Bug#318039: marked as done (Needs to run as root with X)

Debian Bug Tracking System owner@bugs.debian.org
Thu, 14 Jul 2005 02:18:21 -0700


Your message dated Thu, 14 Jul 2005 12:00:49 +0300
with message-id <20050714090049.GB5123@localhost.localdomain>
and subject line Bug#318039: Needs to run as root with X
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 13 Jul 2005 02:15:39 +0000
From andrewb@ab.bgc.com.au Tue Jul 12 19:15:39 2005
Return-path: <andrewb@ab.bgc.com.au>
Received: from adsl-14-221.swiftdsl.com.au [218.214.14.221] (spamtrap)
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1DsWmh-0004RD-00; Tue, 12 Jul 2005 19:15:39 -0700
Received: from [127.0.0.1] (helo=sparc.ab.bgc.com.au)
	by adsl-14-221.swiftdsl.com.au with smtp (Exim 4.50)
	id 1DsWma-0007yk-7X; Wed, 13 Jul 2005 10:15:32 +0800
Date: Wed, 13 Jul 2005 10:15:32 +0800
From: Andrew Buckeridge <andrewb@ab.bgc.com.au>
To: submit@bugs.debian.org
Subject: Needs to run as root with X
Message-Id: <20050713101532.321097ec.andrewb@ab.bgc.com.au>
X-Mailer: Sylpheed version 1.0.4 (GTK+ 1.2.10; sparc-unknown-linux-gnu)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-SA-Exim-Connect-IP: 127.0.0.1
X-SA-Exim-Mail-From: andrewb@ab.bgc.com.au
X-SA-Exim-Scanned: No (on adsl-14-221.swiftdsl.com.au); SAEximRunCond expanded to false
Delivered-To: submit@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 

package: eximon4
version: 4.50-8

In Debian eximon has to run as root, but Xing to root is probably not a
good idea.  Having log and spool directories readable by user or group
then eximon will sort of work.  Without access to the spool files
eximon.bin says "can't read spool file", but is still useful.

The eximon script could use newgrp or eximon.bin could be setgid.
The spool directory would then need to be matching group, but then
content scanners (such as clamav-daemon) would also need group access.

In /etc/group:
adm:x:4:clamav
	OR
Debian-exim:x:110:clamav

The question is do you make it group adm or group Debian-exim?
I would make both log and spool group Debian-exim and the script
invoke eximon.bin with sg Debian-exim.

For now I have just made world readable and kept groups the same thus
eximon needs no privilege escalation to half work.  (For privacy spool
files are still not world readable.)

In /etc/clamav/clamd.conf:
AllowSupplementaryGroups

drwxr-xr-x  2 Debian-exim adm         /var/log/exim4
drwxr-xr-x  2 Debian-exim Debian-exim /var/spool/exim4/input/

In line 8 of /etc/logrotate.d/exim4-base:
create 644 Debian-exim adm

An annoyance when I X to root via ssh is that I can't always set argv[0]
when starting eximon.

The file is always called eximon and the script just puts .bin on the
end and looks elsewhere.  Wouldn't it be simpler to just put the literal
path to the binary?

I have changed line 3 in file /usr/sbin/eximon:
EXIMON_BINARY=/usr/lib/exim4/eximon.bin
-- 
		\|/ ____ \|/
		"@'/ .. \`@"
		/_| \__/ |_\
		   \__U_/
6279EACE 2004-04-23 Andrew Buckeridge <andrewb@bgc.com.au>
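
The report above argues for letting eximon read exim4's log and spool directories through group membership (adm, Debian-exim) instead of forwarding X to root. The script below is an added example, not part of the bug report or of the eximon package: it checks, for a given user, whether the log and spool directories would be readable without any privilege escalation, by comparing the user's supplementary groups (`id -Gn`) against each directory's group and mode bits. The directory paths and group names are taken from the report; the check takes them as parameters so it can also be run against a constructed temporary tree.

```shell
#!/bin/sh
# Added example (not from the bug report): can USER read exim4's log and
# spool directories without becoming root? Assumed layout, from the report:
# /var/log/exim4 is group adm and /var/spool/exim4/input is group Debian-exim.

# mode_and_group DIR -> prints "<mode-string> <group>", e.g. "drwxr-x--- adm"
mode_and_group() {
    ls -ld "$1" | awk '{ print $1, $4 }'
}

# in_list ITEM LIST -> 0 if ITEM is one of the space-separated words in LIST
in_list() {
    for w in $2; do
        [ "$w" = "$1" ] && return 0
    done
    return 1
}

# dir_readable_by DIR GROUPS -> 0 if a non-root process whose groups are
# GROUPS (space-separated, as printed by `id -Gn`) can list and enter DIR:
# either "other" has r-x, or "group" has r-x and DIR's group is in GROUPS.
dir_readable_by() {
    dir=$1; groups=$2
    [ -d "$dir" ] || return 1
    set -- $(mode_and_group "$dir")
    mode=$1; grp=$2
    # mode string positions: 1 type, 2-4 user, 5-7 group, 8-10 other
    g=$(printf '%s' "$mode" | cut -c5-7)
    o=$(printf '%s' "$mode" | cut -c8-10)
    case $o in r?x) return 0 ;; esac
    case $g in
        r?x) in_list "$grp" "$groups" && return 0 ;;
    esac
    return 1
}

# check_eximon_access USER LOGDIR SPOOLDIR -> 0 if USER can read both
# directories, 1 otherwise; one line of report per directory on stdout.
check_eximon_access() {
    user=$1; logdir=$2; spooldir=$3
    groups=$(id -Gn "$user") || return 1
    rc=0
    for d in "$logdir" "$spooldir"; do
        if dir_readable_by "$d" "$groups"; then
            echo "ok:   $user can read $d ($(mode_and_group "$d"))"
        else
            echo "FAIL: $user cannot read $d ($(mode_and_group "$d")); eximon would need root"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone usage against the layout described in the report:
#   check_eximon_access "$USER" /var/log/exim4 /var/spool/exim4/input
```

The check reasons purely from mode bits and group ownership, so it gives the same answer whoever runs it (root included), which is the point: it tells you whether the group-based setup from the report is sufficient before anyone resorts to running eximon as root.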

---------------------------------------
Received: (at 318039-done) by bugs.debian.org; 14 Jul 2005 09:10:22 +0000
From ametzler@downhill.at.eu.org Thu Jul 14 02:10:22 2005
Return-path: <ametzler@downhill.at.eu.org>
Received: from smtp-4.hut.fi [130.233.228.94] 
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1Dszja-0004co-00; Thu, 14 Jul 2005 02:10:22 -0700
Received: from localhost (katosiko.hut.fi [130.233.228.115])
	by smtp-4.hut.fi (8.12.10/8.12.10) with ESMTP id j6E99nQF004925
	for <318039-done@bugs.debian.org>; Thu, 14 Jul 2005 12:09:49 +0300
Received: from smtp-4.hut.fi ([130.233.228.94])
 by localhost (katosiko.hut.fi [130.233.228.115]) (amavisd-new, port 10024)
 with LMTP id 23124-11-2 for <318039-done@bugs.debian.org>;
 Thu, 14 Jul 2005 12:09:49 +0300 (EEST)
Received: from localhost.localdomain (a130-233-4-91.debconf5.hut.fi [130.233.4.91])
	by smtp-4.hut.fi (8.12.10/8.12.10) with ESMTP id j6E90n2L003553
	for <318039-done@bugs.debian.org>; Thu, 14 Jul 2005 12:00:49 +0300
Received: from ametzler by localhost.localdomain with local (Exim 4.50)
	id 1DszaL-00084G-4h
	for 318039-done@bugs.debian.org; Thu, 14 Jul 2005 12:00:49 +0300
Date: Thu, 14 Jul 2005 12:00:49 +0300
From: Andreas Metzler <ametzler@downhill.at.eu.org>
To: 318039-done@bugs.debian.org
Subject: Re: Bug#318039: Needs to run as root with X
Message-ID: <20050714090049.GB5123@localhost.localdomain>
References: <20050713101532.321097ec.andrewb@ab.bgc.com.au> <20050714063117.GA5123@localhost.localdomain> <20050714153233.54902a46.andrewb@ab.bgc.com.au>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20050714153233.54902a46.andrewb@ab.bgc.com.au>
X-GPG-Fingerprint: BCF7 1345 BE42 B5B8 1A57  EE09 1D33 9C65 8B8D 7663
User-Agent: Mutt/1.5.9i
X-TKK-Virus-Scanned: by amavisd-new-2.1.2-hutcc at katosiko.hut.fi
Delivered-To: 318039-done@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 

On 2005-07-14 Andrew Buckeridge <andrewb@ab.bgc.com.au> wrote:
> On Thu, 14 Jul 2005 09:31:17 +0300
> Andreas Metzler <ametzler@downhill.at.eu.org> wrote:
[...]
>> group adm is specifically designated for owning logfiles. By adding a
>> user to this group you generally give him/her (readonly) access to this
>> information.

>> exim4 implements this convention.
 
> Yes, my mistake.  Should be closed.
 
> As user xxx is now in both groups it now works for xxx.
[...]

Thanks for the confirmation. Closing.
           cu andreas