[Exim] require_files permission problem

Author: Tamas TEVESZ
Date:  
To: exim-users
Subject: [Exim] require_files permission problem
hi,

this is exim v3.36 on a debian woody box. i've installed ecartis (a
mailing list manager), also from a deb package that comes with the
distribution.

ecartis is very similar to mailman in the way it stores its lists and
the lists' configuration files, namely for a list named `foo' it
creates a /var/lib/ecartis/lists/foo directory, and several files and
dirs below (one sure point being `foo/config', where the list settings
reside).

i've adapted nigel's well-known mailman configuration to this setup
(it was surprisingly easy), but encountered one problem.

the ecartis deb package adds an ecartis user and an ecartis group to
the system, and the ecartis program itself is supposed to run under
this user's rights. also, the debian package creates the
/var/lib/ecartis/lists directory as ecartis:ecartis:0750.

here comes my problem. adapted from the mailman stuff, a transport for
posting to the list looks as:

list_request_director:
  driver = smartuser
  suffix = -request
  require_files = ECARTIS_UID,ECARTIS_GID:ECARTIS_HOME/lists/${lc:$local_part}/config
  transport = list_request_transport

the macros look as:

ECARTIS_HOME = /var/lib/ecartis
ECARTIS_UID = ecartis
ECARTIS_GID = ecartis

now, as far as i can understand, the notation

require_files = ECARTIS_UID,ECARTIS_GID:/...

should make exim check the existence of the particular file running
as uid=ECARTIS_UID, gid=ECARTIS_GID. this user obviously has access to
/var/lib/ecartis/lists/<somelist>/config.

however, exim apparently does not change privileges. debug output from
`exim -d11 -oX 2525 -bd':


SMTP<< rcpt to:<sfc-l@domain>
domain in local_domains? yes (matched domain)
sfc-l@domain in receiver_verify_addresses? yes (*)
host in receiver_verify_hosts? yes (*)
>>>>>>>>>>>>>>>>>>>>>>>>

Verifying sfc-l@domain
domain in local_domains? yes (matched domain)
domain in percent_hack_domains? no (end of list)
address sfc-l@domain
local_part=sfc-l domain=domain
domain is local
>>>>>>>>>>>>>>>>>>>>>>>>

directing sfc-l@domain
list_request_director director skipped: suffix mismatch
list_repost_director director skipped: suffix mismatch
list_admin_director director skipped: suffix mismatch
list_moderator_director director skipped: suffix mismatch
list_bounce_director director skipped: suffix mismatch
calling list_director director
require_files = ecartis,ecartis:/var/lib/ecartis/lists/sfc-l/config
require files uid=8 gid=8 euid=8 egid=8
test existence of /var/lib/ecartis/lists/sfc-l/config
required present, EACCES => unknown
Permission denied
restored uid=8 gid=8 euid=8 egid=8
list_director director deferred sfc-l
message: file existence defer in list_director director: Permission denied
SMTP>> 451 Cannot check <sfc-l@domain> at this time - please try later


# stat /var/lib/ecartis/lists
  File: "/var/lib/ecartis/lists"
  Size: 33              Blocks: 0          IO Block: 4096   Directory
Device: 302h/770d       Inode: 29437615    Links: 4
Access: (0750/drwxr-x---)  Uid: (  103/ ecartis)   Gid: (  103/ ecartis)
Access: Wed Feb 12 16:33:13 2003
Modify: Tue Feb 11 21:58:54 2003
Change: Wed Feb 12 16:48:46 2003


however:

# su - ecartis
$ id
uid=103(ecartis) gid=103(ecartis) groups=103(ecartis)
$ ls -ld /var/lib/ecartis/lists/sfc-l/config
-rw-rw-r--    1 ecartis  ecartis     33075 Feb 12 02:38 /var/lib/ecartis/lists/sfc-l/config


of course the problem can be worked around by giving `other' execute
access to /var/lib/ecartis/lists, but i'm still curious as to why
exim behaves like that. of course my /usr/sbin/exim is setuid root.

standing confused.

thanks for any help,

--
[-]
... and the rest is silence.
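
An added example, not part of the original post: a Python sketch of the classic Unix search-permission check, showing which parent directory produces the EACCES for the identity in the debug log (uid=8 gid=8) and why the ecartis user (103) is not affected. Only the 0750 ecartis:ecartis entry for /var/lib/ecartis/lists comes from the stat output above; the other modes and owners, and the function names, are assumptions.

```python
import os
import stat

def can_search(mode, owner_uid, owner_gid, uid, gids):
    """Classic Unix check for the search (x) bit; exactly one class applies.
    ACLs and capabilities are not modelled."""
    if uid == 0:
        return True  # root bypasses directory search checks
    if uid == owner_uid:
        return bool(mode & stat.S_IXUSR)
    if owner_gid in gids:
        return bool(mode & stat.S_IXGRP)
    return bool(mode & stat.S_IXOTH)

def first_denied(dirs, uid, gids):
    """dirs: [(path, mode, owner_uid, owner_gid)] from / down to the file's parent.
    Returns the first directory the identity cannot traverse, or None."""
    for path, mode, o_uid, o_gid in dirs:
        if not can_search(mode, o_uid, o_gid, uid, gids):
            return path
    return None

def parents_of(path):
    """Collect the same tuples from the live filesystem (run as root to see all)."""
    out, cur = [], os.path.dirname(os.path.abspath(path))
    while True:
        st = os.stat(cur)
        out.append((cur, stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid))
        if cur == os.path.dirname(cur):
            break
        cur = os.path.dirname(cur)
    return out[::-1]

# Constructed sample: only the /var/lib/ecartis/lists entry (0750, 103:103) is
# taken from the stat output in the post; every other mode/owner is assumed.
SAMPLE = [
    ("/", 0o755, 0, 0),
    ("/var", 0o755, 0, 0),
    ("/var/lib", 0o755, 0, 0),
    ("/var/lib/ecartis", 0o755, 103, 103),
    ("/var/lib/ecartis/lists", 0o750, 103, 103),
    ("/var/lib/ecartis/lists/sfc-l", 0o755, 103, 103),
]

if __name__ == "__main__":
    print("uid 8:  ", first_denied(SAMPLE, 8, {8}))      # identity in the debug log
    print("uid 103:", first_denied(SAMPLE, 103, {103}))  # the ecartis user
```

On a live system, `first_denied(parents_of(path), uid, gids)` applies the same check to the real directory chain; the mode of the `config` file itself plays no part in an existence test.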