Re: [exim] Problem with exim-4.74 + mailman
Could you check that the 2 versions of exim are linked against the same libraries. I know there have been some build changes for Solaris. Wondering if the getpw* functions are from a different library, one which does not accept a number in place of a username.

Nigel.

-- 
[ Nigel Metheringham nigel.methering...@intechnology.com ]
[ - Comments in this message are my own and not ITO opinion/policy - ]

-- 
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: [exim] Problem with exim-4.74 + mailman
On Thu, 10 Feb 2011 08:34:08 + Nigel Metheringham wrote:
> Could you check that the 2 versions of exim are linked against the same libraries.

There are differences.

> I know there have been some build changes for Solaris. Wondering if the getpw* functions are from a different library, one which does not accept a number in place of a username.

I've changed the setting from numeric uid to name mailman with no change.

--Frank Elsner
Re: [exim] Problem with exim-4.74 + mailman
citing Frank's first mail:

> 2011-02-09 11:28:25 1Pn7Hd-00077B-Dv unable to set gid=104 or uid=104 (euid=103): local delivery to list l...@lists.tu-berlin.de

The local delivery *should* start as euid=0, since it should be setuid root. As far as I understood deliver.c, exim fork()s, exec()s and then changes the UID. But there are some cases where this uid change does not take place, e.g. if deliver_drop_privileges is set.

Probably Frank can put some logging into deliver.c, or at least ask for logging the PID, it should show us the PID transition…

-- 
Heiko :: dresden : linux : SCHLITTERMANN.de
GPG Key 48D0359B : 3061 CFBF 2D88 F034 E8D2 7E92 EE4E AC98 48D0 359B
Re: [exim] Problem with exim-4.74 + mailman
Heiko Schlittermann wrote:
> citing Frank's first mail:
>
>> 2011-02-09 11:28:25 1Pn7Hd-00077B-Dv unable to set gid=104 or uid=104 (euid=103): local delivery to list l...@lists.tu-berlin.de
>
> The local delivery *should* start as euid=0, since it should be setuid root.

It MAY. It doesn't always have to be so (at least thru 4.6X). Mine are neither.

> As far as I understood deliver.c, exim fork()s, exec()s and then changes the UID. But there are some cases where this uid change does not take place, e.g. if deliver_drop_privileges is set.

.. or when and where the exim binary is NOT setuid root, delivery was not invoked by root, and the particular delivery transport doesn't need either because it calls for delivery under an EGID of which the exim daemon runner is a *member*...

Or .. just maybe applicable here .. as above, but the running UID/EUID is NOT a member of the egid the transport calls for to make this delivery (gid 104)?

The Devil is in such details...

Bill

> Probably Frank can put some logging into deliver.c, or at least ask for logging the PID, it should show us the PID transition…
[exim] Problem with exim-4.74 + mailman
Hallo all,

after upgrade from exim-4.69 to exim-4.74 I ran into problems with the mailman and my configuration. Exim is UID=103.

2011-02-09 11:28:25 1Pn7Hd-00077B-Dv unable to set gid=104 or uid=104 (euid=103): local delivery to list l...@lists.tu-berlin.de transport=mailman_transport
2011-02-09 11:29:03 1Pn7IF-00077Z-AC unable to set gid=1 or uid=103 (euid=103): remote delivery to recipi...@example.com with transport=smtp

What's going on?

From the configuration:

| MAILMAN_USER  = 104
| MAILMAN_GROUP = 104
| ..
| ..
| mailman:
|   driver = accept
|   condition = ${if !eq {$acl_m_pmx}{1}}
|   domains = MAILMAN_DOMAIN : mali.tubit.tu-berlin.de
|   require_files = MAILMAN_LISTCHK
|   local_part_suffix_optional
|   local_part_suffix = -admin : -bounces : -bounces+* : \
|                       -confirm : -confirm+* : -join : \
|                       -leave : -owner : -request : \
|                       -subscribe : -unsubscribe
|   transport = mailman_transport
| ..
| ..
| mailman_transport:
|   driver = pipe
|   command = MAILMAN_WRAPPER \
|             '${if def:local_part_suffix \
|                   {${sg{$local_part_suffix}{-(\\w+)(\\+.*)?}{\$1}}} \
|                   {post}}' \
|             $local_part
|   current_directory = MAILMAN_HOME
|   home_directory = MAILMAN_HOME
|   user = MAILMAN_USER
|   group = MAILMAN_GROUP
|   log_fail_output
| ..
| ..
| smtp_verp:
|   driver = smtp
|   max_rcpt = 1
|   # Put recipient address into return_path
|   return_path = \
|     ${local_part:$return_path}+$local_part=$domain@${domain:$return_path}
|   # Errors-To: may carry old return_path
|   headers_remove = Errors-To
|   headers_add = Errors-To: ${return_path}
|   no_delay_after_cutoff
|   hosts_avoid_tls = mail.tu-berlin.de
|   helo_data = lists.tu-berlin.de

Local/Makefile contains EXIM_USER=ref:exim

How to solve this problem?

Kind regards,
Frank Elsner
Re: [exim] Problem with exim-4.74 + mailman
Frank Elsner frank.els...@tu-berlin.de (Wed Feb 9 12:35:56 2011):
> Hallo all,
>
> after upgrade from exim-4.69 to exim-4.74 I ran into problems with the mailman and my configuration. Exim is UID=103.
>
> 2011-02-09 11:28:25 1Pn7Hd-00077B-Dv unable to set gid=104 or uid=104 (euid=103): local delivery to list l...@lists.tu-berlin.de transport=mailman_transport
> 2011-02-09 11:29:03 1Pn7IF-00077Z-AC unable to set gid=1 or uid=103 (euid=103): remote delivery to recipi...@example.com with transport=smtp

May be a stupid question, but your exim binary is suid root?

-- 
Heiko
Re: [exim] Problem with exim-4.74 + mailman
On 2011-02-09 at 12:35 +0100, Frank Elsner wrote:
> after upgrade from exim-4.69 to exim-4.74 I ran into problems with the mailman and my configuration. Exim is UID=103.
>
> 2011-02-09 11:28:25 1Pn7Hd-00077B-Dv unable to set gid=104 or uid=104 (euid=103): local delivery to list l...@lists.tu-berlin.de transport=mailman_transport
> 2011-02-09 11:29:03 1Pn7IF-00077Z-AC unable to set gid=1 or uid=103 (euid=103): remote delivery to recipi...@example.com with transport=smtp
>
> What's going on?

You didn't read README.UPDATING or the announcement for 4.73?

To avoid privilege escalation from the exim run-time user to root (arbitrary code execution of the exim run-time user's choosing), some setups that used to work no longer do so by default.

In particular, if you're using -C on the command-line, you need to build Exim with TRUSTED_CONFIG_LIST defined; that points to a file which contains a list of trusted configs, one per line. If you're using -D on the command-line then you need to build Exim with WHITELIST_D_MACROS containing the names of any macros you need to preserve (and the values of the macros are filtered).

See README.UPDATING for more.

-Phil
Re: [exim] Problem with exim-4.74 + mailman
On Wed, 9 Feb 2011 07:00:34 -0500 Phil Pennock wrote:
[ ... ]
> You didn't read README.UPDATING or the announcement for 4.73?

Yes, maybe I misunderstand it :-(

[ ... ]
> See README.UPDATING for more.

| * The Exim run-time user can no longer be root; this was always
|   strongly discouraged, but is now prohibited both at build and
|   run-time. If you need Exim to run routinely as root, you'll need to
|   patch the source and accept the risk. Here be dragons.

I have EXIM_USER=ref:exim in Local/Makefile. User exim is uid 103 in /etc/passwd.

But the binary is

-rwsr-xr-x 1 root root 864428 Feb 9 11:27 exim-4.74

Setuid to bind to port 25, I guess? Or should I remove it?

--Frank Elsner
Re: [exim] Problem with exim-4.74 + mailman
Frank Elsner frank.els...@tu-berlin.de (Wed Feb 9 13:15:20 2011):
> On Wed, 9 Feb 2011 07:00:34 -0500 Phil Pennock wrote:
> [ ... ]
>> You didn't read README.UPDATING or the announcement for 4.73?
>
> Yes, maybe I misunderstand it :-(
>
> [ ... ]
>> See README.UPDATING for more.
>
> | * The Exim run-time user can no longer be root; this was always
> |   strongly discouraged, but is now prohibited both at build and
> |   run-time. If you need Exim to run routinely as root, you'll need to
> |   patch the source and accept the risk. Here be dragons.
>
> I have EXIM_USER=ref:exim in Local/Makefile. User exim is uid 103 in /etc/passwd.
>
> But the binary is
>
> -rwsr-xr-x 1 root root 864428 Feb 9 11:27 exim-4.74
>
> Setuid to bind to port 25, I guess? Or should I remove it?

If started by root, it doesn't matter. Exim should change its euid after binding to the port. How is your exim started? Using some -C or -D option?

As far as I understand, the suid bit is used to change the euid/egid to whatever for local transports. The config file is not owned by your exim user?

If you add the pid logselector, you should see that a new process is forked for delivery.

I did a short test (using 4.74)

MM_USER = 12
MM_GROUP = 12

router mm:
  driver = accept
  domains = +vmail_domains
  local_parts = xxx
  transport = pipi

transport pipi:
  driver = pipe
  command = /bin/sh -c /bin/cat /tmp/xxx
  current_directory = /tmp
  home_directory = /tmp
  log_fail_output
  user = MM_USER
  group = MM_GROUP

And it worked. The file created is owned by uid/gid 12.

-- 
Heiko
Re: [exim] Problem with exim-4.74 + mailman
On Wed, 9 Feb 2011 13:59:34 +0100 Heiko Schlittermann wrote:
> Frank Elsner frank.els...@tu-berlin.de (Wed Feb 9 13:15:20 2011):
>> On Wed, 9 Feb 2011 07:00:34 -0500 Phil Pennock wrote:
>> [ ... ]
>>> You didn't read README.UPDATING or the announcement for 4.73?
>>
>> Yes, maybe I misunderstand it :-(
>>
>> [ ... ]
>>> See README.UPDATING for more.
>>
>> | * The Exim run-time user can no longer be root; this was always
>> |   strongly discouraged, but is now prohibited both at build and
>> |   run-time. If you need Exim to run routinely as root, you'll need to
>> |   patch the source and accept the risk. Here be dragons.
>>
>> I have EXIM_USER=ref:exim in Local/Makefile. User exim is uid 103 in /etc/passwd.
>>
>> But the binary is
>>
>> -rwsr-xr-x 1 root root 864428 Feb 9 11:27 exim-4.74
>>
>> Setuid to bind to port 25, I guess? Or should I remove it?
>
> If started by root, it doesn't matter. Exim should change its euid after binding to the port. How is your exim started? Using some -C or -D option?

None of both.

> As far as I understand, the suid bit is used to change the euid/egid to whatever for local transports. The config file is not owned by your exim user?

It's

-rw-r--r-- 1 root root 12106 Feb 2 11:34 exim4.conf

> If you add the pid logselector, you should see that a new process is forked for delivery.

I'll give it a try.

--Frank Elsner
Re: [exim] Problem with exim-4.74 + mailman
On Wed, 9 Feb 2011 13:59:34 +0100 Heiko Schlittermann wrote:
> Frank Elsner frank.els...@tu-berlin.de (Wed Feb 9 13:15:20 2011):
>> On Wed, 9 Feb 2011 07:00:34 -0500 Phil Pennock wrote:
>> [ ... ]
>>> You didn't read README.UPDATING or the announcement for 4.73?
>>
>> Yes, maybe I misunderstand it :-(
>>
>> [ ... ]
>>> See README.UPDATING for more.
>>
>> | * The Exim run-time user can no longer be root; this was always
>> |   strongly discouraged, but is now prohibited both at build and
>> |   run-time. If you need Exim to run routinely as root, you'll need to
>> |   patch the source and accept the risk. Here be dragons.
>>
>> I have EXIM_USER=ref:exim in Local/Makefile. User exim is uid 103 in /etc/passwd.
>>
>> But the binary is
>>
>> -rwsr-xr-x 1 root root 864428 Feb 9 11:27 exim-4.74
>>
>> Setuid to bind to port 25, I guess? Or should I remove it?
>
> If started by root, it doesn't matter. Exim should change its euid after binding to the port. How is your exim started? Using some -C or -D option?
>
> As far as I understand, the suid bit is used to change the euid/egid to whatever for local transports. The config file is not owned by your exim user?
>
> If you add the pid logselector, you should see that a new process is forked for delivery.
>
> I did a short test (using 4.74)
[ ... ]

I've found a difference between 4.69 and 4.74:

Exim version 4.69 uid=0 gid=0 pid=23817 D=fbb95cfd
..
seeking password data for user exim: using cached result
getpwnam() succeeded uid=103 gid=1
seeking password data for user mailman: cache not available
getpwnam() succeeded uid=126319 gid=104

Exim version 4.74 uid=0 gid=0 pid=23866 D=fbb95cfd
..
admin user
seeking password data for user exim: cache not available
getpwnam() succeeded uid=103 gid=1
seeking password data for user exim: using cached result
getpwnam() succeeded uid=103 gid=1
seeking password data for user 104: cache not available
seeking password data for user 104: cache not available
seeking password data for user exim: using cached result
getpwnam() succeeded uid=103 gid=1

The /etc/passwd entries are

exim:x:103:1::/home/exim:/bin/sh
mailman:x:126319:104:The MailMan:/opt/mailman:/bin/false

Should I change the config file from MAILMAN_USER= 104 to MAILMAN_USER= 126319 ???

--Frank Elsner
Re: [exim] Problem with exim-4.74 + mailman
Frank Elsner frank.els...@tu-berlin.de (Wed Feb 9 12:35:56 2011):
> Hallo all,
>
> after upgrade from exim-4.69 to exim-4.74 I ran into problems with the mailman and my configuration. Exim is UID=103.
>
> 2011-02-09 11:28:25 1Pn7Hd-00077B-Dv unable to set gid=104 or uid=104 (euid=103): local delivery to list l...@lists.tu-berlin.de transport=mailman_transport
> 2011-02-09 11:29:03 1Pn7IF-00077Z-AC unable to set gid=1 or uid=103 (euid=103): remote delivery to recipi...@example.com with transport=smtp

I'm just asking myself, why exim wants to set the uid/gid for the SMTP transport… Where does the gid=1 come from? Is this the group daemon and the primary group or one of the supplementary of the exim user?

-- 
Heiko
Re: [exim] Problem with exim-4.74 + mailman
On Wed, 9 Feb 2011 16:30:48 +0100 Heiko Schlittermann wrote:
> Frank Elsner frank.els...@tu-berlin.de (Wed Feb 9 12:35:56 2011):
>> Hallo all,
>>
>> after upgrade from exim-4.69 to exim-4.74 I ran into problems with the mailman and my configuration. Exim is UID=103.
>>
>> 2011-02-09 11:28:25 1Pn7Hd-00077B-Dv unable to set gid=104 or uid=104 (euid=103): local delivery to list l...@lists.tu-berlin.de transport=mailman_transport
>> 2011-02-09 11:29:03 1Pn7IF-00077Z-AC unable to set gid=1 or uid=103 (euid=103): remote delivery to recipi...@example.com with transport=smtp
>
> I'm just asking myself, why exim wants to set the uid/gid for the SMTP transport… Where does the gid=1 come from? Is this the group daemon and the primary group or one of the supplementary of the exim user?

On the Solaris 10 system where I have the problem:

# grep :1: /etc/group
other::1:root

--Frank Elsner
Re: [exim] Problem with exim-4.74 + mailman
Frank Elsner frank.els...@tu-berlin.de (Wed Feb 9 16:52:48 2011):
> On Wed, 9 Feb 2011 16:30:48 +0100 Heiko Schlittermann wrote:
>> Frank Elsner frank.els...@tu-berlin.de (Wed Feb 9 12:35:56 2011):
>>> Hallo all,
>>>
>>> after upgrade from exim-4.69 to exim-4.74 I ran into problems with the mailman and my configuration. Exim is UID=103.
>>>
>>> 2011-02-09 11:28:25 1Pn7Hd-00077B-Dv unable to set gid=104 or uid=104 (euid=103): local delivery to list l...@lists.tu-berlin.de transport=mailman_transport
>>> 2011-02-09 11:29:03 1Pn7IF-00077Z-AC unable to set gid=1 or uid=103 (euid=103): remote delivery to recipi...@example.com with transport=smtp
>>
>> I'm just asking myself, why exim wants to set the uid/gid for the SMTP transport… Where does the gid=1 come from? Is this the group daemon and the primary group or one of the supplementary of the exim user?
>
> On the Solaris 10 system where I have the problem:
>
> # grep :1: /etc/group
> other::1:root

In the above two lines - the 2nd message is the generated bounce to the 1st message?

-- 
Heiko
Re: [exim] Problem with exim-4.74 + mailman
Frank Elsner frank.els...@tu-berlin.de (Wed Feb 9 16:06:35 2011):
…
> I've found a difference between 4.69 and 4.74:
>
> Exim version 4.69 uid=0 gid=0 pid=23817 D=fbb95cfd
> ..
> seeking password data for user exim: using cached result
> getpwnam() succeeded uid=103 gid=1
> seeking password data for user mailman: cache not available
> getpwnam() succeeded uid=126319 gid=104
>
> Exim version 4.74 uid=0 gid=0 pid=23866 D=fbb95cfd
> ..
> admin user
> seeking password data for user exim: cache not available
> getpwnam() succeeded uid=103 gid=1
> seeking password data for user exim: using cached result
> getpwnam() succeeded uid=103 gid=1
> seeking password data for user 104: cache not available
> seeking password data for user 104: cache not available

… is the following again related to sending the bounce message?

> seeking password data for user exim: using cached result
> getpwnam() succeeded uid=103 gid=1
>
> The /etc/passwd entries are
>
> exim:x:103:1::/home/exim:/bin/sh
> mailman:x:126319:104:The MailMan:/opt/mailman:/bin/false
>
> Should I change the config file from MAILMAN_USER= 104 to MAILMAN_USER= 126319 ???

Hm, at least there is some discrepancy between the configuration, stating that the MAILMAN_USER is 104 and the passwd, stating the 126319. But this should not prevent exim from changing its UID to 104 for the delivery.

-- 
Heiko
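The discrepancy discussed in the two messages above (MAILMAN_USER set to 104 while the only account in that group is uid 126319, and the 4.74 debug output "seeking password data for user 104" with no getpwnam() success following it) is something an admin can check for before touching the config. The script below is an added example, not code from the thread or from Exim: resolve_user, check_transport_user and is_setuid are hypothetical helpers, and the password file is a constructed copy of the two /etc/passwd lines Frank posted rather than the live system's.

```shell
#!/bin/sh
# Added example, not from the thread or from Exim. Constructed copy of the two
# /etc/passwd lines Frank posted; a real check would read /etc/passwd instead.
PASSWD_SAMPLE='exim:x:103:1::/home/exim:/bin/sh
mailman:x:126319:104:The MailMan:/opt/mailman:/bin/false'

# resolve_user VALUE
# Prints "uid gid name" for VALUE, which may be an account name (matched on
# field 1) or a numeric uid (matched on field 3), since a transport's user=
# setting can be written either way. Returns 1 when no passwd line matches.
resolve_user() {
    value=$1
    case $value in
        ''|*[!0-9]*) field=1 ;;   # has a non-digit: treat as an account name
        *)           field=3 ;;   # all digits: treat as a numeric uid
    esac
    printf '%s\n' "$PASSWD_SAMPLE" | awk -F: -v f="$field" -v v="$value" '
        $f == v { print $3, $4, $1; found = 1; exit }
        END     { exit found ? 0 : 1 }'
}

# check_transport_user VALUE EXPECTED_GID
# Cross-checks a transport's user= against its group= the way one would for
# MAILMAN_USER/MAILMAN_GROUP: the value must resolve to an account, and that
# account's primary gid should be the configured group. Prints a one-line
# verdict and returns 0 only when both hold.
check_transport_user() {
    entry=$(resolve_user "$1") || {
        echo "MISMATCH: user=$1 matches no passwd entry"
        return 1
    }
    set -- "$1" "$2" $entry            # now $3=uid $4=gid $5=name
    if [ "$4" != "$2" ]; then
        echo "WARN: user=$1 is $5 (uid $3, gid $4) but group=$2 is configured"
        return 1
    fi
    echo "OK: user=$1 -> $5 uid=$3 gid=$4 group=$2"
}

# is_setuid FILE: true when the setuid bit is set; the first thing to look at
# when the log shows euid=103 where a delivery expected to start as euid=0.
is_setuid() { [ -u "$1" ]; }

check_transport_user 104 104        # MISMATCH: the thread's MAILMAN_USER value
check_transport_user exim 104       # WARN: exim's primary gid is 1, not 104
check_transport_user 126319 104     # OK: numeric form of the mailman account
check_transport_user mailman 104    # OK: the account named in /etc/passwd
```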
Re: [exim] Problem with exim-4.74 + mailman
On Wed, 9 Feb 2011 17:04:34 +0100 Heiko Schlittermann wrote:
> Frank Elsner frank.els...@tu-berlin.de (Wed Feb 9 16:52:48 2011):
>> On Wed, 9 Feb 2011 16:30:48 +0100 Heiko Schlittermann wrote:
>>> Frank Elsner frank.els...@tu-berlin.de (Wed Feb 9 12:35:56 2011):
>>>> Hallo all,
>>>>
>>>> after upgrade from exim-4.69 to exim-4.74 I ran into problems with the mailman and my configuration. Exim is UID=103.
>>>>
>>>> 2011-02-09 11:28:25 1Pn7Hd-00077B-Dv unable to set gid=104 or uid=104 (euid=103): local delivery to list l...@lists.tu-berlin.de transport=mailman_transport
>>>> 2011-02-09 11:29:03 1Pn7IF-00077Z-AC unable to set gid=1 or uid=103 (euid=103): remote delivery to recipi...@example.com with transport=smtp
>>>
>>> I'm just asking myself, why exim wants to set the uid/gid for the SMTP transport… Where does the gid=1 come from? Is this the group daemon and the primary group or one of the supplementary of the exim user?
>>
>> On the Solaris 10 system where I have the problem:
>>
>> # grep :1: /etc/group
>> other::1:root
>
> In the above two lines - the 2nd message is the generated bounce to the 1st message?

No, it's a different message.

--Frank Elsner