Re: [exim] How to access pgsql client cert when running suid…

Góra strony
Delete this message
Reply to this message
Autor: Axel Rau
Data:  
Dla: Jeremy Harris
CC: Exim-users
Temat: Re: [exim] How to access pgsql client cert when running suid ?


> Am 24.05.2022 um 00:37 schrieb Jeremy Harris via Exim-users <exim-users@???>:
>
> On 23/05/2022 20:38, Axel Rau via Exim-users wrote:
>> After turning on setuid bit on exim binary, it could no longer access
>> the DB (error=‚valid client cert required‘)
>
> setuid to what (I assume root, but...)?

-rwsr-xr-x 1 root wheel 1280960 Apr 9 12:15 /usr/local/sbin/exim

> Access during what phase of operation?

1st hit happens with alias routers:
- - -
2022-05-24T15:06:53.393720+00:00 mx4 exim[44885] 1ntW77-000Bfx-3J <= root@??? H=ping.lrau.net [2a02:c207:3005:2350:144:91:89:26] P=smtp S=442 for axel.rau@???
2022-05-24T15:06:53.425991+00:00 mx4 exim[46232] 1ntW77-000Bfx-3J == axel.rau@??? R=postgresql_sys_aliases defer (-1) DT=0s: Temporary internal error
- - -
# System aliases and aliases with more than one target are handled by exim via ERDB

postgresql_sys_aliases:
  driver = redirect
  allow_fail
  allow_defer
  data = ${lookup pgsql {SELECT aliasTargetAddresses FROM mailbox \
            WHERE type = 'S' AND localPart ='${quote_pgsql:${lc:$local_part}}'}}


postgresql_aliases:
  driver = redirect
  allow_fail
  allow_defer
  data = ${lookup pgsql {SELECT M.aliastargetaddresses \
                         FROM mailbox M \
                         JOIN localdomain D on (M.localdomainfk=D.id) \
                         WHERE M.localPart ='${quote_pgsql:${lc:$local_part}}' AND \
                             D.name='${quote_pgsql:${lc:$domain}}'}}


- - -
But more DB usage (including INSERTs and UPDATEs) are in the acls.

PostgreSQL log shows that exim issues 3 connections, where only number 2 fails:
- - -
2022-05-24 15:06:53.374 GMT,,,63253,"2a05:bec0:26:2::72:25527",628cf48d.f715,1,"",2022-05-24 15:06:53 GMT,,0,LOG,00000,"connection received: host=2a05:bec0:26:2::72 port=25527",,,,,,,,,"","not initialized"
2022-05-24 15:06:53.387 GMT,"erdb_op","operations",63253,"2a05:bec0:26:2::72:25527",628cf48d.f715,2,"authentication",2022-05-24 15:06:53 GMT,23/54087,0,LOG,00000,"connection authorized: user=erdb_op database=operations SSL enabled (protocol=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384, bits=256, compression=off)",,,,,,,,,"","client backend"
2022-05-24 15:06:53.394 GMT,"erdb_op","operations",63253,"2a05:bec0:26:2::72:25527",628cf48d.f715,3,"idle",2022-05-24 15:06:53 GMT,,0,LOG,00000,"disconnection: session time: 0:00:00.020 user=erdb_op database=operations host=2a05:bec0:26:2::72 port=25527",,,,,,,,,"","client backend"
2022-05-24 15:06:53.410 GMT,,,63254,"2a05:bec0:26:2::72:22314",628cf48d.f716,1,"",2022-05-24 15:06:53 GMT,,0,LOG,00000,"connection received: host=2a05:bec0:26:2::72 port=22314",,,,,,,,,"","not initialized"
2022-05-24 15:06:53.423 GMT,"erdb_op","operations",63254,"2a05:bec0:26:2::72:22314",628cf48d.f716,2,"authentication",2022-05-24 15:06:53 GMT,23/54090,0,FATAL,28000,"connection requires a valid client certificate",,,,,,,,,"","client backend"
2022-05-24 15:06:53.425 GMT,,,63284,"2a05:bec0:26:2::72:49593",628cf48d.f734,1,"",2022-05-24 15:06:53 GMT,,0,LOG,00000,"connection received: host=2a05:bec0:26:2::72 port=49593",,,,,,,,,"","not initialized"
2022-05-24 15:06:53.426 GMT,"erdb_op","operations",63284,"2a05:bec0:26:2::72:49593",628cf48d.f734,2,"authentication",2022-05-24 15:06:53 GMT,23/54091,0,FATAL,28000,"no pg_hba.conf entry for host ""2a05:bec0:26:2::72"", user ""erdb_op"", database ""operations"", SSL off",,,,,,,,,"","client backend"
2022-05-24 15:06:53.712 GMT,,,63423,"2a05:bec0:26:5::77:12574",628cf48d.f7bf,1,"",2022-05-24 15:06:53 GMT,,0,LOG,00000,"connection received: host=2a05:bec0:26:5::77 port=12574",,,,,,,,,"","not initialized"
- - -

Another case is with the outgoing relay, which logs:
- - -
[1\4] 1ntDMI-000LG4-6m failed to expand event_action msg:delivery in remote_smtp: lookup of "SELECT * FROM record_Delivery( 'Lechner-Rau.de','axel.rau', 'lechner-rau.de', 'axel.rau', '2a05:bec0:26:5::72', 'mx5.lrau.net', '1ntDMI-000LG4-6m', '250- 1880 byte chunk, total 1880\\n250 OK id=1ntDMI-000LM5-70')" gave DEFER: PGSQL connection failed: FATAL: connection requires a valid client certificate
- - -
Which is triggered by this part of the config:
- - -
# -------------------------------------------------------------------
# log delivery in DB
# -------------------------------------------------------------------

  event_action = ${if eq {msg:delivery}{$event_name} \
    {${lookup pgsql {SELECT * FROM record_Delivery( \
    '${quote_pgsql:$sender_address_domain}',\
    '${quote_pgsql:${lc:$sender_address_local_part}}', \
    '${quote_pgsql:$domain}', \
    '${quote_pgsql:${lc:$local_part}}', \
    '${quote_pgsql:$host_address}', \
    '${quote_pgsql:${lc:$host}}', \
    '${quote_pgsql:$message_exim_id}', \
    '${quote_pgsql:$event_data}')}} \
} {}}
. . .
By the way db address is an alias:
root@mx4:/var/log # host db.lrau.net
db.lrau.net is an alias for dbo5.lrau.net.
dbo5.lrau.net has address 91.216.35.27
dbo5.lrau.net has IPv6 address 2a05:bec0:26:5::77



Axel
---
PGP-Key: CDE74120 ☀ computing @ chaos claudius