Re: [exim] Spurious permission denied error

Top Page
Delete this message
Reply to this message
Author: Andrew C Aitchison
Date:  
To: Russell King
CC: exim-users
Subject: Re: [exim] Spurious permission denied error

On 27/04/2020 20:52, Russell King via Exim-users wrote:
> 2020-04-27 20:36:15 1jT9Y7-0003B4-Mf <= patchd@???

U=patchd P=local S=1535
> 2020-04-27 20:36:15 1jT9Y7-0003B4-Mf H=pandora.armlinux.org.uk

[xxxx:xxxx:xxxx:xxxx:214:fdff:fe10:1be6] Permission denied
> 2020-04-27 20:36:17 1jT9Y7-0003B4-Mf => user@??? R=smart_route

T=remote_smtp H=pandora.armlinux.org.uk
[xxxx:xxxx:xxxx:xxxx:214:fdff:fe10:1be6]
X=TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256 CV=yes A=fixed_cram C="250 OK
id=1jT9Y8-0004ff-Qf"
>
> My guess is that there is some file that exim can't access while
> attempting to send to pandora, but I think working out what is
> going to be very hard (I guess debug isn't allowed from non-root
> users?)


... and followed up with:
> and grepping the strace output for errors:
>
> 19841 openat(AT_FDCWD, "/var/spool/exim4//input//1jTM7j-0005A1-Na-D",
> O_RDWR|O_CREAT|O_EXCL|O_LARGEFILE, 0640) = -1 EACCES (Permission denied)
> 19841 openat(AT_FDCWD, "/var/log/exim4/mainlog",
> O_WRONLY|O_APPEND|O_LARGEFILE|O_CLOEXEC) = -1 EACCES (Permission denied)
> 19841 openat(AT_FDCWD, "/var/log/exim4/paniclog",
> O_WRONLY|O_APPEND|O_LARGEFILE|O_CLOEXEC) = -1 EACCES (Permission denied)
>
> So we're not getting anywhere near delivery (which is where the
> permission denied error is happening).


Are you sure that the permission denied error is happening near delivery ?
The timestamps suggest that the permission denied is nearer message input
(<=) than delivery (=>).

> This is entirely obvious (at least to me with
> 25+ years experience of Linux kernel, having ported it to the ARM
> architecture back in the 1990s) because running strace _prevents_ the OS
> from honouring the setuid bit on exim.


Can you confirm that it *is* honoured in your script ?

Whilst you clearly know a lot more about the kernel than me,
my recollection is that some of these things can be tweaked,
and some distributions have made the tweaks.

Quoted from man strace on ubuntu 20.04:

SETUID INSTALLATION
     If strace is installed setuid to root then the invoking user
     will be able to attach to and trace processes owned by any
     user.  In addition setuid and setgid programs will be
     executed and traced with the correct effective privileges.
     Since only users trusted with full root privileges should be
     allowed to do these things, it only makes sense to install
     strace as setuid to root when the users who can execute it
     are restricted to those users who have this trust.  For
     example, it makes sense to install a special version of
     strace with mode 'rwsr- xr--', user root and group trace,
     where members of the trace group are trusted users.  If you
     do use this feature, please remember to install a regular
     non-setuid version of strace for ordinary users to use.


With a special strace
# ls -l /usr/bin/strace.suid
-rwsr-x--- 1 root sudo 1489088 May  3  2019 /usr/bin/strace.suid*
#
# strace exim -d |& grep /var/spool/exim4
chdir("/var/spool/exim4")               = -1 EACCES (Permission denied)
stat("/var/spool/exim4", {st_mode=S_IFDIR|0750, st_size=4096, ...}) = 0
chdir("/var/spool/exim4")               = -1 EACCES (Permission denied)
#
# strace.suid exim -d |& grep /var/spool/exim4
chdir("/var/spool/exim4")               = 0
#


-- 
Andrew C. Aitchison                    Kendal, UK
             andrew@???