On 27/04/2020 20:52, Russell King via Exim-users wrote:
> 2020-04-27 20:36:15 1jT9Y7-0003B4-Mf <= patchd@???
U=patchd P=local S=1535
> 2020-04-27 20:36:15 1jT9Y7-0003B4-Mf H=pandora.armlinux.org.uk
[xxxx:xxxx:xxxx:xxxx:214:fdff:fe10:1be6] Permission denied
> 2020-04-27 20:36:17 1jT9Y7-0003B4-Mf => user@??? R=smart_route
T=remote_smtp H=pandora.armlinux.org.uk
[xxxx:xxxx:xxxx:xxxx:214:fdff:fe10:1be6]
X=TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256 CV=yes A=fixed_cram C="250 OK
id=1jT9Y8-0004ff-Qf"
>
> My guess is that there is some file that exim can't access while
> attempting to send to pandora, but I think working out what is
> going to be very hard (I guess debug isn't allowed from non-root
> users?)
... and followed up with:
> and grepping the strace output for errors:
>
> 19841 openat(AT_FDCWD, "/var/spool/exim4//input//1jTM7j-0005A1-Na-D",
> O_RDWR|O_CREAT|O_EXCL|O_LARGEFILE, 0640) = -1 EACCES (Permission denied)
> 19841 openat(AT_FDCWD, "/var/log/exim4/mainlog",
> O_WRONLY|O_APPEND|O_LARGEFILE|O_CLOEXEC) = -1 EACCES (Permission denied)
> 19841 openat(AT_FDCWD, "/var/log/exim4/paniclog",
> O_WRONLY|O_APPEND|O_LARGEFILE|O_CLOEXEC) = -1 EACCES (Permission denied)
>
> So we're not getting anywhere near delivery (which is where the
> permission denied error is happening).
Are you sure that the permission denied error is happening near delivery ?
The timestamps suggest that the permission denied is nearer message input
(<=) than delivery (=>).
> This is entirely obvious (at least to me with
> 25+ years experience of Linux kernel, having ported it to the ARM
> architecture back in the 1990s) because running strace _prevents_ the OS
> from honouring the setuid bit on exim.
Can you confirm that it *is* honoured in your script ?
Whilst you clearly know a lot more about the kernel than me,
my recollection is that some of these things can be tweaked,
and some distributions have made the tweaks.
Quoted from man strace on ubuntu 20.04:
SETUID INSTALLATION
If strace is installed setuid to root then the invoking user
will be able to attach to and trace processes owned by any
user. In addition setuid and setgid programs will be
executed and traced with the correct effective privileges.
Since only users trusted with full root privileges should be
allowed to do these things, it only makes sense to install
strace as setuid to root when the users who can execute it
are restricted to those users who have this trust. For
example, it makes sense to install a special version of
strace with mode 'rwsr- xr--', user root and group trace,
where members of the trace group are trusted users. If you
do use this feature, please remember to install a regular
non-setuid version of strace for ordinary users to use.
With a special strace
# ls -l /usr/bin/strace.suid
-rwsr-x--- 1 root sudo 1489088 May 3 2019 /usr/bin/strace.suid*
#
# strace exim -d |& grep /var/spool/exim4
chdir("/var/spool/exim4") = -1 EACCES (Permission denied)
stat("/var/spool/exim4", {st_mode=S_IFDIR|0750, st_size=4096, ...}) = 0
chdir("/var/spool/exim4") = -1 EACCES (Permission denied)
#
# strace.suid exim -d |& grep /var/spool/exim4
chdir("/var/spool/exim4") = 0
#
--
Andrew C. Aitchison Kendal, UK
andrew@???
