'log.*' \
>>   -or -type f -printf '%f\0' | \
>>   runuser --shell=/bin/bash \
>>     --command="xargs -0r -n 1 /usr/sbin/exim_tidydb $SPOOLDIR > /dev/null" \
>>     Debian-exim
> 
> So --command instead of --session-command also works. That is great,
> since --session-command is marked as "discouraged" in the runuser
> manpage. I will change this in GIT.

Sounds good! ;)

When do you think this will reach the goal of being in a Debian package in
the repo? (Currently I'm using stable, so the update will be in testing?)

This bug can be closed then.

Thank you!!

jakob


Bug#871688: exim4-base: using su in cronjob invokes a full pam-session. use runuser instead

2017-08-13 Thread Jakob Schürz
On 2017-08-11 at 14:58, Andreas Metzler wrote:
> On 2017-08-10 Jakobus Schürz wrote:
>> Package: exim4-base
>> Version: 4.89-2+deb9u1
>> Severity: normal
> 
>> Dear Maintainer,
> 
>> I have some systemd --user services from other packages.
>> The units are located in /etc/systemd/user/ or /usr/lib/systemd/user/
>> and enabled on installing.
> 
>> When a daemon uses su or sudo on Debian, it starts a service
>> user@$UID.service which is a systemd daemon for the user session. These
>> sessions are normally not started for daemons with UID below 1000
>> (except Debian-gdm).
> 
>> I asked on the systemd mailing list what's the problem, because sometimes
>> exim starts a user session (and with this the user services which are
>> intended for login users with UID greater than or equal to 1000).
>> They told me there must be a use of su or sudo in some scripts from
>> the daemon.
>> I looked around and found that su is used in
>> /etc/cron.daily/exim4-base
> 
>> You find my changes below to use runuser instead of su, which solves the
>> problems coming from the su-command.
> [...]
>> if [ -x /usr/sbin/exim_tidydb ]; then
>>   cd $SPOOLDIR/db || exit 1
>>   if ! find $SPOOLDIR/db -maxdepth 1 -name '*.lockfile' -or -name 'log.*' \
>>       -or -type f -printf '%f\0' | \
>>     xargs -0r -n 1 \
>>       start-stop-daemon --start --exec /usr/sbin/exim_tidydb \
>>       --chuid Debian-exim:Debian-exim -- $SPOOLDIR > /dev/null; then
>>     # if we reach this, invoking exim_tidydb from start-stop-daemon has
>>     # failed, most probably because of libpam-tmpdir being in use
>>     # (see #373786 and #376165)
>>     find $SPOOLDIR/db -maxdepth 1 -name '*.lockfile' -or -name 'log.*' \
>>         -or -type f -printf '%f\0' | \
>>       runuser --shell=/bin/bash \
>>         Debian-exim \
>>         --session-command="xargs -0r -n 1 /usr/sbin/exim_tidydb $SPOOLDIR > /dev/null"
>>   fi
>> fi
> 
> Hello,
> 
> for reference:
> It seems something is needed that
> a) uses PAM (because otherwise start-stop-daemon would have been enough)
> b) but does not invoke pam_systemd.
> 
> That is true for /etc/pam.d/runuser (but not for /etc/pam.d/runuser-l,
> invoked by "runuser --login" or "runuser -")

OK. But what is this "something" which needs a PAM session to run tidydb?

I can see that "runuser --login", "runuser -" or "runuser -l" also invoke
pam_systemd and start the user-services, which I don't want.

I changed the lines a little bit:

find $SPOOLDIR/db -maxdepth 1 -name '*.lockfile' -or -name 'log.*' \
  -or -type f -printf '%f\0' | \
  runuser --shell=/bin/bash \
    --command="xargs -0r -n 1 /usr/sbin/exim_tidydb $SPOOLDIR > /dev/null" \
    Debian-exim

I tried this manually, and it works... The cronjob did not fail anymore,
and the db got tidied.

bye jakob



Bug#871688: exim4-base: using su in cronjob invokes a full pam-session. use runuser instead

2017-08-11 Thread Andreas Metzler
On 2017-08-10 Jakobus Schürz wrote:
> Package: exim4-base
> Version: 4.89-2+deb9u1
> Severity: normal

> Dear Maintainer,

> I have some systemd --user services from other packages.
> The units are located in /etc/systemd/user/ or /usr/lib/systemd/user/
> and enabled on installing.

> When a daemon uses su or sudo on Debian, it starts a service
> user@$UID.service which is a systemd daemon for the user session. These
> sessions are normally not started for daemons with UID below 1000
> (except Debian-gdm).

> I asked on the systemd mailing list what's the problem, because sometimes
> exim starts a user session (and with this the user services which are
> intended for login users with UID greater than or equal to 1000).
> They told me there must be a use of su or sudo in some scripts from
> the daemon.
> I looked around and found that su is used in
> /etc/cron.daily/exim4-base

> You find my changes below to use runuser instead of su, which solves the
> problems coming from the su-command.
[...]
> if [ -x /usr/sbin/exim_tidydb ]; then
>   cd $SPOOLDIR/db || exit 1
>   if ! find $SPOOLDIR/db -maxdepth 1 -name '*.lockfile' -or -name 'log.*' \
>       -or -type f -printf '%f\0' | \
>     xargs -0r -n 1 \
>       start-stop-daemon --start --exec /usr/sbin/exim_tidydb \
>       --chuid Debian-exim:Debian-exim -- $SPOOLDIR > /dev/null; then
>     # if we reach this, invoking exim_tidydb from start-stop-daemon has
>     # failed, most probably because of libpam-tmpdir being in use
>     # (see #373786 and #376165)
>     find $SPOOLDIR/db -maxdepth 1 -name '*.lockfile' -or -name 'log.*' \
>         -or -type f -printf '%f\0' | \
>       runuser --shell=/bin/bash \
>         Debian-exim \
>         --session-command="xargs -0r -n 1 /usr/sbin/exim_tidydb $SPOOLDIR > /dev/null"
>   fi
> fi

Hello,

for reference:
It seems something is needed that
a) uses PAM (because otherwise start-stop-daemon would have been enough)
b) but does not invoke pam_systemd.

That is true for /etc/pam.d/runuser (but not for /etc/pam.d/runuser-l,
invoked by "runuser --login" or "runuser -")

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
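As an added audit check (not code from the bug thread, the exim4 package or util-linux), the script below resolves a PAM service's stack by following `@include` lines and reports whether a "run as other user" wrapper such as `runuser` or `runuser-l` would invoke pam_systemd.so (the module that starts user@UID.service) or pam_tmpdir.so (the module exim_tidydb's fallback depends on). The sample stack contents are constructed and only modelled on the Debian layout the thread describes; point PAMDIR at /etc/pam.d to inspect a real host.

```shell
#!/bin/sh
# Audit helper (added example, not from the bug thread or exim4-base): resolve a
# PAM service stack, following "@include" lines recursively, and report which
# modules it invokes. Point PAMDIR at /etc/pam.d on a real host; the sample tree
# below is constructed and modelled on the Debian layout the thread describes.
set -f   # no globbing: PAM control fields like "[default=1]" must stay literal

# pam_modules SERVICE DIR: print the module file names of SERVICE's stack, one per line.
pam_modules() {
    _svc="$1"; _dir="$2"
    [ -r "$_dir/$_svc" ] || return 0
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$_dir/$_svc" |
    while read -r _type _rest; do
        case "$_type" in
            @include) pam_modules "$_rest" "$_dir" ;;      # Debian-style include
            *) set -- $_rest                               # control token(s), then module
               case "$1" in include|substack) pam_modules "$2" "$_dir"; continue ;; esac
               while [ $# -gt 0 ]; do
                   case "$1" in *.so) echo "${1##*/}"; break ;; esac
                   shift                                   # skip multi-word [...] controls
               done ;;
        esac
    done
}

# pam_uses SERVICE MODULE DIR: succeed if MODULE (e.g. pam_systemd.so) is in the stack.
pam_uses() { pam_modules "$1" "$3" | grep -qx "$2"; }

# Constructed sample tree: runuser includes the non-interactive session stack,
# runuser-l (used by "runuser -l" / "runuser -") includes the interactive one.
PAMDIR=$(mktemp -d); trap 'rm -rf "$PAMDIR"' EXIT
cat > "$PAMDIR/common-session-noninteractive" <<'EOF'
session [default=1]  pam_permit.so
session requisite    pam_deny.so
session required     pam_permit.so
session optional     pam_tmpdir.so     # libpam-tmpdir: per-user private TMPDIR
session required     pam_unix.so
EOF
cat > "$PAMDIR/common-session" <<'EOF'
@include common-session-noninteractive
session optional     pam_systemd.so    # libpam-systemd: starts user@UID.service
EOF
printf 'auth sufficient pam_rootok.so\n@include common-session-noninteractive\n' > "$PAMDIR/runuser"
printf 'auth sufficient pam_rootok.so\n@include common-session\n' > "$PAMDIR/runuser-l"

for _s in runuser runuser-l; do
    printf '%-10s pam_systemd: %-3s pam_tmpdir: %-3s\n' "$_s" \
        "$(pam_uses "$_s" pam_systemd.so "$PAMDIR" && echo yes || echo no)" \
        "$(pam_uses "$_s" pam_tmpdir.so "$PAMDIR" && echo yes || echo no)"
done
```

On a real host, run the same check for su, runuser and runuser-l to see which wrapper satisfies both of Andreas's conditions (uses PAM, but not pam_systemd).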



Bug#871688: exim4-base: using su in cronjob invokes a full pam-session. use runuser instead

2017-08-10 Thread Jakobus Schürz
Package: exim4-base
Version: 4.89-2+deb9u1
Severity: normal

Dear Maintainer,

I have some systemd --user services from other packages.
The units are located in /etc/systemd/user/ or /usr/lib/systemd/user/
and enabled on installing.

When a daemon uses su or sudo on Debian, it starts a service
user@$UID.service which is a systemd daemon for the user session. These
sessions are normally not started for daemons with UID below 1000
(except Debian-gdm).

I asked on the systemd mailing list what's the problem, because sometimes
exim starts a user session (and with this the user services which are
intended for login users with UID greater than or equal to 1000).
They told me there must be a use of su or sudo in some scripts from
the daemon.
I looked around and found that su is used in
/etc/cron.daily/exim4-base

You find my changes below to use runuser instead of su, which solves the
problems coming from the su-command.

Best regards

Jakob


-- Package-specific info:
Exim version 4.89 #1 built 14-Jun-2017 05:03:07
Copyright (c) University of Cambridge, 1995 - 2017
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2017
Berkeley DB: Berkeley DB 5.3.28: (September  9, 2013)
Support for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc GnuTLS 
move_frozen_messages Content_Scanning DKIM DNSSEC Event OCSP PRDR PROXY SOCKS 
TCP_Fast_Open
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz 
dbmnz dnsdb dsearch ldap ldapdn ldapm mysql nis nis0 passwd pgsql sqlite
Authenticators: cram_md5 cyrus_sasl dovecot plaintext spa tls
Routers: accept dnslookup ipliteral iplookup manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
Fixed never_users: 0
Configure owner: 0:0
Size of off_t: 8
Configuration file is /var/lib/exim4/config.autogenerated
# /etc/exim4/update-exim4.conf.conf
#
# Edit this file and /etc/mailname by hand and execute update-exim4.conf
# yourself or use 'dpkg-reconfigure exim4-config'
#
# Please note that this is _not_ a dpkg-conffile and that automatic changes
# to this file might happen. The code handling this will honor your local
# changes, so this is usually fine, but will break local schemes that mess
# around with multiple versions of the file.
#
# update-exim4.conf uses this file to determine variable values to generate
# exim configuration macros for the configuration file.
#
# Most settings found in here do have corresponding questions in the
# Debconf configuration, but not all of them.
#
# This is a Debian specific file

dc_eximconfig_configtype='smarthost'
dc_other_hostnames='aldebaran.xundeenergie.at;aldebaran;aldebaran.local;localhost'
dc_local_interfaces='127.0.0.1 ; ::1'
dc_readhost='xundeenergie.at'
dc_relay_domains=''
dc_minimaldns='false'
dc_relay_nets=''
dc_smarthost='mail.xundeenergie.at::587'
CFILEMODE='644'
dc_use_split_config='true'
dc_hide_mailname='true'
dc_mailname_in_oh='true'
dc_localdelivery='dovecot_delivery'
mailname:xundeenergie.at
# /etc/default/exim4
EX4DEF_VERSION=''

# 'combined' -   one daemon running queue and listening on SMTP port
# 'no'   -   no daemon running the queue
# 'separate' -   two separate daemons
# 'ppp'  -   only run queue with /etc/ppp/ip-up.d/exim4.
# 'nodaemon' - no daemon is started at all.
# 'queueonly' - only a queue running daemon is started, no SMTP listener.
# setting this to 'no' will also disable queueruns from /etc/ppp/ip-up.d/exim4
QUEUERUNNER='combined'
# how often should we run the queue
QUEUEINTERVAL='30m'
# options common to quez-runner and listening daemon
COMMONOPTIONS=''
# more options for the daemon/process running the queue (applies to the one
# started in /etc/ppp/ip-up.d/exim4, too.
QUEUERUNNEROPTIONS=''
# special flags given to exim directly after the -q. See exim(8)
QFLAGS=''
# Options for the SMTP listener daemon. By default, it is listening on
# port 25 only. To listen on more ports, it is recommended to use
# -oX 25:587:10025 -oP /run/exim4/exim.pid
SMTPLISTENEROPTIONS=''

-- System Information:
Debian Release: 9.1
  APT prefers stable
  APT policy: (990, 'stable'), (700, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.12.0-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), 
LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages exim4-base depends on:
ii  adduser3.115
ii  debconf [debconf-2.0]  1.5.61
ii  exim4-config [exim4-config-2]  4.89-2+deb9u1
ii  libc6  2.24-11+deb9u1
ii  libdb5.3   5.3.28-12+b1
ii  lsb-base   9.20161125
ii  netbase5.4
ii  systemd-cron [cron-daemon] 1.5.8-1

Versions of packages exim4-base recommends:
ii  mailutils [mailx]  1:3.1.1-1
ii  psmisc 22.21-2.1+b2

Versions of packages exim4-base