Re: [exim] unable to set gid=518 or uid=518 (euid=8)...

Author: Ian FREISLICH
Date:  
To: Tony Finch
CC: exim-users
Subject: Re: [exim] unable to set gid=518 or uid=518 (euid=8)...
Tony Finch wrote:
> On Sat, 15 Jan 2005, Ian FREISLICH wrote:
> >
> > 2005-01-14 14:53:39 1CpQxN-0006zS-SR unable to set gid=518 or uid=518 (euid=8): local delivery to if <if@???> transport=vmail_delivery
>
> I think you stated before that your Exim is set-uid. But do Exim and you
> agree about where Exim lives? Try running `exim -bP exim_path`.


They seem to:

[xxxx] /etc/exim # exim -bP exim_path
exim_path = /usr/bin/exim
[xxxx] /etc/exim # ls -l `exim -bP exim_path`
lrwxrwxrwx    1 root     root           11 Dec 23 14:10 /usr/bin/exim -> exim-4.43-3
[xxxx] /etc/exim # ls -l /usr/bin/exim*
lrwxrwxrwx    1 root     root           11 Dec 23 14:10 /usr/bin/exim -> exim-4.43-3
-rwsr-xr-x    1 root     root      1576220 Dec 23 11:48 /usr/bin/exim-4.43-2
-rwsr-xr-x    1 root     root      1576220 Dec 23 14:10 /usr/bin/exim-4.43-3


Here's the first little bit of the debug output from the forked
delivery process (exim run: /usr/bin/exim -d -C /etc/exim/configure.new
-oX 26 -bd).

9689 forked delivery process 9712
9712 exec /usr/bin/exim -C /etc/exim/configure.new -d=0xfbbd5cfd -Mc 1CqOgw-0002WH-SO
9712 Exim version 4.43 uid=8 gid=12 pid=9712 D=fbbd5cfd
Berkeley DB: Sleepycat Software: Berkeley DB 3.1.17: (July 31, 2000)
Support for: iconv() PAM Perl OpenSSL
Lookups: lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmnz pgsql
Authenticators: cram_md5 plaintext spa
Routers: accept dnslookup ipliteral iplookup manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
Fixed never_users: 0
9712 changed uid/gid: -C, -D, -be or -bf forces real uid
9712 uid=8 gid=12 pid=9712
9712 auxiliary group list: 12
9712 configuration file is /etc/exim/configure.new

I wonder if this is affecting me since the uid that runs the delivery
process is not root:

"The -C facility is useful for ensuring that configuration files
are syntactically correct, but cannot be used for test deliveries,
unless the caller is privileged, or unless it is an exotic configuration
that does not require privilege. No check is made on the owner or
group of the files specified by this option."

After testing that hypothesis, it seems that it is because when I
use my testing configure file as the compiled in configure file
path.

It does seem a little odd though because earlier in the explanation
of the -C facility it states:

"When this option is used by a caller other than root or the Exim
user, and the list is different from the compiled-in list, Exim
gives up its root privilege immediately, and runs with the real and
effective uid and gid set to those of the caller."

Based on what the euid/uid are, the user that starts the delivery
process is 'mail' (uid=8) and in Local/Makefile I set EXIM_USER=ref:mail
so I would have expected it to work based on the above description.
Is something else at play or is my interpretation faulty?

Thanks for reminding me to re-examine my assumptions.

Ian

--
Ian Freislich
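
An added example, not part of the original message and not Exim's own code: a small Python check that reads the debug and main-log lines quoted in this message, reports which delivery process reverted to its real uid, and explains why the later uid/gid switch fails. The function names are hypothetical; the sample lines are copied from the message above.

```python
import re

# Sample input: lines copied from the debug output and main log quoted above.
DEBUG = """\
9712 exec /usr/bin/exim -C /etc/exim/configure.new -d=0xfbbd5cfd -Mc 1CqOgw-0002WH-SO
9712 Exim version 4.43 uid=8 gid=12 pid=9712 D=fbbd5cfd
9712 changed uid/gid: -C, -D, -be or -bf forces real uid
9712 uid=8 gid=12 pid=9712
"""
MAINLOG = ("2005-01-14 14:53:39 1CpQxN-0006zS-SR unable to set gid=518 or "
           "uid=518 (euid=8): local delivery to if <if@???> "
           "transport=vmail_delivery")

EXEC_RE = re.compile(r"^(\d+) exec (\S+) (.*)$")
DROP_RE = re.compile(r"^(\d+) changed uid/gid: (.+) forces real uid$")
IDS_RE = re.compile(r"^(\d+) uid=(\d+) gid=(\d+) pid=\d+$")
FAIL_RE = re.compile(
    r"unable to set gid=(\d+) or uid=(\d+) \(euid=(\d+)\).*transport=(\S+)")

def privilege_drops(debug_text):
    """Return {pid: info} for processes that reverted to their real uid."""
    procs = {}
    for line in debug_text.splitlines():
        if m := EXEC_RE.match(line):
            procs.setdefault(m[1], {})["argv"] = m[3].split()
        elif m := DROP_RE.match(line):
            procs.setdefault(m[1], {})["dropped"] = True
        elif m := IDS_RE.match(line):
            # Ids the process is left with after the change.
            procs.setdefault(m[1], {}).update(uid=int(m[2]), gid=int(m[3]))
    return {pid: info for pid, info in procs.items() if info.get("dropped")}

def explain_failure(log_line):
    """Explain an 'unable to set gid/uid' main-log entry, or return None."""
    m = FAIL_RE.search(log_line)
    if not m:
        return None
    gid, uid, euid = int(m[1]), int(m[2]), int(m[3])
    # A process whose euid is not 0 cannot switch to a different user.
    return {"transport": m[4], "want_uid": uid, "want_gid": gid,
            "euid": euid, "needs_root": euid != 0 and uid != euid}

if __name__ == "__main__":
    for pid, info in privilege_drops(DEBUG).items():
        print(pid, "runs as uid", info["uid"], "args:", " ".join(info["argv"]))
    print(explain_failure(MAINLOG))
```
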