Re: [exim] Working around “exim: permission denied”

Author: Michael Steigman
Date:  
To: exim-users
Old-Topics: Re: [exim] Working around “exim: permission denied”
New-Topics: Re: [exim] Working around “exim: permission denied”
Subject: Re: [exim] Working around “exim: permission denied”
Thanks for the response. You got me on the right track. As the name of the project I linked to suggests, this is a simple relay - there is no need for local delivery and the daemon listens on 8025 rather than 25, so the Dockerfile removes the setuid bit.

For giggles, I looked into re-enabling setuid and it appears that it’s not possible without some administrative tinkering (which I don’t have privileges to do).

I checked out Chapter 56, section 3 of the docs and don’t see any advice about running without setuid to either root or exim. That said, if this setup works running under the exim user:group, is there any place you could suggest I check when running this as another user, given the fact that this is a relay? Is there a way to enable more debugging info (exim is started with -bdf)? I tried strace but I don’t see anything obvious in that dump.

Here’s where I’m at right now with the same error:

RUN apk --no-cache add exim tini && \
mkdir /var/spool/exim && \
chgrp -R 0 /var/spool/exim && \
chmod -R g=u /var/spool/exim && \
ln -sf /dev/stdout /var/log/exim/mainlog && \
ln -sf /dev/stderr /var/log/exim/panic && \
ln -sf /dev/stderr /var/log/exim/reject && \
chgrp -R 0 /var/log/exim && \
chmod 0755 /usr/sbin/exim

Thanks!

Michael
On Jan 26, 2022, 12:41 PM -0500, Jeremy Harris via Exim-users <exim-users@???>, wrote:
> On 25/01/2022 21:05, Michael Steigman via Exim-users wrote:
> > With OpenShift, however, all containers are run by a user with an arbitrary ID. That ID is linked to the project you are running the image in. It’s usually something like 1001360000. OpenShift adds the user to the image and makes it a member of the group root before starting up a container with the image.
>
> I'm not a containers user myself, but Exim generally runs with the
> assumption it needs to become anybody - for two reasons: opening
> priv ports (25 is usually a restricted one) and delivery
> into users' mailboxes. Therefore, suid root.
>
> There are some notes in the docs on running in alternate modes,
> (but I've never tried).
>
> --
> Cheers,
> Jeremy
>
> --
> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/
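The Dockerfile lines in the message above rely on two plain Unix rules: an arbitrary uid that is a member of group 0 can write into a directory that has been `chgrp 0` and `chmod g=u`, and a binary with mode 0755 (setuid bit cleared) runs as whoever started it rather than as root or exim. The following Python model of those rules is an added example, not code from the thread or from the Exim project; the uid 1001360000, the assumption that `mkdir` produces 0755 under umask 022, and the function names are all constructed for illustration.

```python
"""Model of the POSIX permission and setuid rules behind the Dockerfile's
chgrp/chmod lines (added example; not Exim code)."""
import stat

# Constructed sample values: OpenShift assigns an arbitrary uid per project;
# the thread quotes ids shaped like 1001360000. Group 0 is root's group.
ARBITRARY_UID = 1001360000
ROOT_UID = 0
ROOT_GID = 0


def apply_g_eq_u(mode: int) -> int:
    """Effect of `chmod g=u`: replace the group rwx bits with the owner rwx bits."""
    owner_bits = (mode & stat.S_IRWXU) >> 3
    return (mode & ~stat.S_IRWXG) | owner_bits


def can_access(mode: int, owner_uid: int, owner_gid: int,
               uid: int, groups: set, want: str) -> bool:
    """Classic POSIX discretionary access decision.

    `want` is a string of 'r', 'w' and 'x'. Root bypasses the check, except
    that execute still needs at least one x bit set somewhere on the file.
    """
    needed = 0
    for c in want:
        needed |= {"r": 4, "w": 2, "x": 1}[c]
    if uid == ROOT_UID:
        return not ("x" in want and (mode & 0o111) == 0)
    if uid == owner_uid:
        bits = (mode & stat.S_IRWXU) >> 6
    elif owner_gid in groups:
        bits = (mode & stat.S_IRWXG) >> 3
    else:
        bits = mode & stat.S_IRWXO
    return (bits & needed) == needed


def effective_uid(caller_uid: int, file_mode: int, file_owner_uid: int) -> int:
    """Who a program runs as: the file owner if the setuid bit is set, else the caller."""
    return file_owner_uid if file_mode & stat.S_ISUID else caller_uid


def spool_mode_after_dockerfile(apply_fix: bool = True) -> int:
    """Mode of /var/spool/exim after `mkdir` (0755 under umask 022, an
    assumption), optionally followed by the thread's `chmod -R g=u`."""
    mode = 0o755
    return apply_g_eq_u(mode) if apply_fix else mode


def arbitrary_uid_can_write_spool(apply_fix: bool = True) -> bool:
    """Can the OpenShift uid (a member of group 0 only) create files in the spool?"""
    mode = spool_mode_after_dockerfile(apply_fix)
    # After `chgrp -R 0` the directory is root:root, so owner_gid is 0.
    # Creating a file in a directory needs both write and search (x) on it.
    return can_access(mode, ROOT_UID, ROOT_GID, ARBITRARY_UID, {ROOT_GID}, "wx")


def exim_runs_as(setuid_bit_set: bool = False) -> int:
    """Effective uid of a root-owned /usr/sbin/exim when started by the
    arbitrary uid. The Dockerfile's `chmod 0755` clears the setuid bit."""
    mode = 0o4755 if setuid_bit_set else 0o755
    return effective_uid(ARBITRARY_UID, mode, ROOT_UID)


if __name__ == "__main__":
    print(f"spool mode with g=u: {spool_mode_after_dockerfile():o}")
    print("arbitrary uid can write spool (with fix):", arbitrary_uid_can_write_spool(True))
    print("arbitrary uid can write spool (without fix):", arbitrary_uid_can_write_spool(False))
    print("exim effective uid without setuid bit:", exim_runs_as(False))
    print("exim effective uid with setuid bit:", exim_runs_as(True))
```

The model only covers discretionary permissions; it says nothing about what Exim itself checks once it finds it is running as a uid that is neither root nor the configured exim user, which is the part of the problem the message above is still asking about.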