Bug#871688: exim4-base: using su in cronjob invokes a full pam-session. use runuser instead

Andreas Metzler ametzler at bebt.de
Fri Aug 11 12:58:36 UTC 2017


On 2017-08-10 Jakobus Schürz <wertstoffe at nurfuerspam.de> wrote:
> Package: exim4-base
> Version: 4.89-2+deb9u1
> Severity: normal

> Dear Maintainer,

> I have some systemd --user services from other packages.
> The units are located in /etc/systemd/user/ or /usr/lib/systemd/user/
> and enabled on installing.

> When a daemon uses su or sudo on debian, it starts a service
> user@$UID.service which is a systemd-daemon for the user-session. These
> sessions are normally not started for Daemons with UID below 1000
> (except Debian-gdm).

> I asked on the systemd-mailinglist what's the problem, because sometimes
> exim starts a user-session (and with this the user-services which are
> thought for login-users with UID greater-equal 1000).
> They told me, there must be the use of su or sudo in some scripts from
> the daemon.
> I looked around and found that su is used in
> /etc/cron.daily/exim4-base

> You find my changes below to use runuser instead of su, which solves the
> problems coming from the su-command.
[...]
> if [ -x /usr/sbin/exim_tidydb ]; then
>   cd $SPOOLDIR/db || exit 1
>   if ! find $SPOOLDIR/db -maxdepth 1 -name '*.lockfile' -or -name 'log.*' \
>     -or -type f -printf '%f\0' | \
>       xargs -0r -n 1 \
>       start-stop-daemon --start --exec /usr/sbin/exim_tidydb \
>       --chuid Debian-exim:Debian-exim -- $SPOOLDIR > /dev/null; then
>     # if we reach this, invoking exim_tidydb from start-stop-daemon has
>     # failed, most probably because of libpam-tmpdir being in use
>     # (see #373786 and #376165)
>     find $SPOOLDIR/db -maxdepth 1 -name '*.lockfile' -or -name 'log.*' \
>     -or -type f -printf '%f\0' | \
>     runuser --shell=/bin/bash \
>          Debian-exim \
>          --session-command="xargs -0r -n 1 /usr/sbin/exim_tidydb $SPOOLDIR > /dev/null"
>   fi
> fi

Hello,

for reference:
It seems something is needed that
a) uses PAM (because otherwise start-stop-daemon would have been enough)
b) but does not invoke pam_systemd.

That is true for /etc/pam.d/runuser (but not for /etc/pam.d/runuser-l,
invoked by "runuser --login" or "runuser -").

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
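The distinction Andreas draws (a PAM stack that is used, but that does not reach pam_systemd.so) is something an administrator can check before picking su, sudo or runuser for a cron job. The script below is an added example, not part of the bug report, the reply, or exim4's own scripts: the function pam_uses_systemd (a name chosen here) reads a service file from a pam.d directory, follows "@include", "include" and "substack" lines the way PAM does, and reports the first line that loads pam_systemd.so. The service files it inspects are constructed samples written to a temporary directory by build_sample_pamd (also a name chosen here), modelled only on the layout the thread describes (su pulling in common-session, runuser not, runuser-l pulling it in); the real contents of /etc/pam.d differ between distributions and releases, so run it against the live directory by passing /etc/pam.d as the second argument.

```sh
#!/bin/sh
# Added example: does a PAM service stack load pam_systemd.so?
# pam_systemd registers a logind session, which is what starts
# user@$UID.service for the target user; a cron job should use a
# service whose stack never reaches it.

pam_uses_systemd() {
    # $1 = PAM service name, $2 = pam.d directory, $3 = recursion depth
    [ "${3:-0}" -lt 8 ] || return 1          # guard against include loops
    [ -r "$2/$1" ] || return 1               # unreadable/missing file: no hit
    # Each line is "type control module [args]" or "@include file";
    # redirecting the file into the loop keeps it in the current shell,
    # so "return" works from inside it.
    while read -r type ctrl module _args; do
        case $type in
            ''|'#'*) continue ;;             # blank line or comment
            '@include')                      # Debian-style include
                pam_uses_systemd "$ctrl" "$2" $(( ${3:-0} + 1 )) && return 0
                continue ;;
        esac
        case $ctrl in
            include|substack)                # Linux-PAM control includes
                pam_uses_systemd "$module" "$2" $(( ${3:-0} + 1 )) && return 0
                continue ;;
        esac
        case $module in
            pam_systemd.so|*/pam_systemd.so)
                echo "$2/$1: $type $ctrl $module"
                return 0 ;;
        esac
    done < "$2/$1"
    return 1
}

build_sample_pamd() {
    # Constructed miniature of a pam.d directory for the demonstration;
    # these files are NOT copied from any real system.
    d=$(mktemp -d) || return 1
    cat > "$d/common-session" <<'EOF'
# constructed sample: session stack shared by login-type services
session required  pam_unix.so
session optional  pam_systemd.so
EOF
    cat > "$d/su" <<'EOF'
auth    sufficient pam_rootok.so
@include common-session
EOF
    cat > "$d/runuser" <<'EOF'
auth    sufficient pam_rootok.so
session required   pam_limits.so
session required   pam_unix.so
EOF
    cat > "$d/runuser-l" <<'EOF'
auth    include    runuser
session include    runuser
@include common-session
EOF
    echo "$d"
}

# Stand-alone demo over the constructed directory.
d=$(build_sample_pamd)
for svc in su runuser runuser-l; do
    if pam_uses_systemd "$svc" "$d"; then
        echo "$svc: reaches pam_systemd.so (would start user@UID.service)"
    else
        echo "$svc: no pam_systemd.so in its stack"
    fi
done
rm -rf "$d"
```

On a live system, `pam_uses_systemd runuser /etc/pam.d` and `pam_uses_systemd su /etc/pam.d` show directly whether the service a script invokes will register a logind session; the depth guard and the readable-file check keep the walk bounded when stacks include each other or reference files that are absent.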