[exim-dev] [Bug 3028] Running as unprivileged user gives uns…

Author: Exim Bugzilla
Date:
To: exim-dev
Subject: [exim-dev] [Bug 3028] Running as unprivileged user gives unspecific error "permission denied"
https://bugs.exim.org/show_bug.cgi?id=3028

--- Comment #6 from Hendrik Jäger [:henk] <bugs_exim@???> ---
(In reply to Andrew Aitchison from comment #5)
> Exim has determined that you are not an admin user, so do not have the
> authority to continue. In the code (exim.c circa line 4430) the "debugging"
> version of the message comes immediately after a comment:
>
> […]
>
> ** Since you are trying to start a daemon you need to do as an admin.
> ** Now that you understand the reason for the message (I hope)
> ** can you suggest a clearer message text ?
>
> For this sort of testing I recommend that either your test user belongs to
> your exim group, or to a group declared in your test config in the
> "admin_group" entry.


That was a very helpful hint and I now got it to run (seemingly) fine as a
user!
The config I’m using for that now is:

% cat tmp/2023-09-20_exim_config.conf
daemon_smtp_ports = 1234
spool_directory = /home/henk/tmp/exim_spool_test
# log_file_path = /home/henk/tmp/exim_log_test/exim_%slog
pid_file_path = /home/henk/tmp/exim_pid
exim_user = henk
exim_group = henk
# admin_groups = henk

14:30:07 θ64° 1z [henk:~] <system> % exim -C tmp/2023-09-20_exim_config.conf -v -bdf -d+all
14:30:11 18477 Exim version 4.96 uid=1000 gid=1000 pid=18477 D=fff9ffff
14:30:11 18477 Support for: crypteq iconv() IPv6 GnuTLS TLS_resume
move_frozen_messages DANE DKIM DNSSEC Event I18N OCSP PIPECONNECT PRDR
Queue_Ramp SOCKS SRS TCP_Fast_Open
14:30:11 18477 Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch
cdb dbm dbmjz dbmnz dnsdb dsearch nis nis0 passwd
14:30:11 18477 Authenticators: cram_md5 external plaintext
14:30:11 18477 Routers: accept dnslookup ipliteral manualroute queryprogram
redirect
14:30:11 18477 Transports: appendfile/maildir/mailstore autoreply lmtp pipe
smtp
14:30:11 18477 Fixed never_users: 0
14:30:11 18477 Configure owner: 0:0
14:30:11 18477 Size of off_t: 8
14:30:11 18477 Compiler: GCC [12.2.0]
14:30:11 18477 Library version: Glibc: Compile: 2.36
14:30:11 18477                         Runtime: 2.36
14:30:11 18477 Library version: BDB: Compile: Berkeley DB 5.3.28: (September 
9, 2013)
14:30:11 18477                       Runtime: Berkeley DB 5.3.28: (September 
9, 2013)
14:30:11 18477 Library version: GnuTLS: Compile: 3.7.9
14:30:11 18477                          Runtime: 3.7.9
14:30:11 18477 Library version: IDN2: Compile: 2.3.3
14:30:11 18477                        Runtime: 2.3.3
14:30:11 18477 Library version: Stringprep: Compile: 1.41
14:30:11 18477                              Runtime: 1.41
14:30:11 18477 Library version: PCRE2: Compile: 10.42
14:30:11 18477                         Runtime: 10.42 2022-12-11
14:30:11 18477 Total 14 lookups
14:30:11 18477 WHITELIST_D_MACROS: "OUTGOING"
14:30:11 18477 TRUSTED_CONFIG_LIST: "/etc/exim4/trusted_configs"
14:30:11 18477 changed uid/gid: -C, -D, -be or -bf forces real uid
14:30:11 18477   uid=1000 gid=1000 pid=18477
14:30:11 18477   auxiliary group list: 4 6 7 20 24 25 29 30 44 46 50 104 108
109 114 117 119 121 122 123 136 139 140 148 150 152 162 1000 1001
14:30:11 18477 seeking password data for user "henk": cache not available
14:30:11 18477 getpwnam() succeeded uid=1000 gid=1000
14:30:11 18477 LOG: MAIN
14:30:11 18477   Warning: purging the environment.
14:30:11 18477  Suggested action: use keep_environment.
14:30:11 18477 configuration file is tmp/2023-09-20_exim_config.conf
14:30:11 18477 log selectors = 00000ffc 64205022 0000000c
14:30:11 18477 LOG: MAIN PANIC
14:30:11 18477   exim user lost privilege for using -C option
14:30:11 18477 trusted user
14:30:11 18477 admin user
14:30:11 18477 dropping to exim gid; retaining priv uid
14:30:11 18477 originator: uid=1000 gid=1000 login=henk name="Hendrik
Jaeger,,,"
14:30:11 18477 LOG: MAIN
14:30:11 18477   Warning: No server certificate defined; will use a selfsigned
one.
14:30:11 18477  Suggested action: either install a certificate or change
tls_advertise_hosts option
14:30:11 18477 fresh-exec forking for cipher-validate
14:30:11 18477 fresh-exec forked for cipher-validate: 18478
14:30:11 18478 postfork: cipher-validate
14:30:11 18478 >>>>>>>>>>>>>>>> Exim pid=18478 (cipher-validate) terminating
with rc=0 >>>>>>>>>>>>>>>>
14:30:11 18477 tls_validate_require_cipher child 18478 ended: status=0x0
14:30:11 18477 creating notifier socket
14:30:11 18477  ╭considering: $spool_directory/exim_daemon_notify
14:30:11 18477  ├considering: /exim_daemon_notify
14:30:11 18477  ├───────text: /exim_daemon_notify
14:30:11 18477  ├──expanding: $spool_directory/exim_daemon_notify
14:30:11 18477  ╰─────result: /home/henk/tmp/exim_spool_test/exim_daemon_notify
14:30:11 18477  @/home/henk/tmp/exim_spool_test/exim_daemon_notify
14:30:11 18477 listening on all interfaces (IPv6) port 1234
14:30:11 18477 listening on all interfaces (IPv4) port 1234
14:30:11 18477 pid written to /home/henk/tmp/exim_pid
14:30:11 18477 changed uid/gid: running as a daemon
14:30:11 18477   uid=1000 gid=1000 pid=18477
14:30:11 18477   auxiliary group list: 4 6 7 20 24 25 29 30 44 46 50 104 108
109 114 117 119 121 122 123 136 139 140 148 150 152 162 1000 1001
14:30:11 18477 LOG: MAIN
14:30:11 18477   exim 4.96 daemon started: pid=18477, no queue runs, listening
for SMTP on port 1234 (IPv6 and IPv4)
14:30:11 18477 set_process_info: 18477 daemon(4.96): no queue runs, listening
for SMTP on port 1234 (IPv6 and IPv4)
14:30:11 18477 GnuTLS global init required
14:30:11 18477 TLS: basic cred init, server
14:30:11 18477 TLS: generating selfsigned server cert
14:30:12 18477 GnuTLS<3>: ASSERT:
../../../lib/nettle/mpi.c[wrap_nettle_mpi_print]:60
14:30:12 18477 GnuTLS<3>: ASSERT:
../../../lib/nettle/mpi.c[wrap_nettle_mpi_print]:60
14:30:12 18477 GnuTLS<3>: ASSERT:
../../../lib/nettle/mpi.c[wrap_nettle_mpi_print]:60
14:30:12 18477 GnuTLS<3>: ASSERT:
../../../lib/nettle/mpi.c[wrap_nettle_mpi_print]:60
14:30:12 18477 GnuTLS<3>: ASSERT:
../../../lib/nettle/mpi.c[wrap_nettle_mpi_print]:60
14:30:12 18477 GnuTLS<3>: ASSERT:
../../../lib/nettle/mpi.c[wrap_nettle_mpi_print]:60
14:30:12 18477 GnuTLS<3>: ASSERT:
../../../lib/nettle/mpi.c[wrap_nettle_mpi_print]:60
14:30:12 18477 GnuTLS<3>: ASSERT:
../../../lib/nettle/mpi.c[wrap_nettle_mpi_print]:60
14:30:12 18477 GnuTLS<3>: ASSERT:
../../../lib/nettle/mpi.c[wrap_nettle_mpi_print]:60
14:30:12 18477 GnuTLS<3>: ASSERT:
../../../lib/nettle/mpi.c[wrap_nettle_mpi_print]:60
14:30:12 18477 GnuTLS<2>: Disabling X.509 extensions.
14:30:12 18477 GnuTLS<2>: signing structure using RSA-SHA256
14:30:12 18477 GnuTLS<3>: ASSERT:
../../../lib/nettle/mpi.c[wrap_nettle_mpi_print]:60
14:30:12 18477 GnuTLS<3>: ASSERT:
../../../lib/nettle/mpi.c[wrap_nettle_mpi_print]:60
14:30:12 18477 GnuTLS<3>: ASSERT:
../../../lib/nettle/mpi.c[wrap_nettle_mpi_print]:60
14:30:12 18477 GnuTLS<3>: ASSERT:
../../../lib/nettle/mpi.c[wrap_nettle_mpi_print]:60
14:30:12 18477 GnuTLS<3>: ASSERT:
../../../lib/nettle/mpi.c[wrap_nettle_mpi_print]:60
14:30:12 18477 GnuTLS<3>: ASSERT:
../../../lib/nettle/mpi.c[wrap_nettle_mpi_print]:60
14:30:12 18477 GnuTLS<3>: ASSERT:
../../../lib/nettle/mpi.c[wrap_nettle_mpi_print]:60
14:30:12 18477 GnuTLS<3>: ASSERT:
../../../lib/nettle/mpi.c[wrap_nettle_mpi_print]:60
14:30:12 18477 GnuTLS<3>: ASSERT:
../../../lib/nettle/mpi.c[wrap_nettle_mpi_print]:60
14:30:12 18477 GnuTLS<3>: ASSERT:
../../../lib/x509/x509_ext.c[gnutls_subject_alt_names_get]:111
14:30:12 18477 GnuTLS<3>: ASSERT: ../../../lib/x509/x509.c[get_alt_name]:2012
14:30:12 18477 GnuTLS<3>: ASSERT:
../../../lib/nettle/mpi.c[wrap_nettle_mpi_print]:60
14:30:12 18477 TLS: preloading CA bundle for server
14:30:12 18477 GnuTLS<3>: ASSERT:
../../../lib/x509/dn.c[_gnutls_x509_compare_raw_dn]:1039
14:30:12 18477 GnuTLS<3>: ASSERT:
../../../lib/x509/dn.c[_gnutls_x509_compare_raw_dn]:1039
14:30:12 18477 GnuTLS<3>: ASSERT:
../../../lib/x509/dn.c[_gnutls_x509_compare_raw_dn]:1039
14:30:12 18477 Added 142 certificate authorities
14:30:12 18477 TLS: not preloading CRL for server
14:30:12 18477 TLS: preloading cipher list for server: NULL
14:30:12 18477 GnuTLS using default session cipher/priority "NORMAL"
14:30:12 18477 GnuTLS<2>: added 6 protocols, 29 ciphersuites, 19 sig algos and
10 groups into priority list
14:30:12 18477 daemon running with uid=1000 gid=1000 euid=1000 egid=1000
14:30:12 18477 Listening...
^C14:30:13 18477 SIGTERM/SIGINT seen
14:30:13 18477 daemon forking for daemon-del-pidfile
14:30:13 18477 daemon forked for daemon-del-pidfile: 18486
14:30:13 18486 postfork: daemon-del-pidfile
14:30:13 18486 exec /usr/sbin/exim4 -C tmp/2023-09-20_exim_config.conf
-d=0xfff9ffff -MCd daemon-del-pidfile -oPX
exim: only uid=0 or uid=106 can use -oP and -oPX (uid=1000 euid=0 | 1000)
14:30:13 18477 search_tidyup called
14:30:13 18477 >>>>>>>>>>>>>>>> Exim pid=18477 (daemon) terminating with rc=0 >>>>>>>>>>>>>>>>



I’m not quite sure how to phrase most of my thoughts about the issues I
encountered during this whole process properly but I’ll try:
0) Running exim as a user without any config at all produces a very unspecific
"permission denied" message that is completely uninformative:
% exim -C /dev/null -v -bdf
LOG: MAIN
Warning: purging the environment.
Suggested action: use keep_environment.
exim: permission denied

It gets better when adding a config with just exim_user defined:
% cat tmp/2023-09-20_exim_config.conf
exim_user = henk

% exim -C tmp/2023-09-20_exim_config.conf -v -bdf
LOG: MAIN
Warning: purging the environment.
Suggested action: use keep_environment.
LOG: MAIN PANIC
exim user lost privilege for using -C option
LOG: MAIN
Warning: No server certificate defined; will use a selfsigned one.
Suggested action: either install a certificate or change tls_advertise_hosts
option
7615 LOG: MAIN PANIC
7615 daemon_notifier_socket bind: Address already in use
7615 LOG: MAIN
7615 socket bind() to port 25 for address (any IPv6) failed: Permission
denied: waiting 30s before trying again (9 more tries)

I’m still unclear about what actually is the issue causing the "permission
denied" error.
Trying to drop root privileges and switching to the user it is configured (by
compile-time options?) to run as?
If so, it should IMHO not even try to do this. It already knows that it was
started as an unprivileged user and that it drops its root privileges from
being setuid because of -C, so I think it should just continue as if 'exim_user
= the_current_user' was set.
Again: my understanding of this case is very limited so far so my suggestion
might be totally nonsensical.
Maybe a message like "Exim has not been started by a user who is a member in
one of the groups configured in the admin_groups setting. If you really intend
to run exim as an unprivileged user, set the exim_user configuration variable
accordingly." would be more useful to the user, if my understanding of the
issue is correct.


1) With the config above with just exim_user set, invoking exim with '-d+all'
also "works fine", i.e. no "debugging permission denied" error. So the same
problem with suggesting a solution: I don’t really understand the problem, I
think.


It actually all boiled down to having 'exim_user' set to the current user.
Having this figured out, exim started to give reasonably informative output
about any other problems it encountered that led to the config I posted at the
top of this comment.

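Added example, not part of the original message and not Exim's own code: a pre-flight check that approximates the admin-user rule quoted from comment #5 (the user is exim_user, or belongs to exim_group or a group in admin_groups) by reading a test config before starting the daemon with -C. The function names conf_get and is_admin_candidate and the second user "alice" are hypothetical; compiled-in defaults are not consulted.

```shell
#!/bin/sh
# Added example, not Exim code. Approximates the admin-user rule quoted from
# comment #5 using only what the runtime config file sets. Assumption:
# compiled-in defaults (EXIM_USER etc.) are NOT consulted, so a negative result
# means "this config does not make the user an admin", nothing more.

# conf_get FILE OPTION: print the last uncommented "OPTION = value" value.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*\$/\1/p" "$1" | tail -n 1
}

# is_admin_candidate FILE USER "GROUP ..."
# Returns 0 when USER is exim_user, or one of the groups is exim_group or
# appears in the colon-separated admin_groups list.
is_admin_candidate() {
    conf=$1; user=$2; grps=$3
    exim_user=$(conf_get "$conf" exim_user)
    exim_group=$(conf_get "$conf" exim_group)
    admin_groups=$(conf_get "$conf" admin_groups | tr ':' ' ')
    [ -n "$exim_user" ] && [ "$user" = "$exim_user" ] && return 0
    for g in $grps; do
        [ -n "$exim_group" ] && [ "$g" = "$exim_group" ] && return 0
        for a in $admin_groups; do
            [ "$g" = "$a" ] && return 0
        done
    done
    return 1
}

demo() {
    cfg=$(mktemp) || return 1
    # Constructed config mirroring the one posted in the comment.
    printf '%s\n' 'exim_user = henk' 'exim_group = henk' \
        '# admin_groups = henk' > "$cfg"
    for u in henk alice; do   # "alice" is a constructed second user
        if is_admin_candidate "$cfg" "$u" "$u users"; then
            echo "$u: admin user under this config"
        else
            echo "$u: not an admin user under this config"
        fi
    done
    rm -f "$cfg"
}
demo
# For the invoking user: is_admin_candidate FILE "$(id -un)" "$(id -Gn)"
```
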