[exim-dev] Re: [Bug 3028] New: Running as unprivileged user …

Author: Andrew C Aitchison
Date:  
To: Exim Bugzilla
CC: exim-dev
Subject: [exim-dev] Re: [Bug 3028] New: Running as unprivileged user gives unspecific error "permission denied"
On Thu, 21 Sep 2023, Exim Bugzilla via Exim-dev wrote:

> Trying to gather information for bug 3027, I tried running exim as a listening
> service as an unprivileged user.
> That didn’t work and I just got a very unspecific error "permission denied":


> Enabling debugging did not add any useful information:
> % exim -C /dev/null -v -oX 1234 -bdf -d+all

         ...        ...

> exim: debugging permission denied


That last line is a specific policy warning.
The code that generates it directly follows the comment:
/* Only an admin user may start the daemon or force a queue run in
the default configuration, but the queue run restriction can be
relaxed. Only an admin user may request that a message be returned
to its sender forthwith. Only an admin user may specify a debug
level greater than D_v (because it might show passwords, etc. in
lookup queries). Only an admin user may request a queue count. Only
an admin user can use the test interface to scan for email (because
Exim will be in the spool dir and able to look at mails). */

So -d+all is definitely not allowed.

Who/what is an admin_user ? An earlier comment says:
/* If an action on specific messages is requested, or if a daemon or
queue runner is being started, we need to know if Exim was called by
an admin user. This is the case if the real user is root or exim,
or if the real group is exim, or if one of the supplementary groups
is exim or a group listed in admin_groups. We don't fail all message
actions immediately if not admin_user, since some actions can be
performed by non-admin users. Instead, set admin_user for later
interrogation. */


> My expectation is to be able to do that.
> Even more so the expectation is that I get a meaningful error
> message why it is not possible to do that so that I have a chance to
> figure out what’s wrong and fix it.


What is wrong is that you don't have debugging permission.
Now that you understand the reason for the message (I hope)
can you suggest a clearer message text ?

-------

For what it is worth, when I run
   exim -C /dev/null -v -oX 1234 -bdf -d+all
as a user with exim_group group permission, I get:
      ...       ...
16:36:02 401938 admin user
16:36:02 401938 dropping to exim gid; retaining priv uid
16:36:02 401938 changing group to 127 failed: Operation not permitted

Hmm. Even though I am a member of group 127, setgid(127) is failing.
Maybe I should follow that up ...

-- 
Andrew C. Aitchison                      Kendal, UK
                    andrew@???
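
The admin_user rule quoted in the message above, as an added example that is not Exim source and not part of the original post. It also models the general POSIX rule that an unprivileged setgid() accepts only the real or saved set-group-ID, so supplementary membership is not consulted. The struct names, the Exim uid 120 and the admin group 27 used in testing are constructed assumptions; gid 127 is taken from the log above.

```c
/* Added illustration, not Exim source. */
#include <stdbool.h>
#include <stddef.h>
#include <sys/types.h>

struct caller {               /* identity of the invoking process */
    uid_t ruid;               /* real uid */
    gid_t rgid, sgid;         /* real gid, saved set-group-ID */
    const gid_t *groups;      /* supplementary groups */
    size_t ngroups;
};

struct policy {               /* hypothetical stand-in for Exim's settings */
    uid_t exim_uid;
    gid_t exim_gid;
    const gid_t *admin_groups;
    size_t nadmin;
};

static bool in_list(gid_t g, const gid_t *list, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (list[i] == g) return true;
    return false;
}

/* Admin if the real user is root or exim, the real group is exim, or a
   supplementary group is exim or listed in admin_groups. */
bool is_admin_user(const struct caller *c, const struct policy *p) {
    if (c->ruid == 0 || c->ruid == p->exim_uid) return true;
    if (c->rgid == p->exim_gid) return true;
    for (size_t i = 0; i < c->ngroups; i++)
        if (c->groups[i] == p->exim_gid ||
            in_list(c->groups[i], p->admin_groups, p->nadmin))
            return true;
    return false;
}

/* Without privilege, setgid(target) succeeds only when target is the real
   gid or the saved set-group-ID; the supplementary list plays no part. */
bool unprivileged_setgid_ok(const struct caller *c, gid_t target) {
    return target == c->rgid || target == c->sgid;
}
```

A caller whose only link to gid 127 is supplementary membership passes the admin check but is refused by the setgid model.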

