[exim] Transport configuration - initgroups

Top Page
Delete this message
Reply to this message
Author: Phillip Carroll
Date:  
To: exim-users
Subject: [exim] Transport configuration - initgroups
I hope this note will save someone else wasted time:

Scenario:

Configure an exim transport instance that requires access to a file
which is owned by a uid other than the exim user, but the exim user is a
member of the owning user's group.

In my case, I implemented DKIM signing where the private key file has
chown settings: opendkim:opendkim. The exim daemon runs by default as
user "exim" and user exim is a member of group opendkim. The dkim
private key file has 640 permissions. Therefore I expected the
transport to be able to read the signing key.

However, when signing was attempted on any message, an error was logged
"unable to open private key file for reading:
/correct/path/to/privatekeyfile".

After wasting the better part of a day, first exhaustively checking and
rechecking every aspect of permissions on the entire path, and then
reading a large portion of the exim doc front to back, the following
setting was finally discovered in Chapter 24:

initgroups

After specifying this option, et voilà enfin une résolution! Key is
read, messages signed, all is well.

In chapter 24: "Generic options for transports", the initgroups option
is introduced and described as follows:

"If this option is true and the uid for the delivery process is provided
by the transport, the initgroups() function is called when running the
transport to ensure that any additional groups associated with the uid
are set up."

I took that description to imply that UNLESS the transport specifies a
user, the option is unnecessary. This transport instance does not
specify a user. (The only transport that specifies a user is local
delivery.)

However, the description apparently means that if the transport requires
access to any file using a supplementary group membership of the default
exim user, then either the initgroups option or the group option must be
specified. If that is what it means, then instead of the presently
tortured English description, the doc should make that fact explicit in
more understandable English (prominently). In my humble opinion.

It should also be better understood by document authors that most exim
users will NOT be *nix developers. Many veteran *nix users will normally
expect (as I did) that if a process is run as user 'x' then group read
permission should be sufficient for reading a file owned by a group of
which 'x" is a member.