Bug#871688: exim4-base: using su in cronjob invokes a full pam-session. use runuser instead
Jakob Schürz
wertstoffe at nurfuerspam.de
Sun Aug 13 20:20:10 UTC 2017
On 2017-08-11 at 14:58, Andreas Metzler wrote:
> On 2017-08-10 Jakobus Schürz <wertstoffe at nurfuerspam.de> wrote:
>> Package: exim4-base
>> Version: 4.89-2+deb9u1
>> Severity: normal
>
>> Dear Maintainer,
>
>> I have some systemd --user services from other packages.
>> The units are located in /etc/systemd/user/ or /usr/lib/systemd/user/
>> and enabled on installing.
>
>> When a daemon uses su or sudo on Debian, it starts a service
>> user@$UID.service, which is a systemd daemon for the user session. These
>> sessions are normally not started for daemons with UID below 1000
>> (except Debian-gdm).
>
>> I asked on the systemd mailing list what the problem is, because sometimes
>> exim starts a user session (and with it the user services which are
>> meant for login users with UID greater than or equal to 1000).
>> They told me there must be a use of su or sudo in some scripts from
>> the daemon.
>> I looked around and found that su is used in
>> /etc/cron.daily/exim4-base
>
>> You find my changes below to use runuser instead of su, which solves the
>> problems coming from the su-command.
> [...]
>> if [ -x /usr/sbin/exim_tidydb ]; then
>>     cd $SPOOLDIR/db || exit 1
>>     if ! find $SPOOLDIR/db -maxdepth 1 -name '*.lockfile' -or -name 'log.*' \
>>             -or -type f -printf '%f\0' | \
>>         xargs -0r -n 1 \
>>             start-stop-daemon --start --exec /usr/sbin/exim_tidydb \
>>             --chuid Debian-exim:Debian-exim -- $SPOOLDIR > /dev/null; then
>>         # if we reach this, invoking exim_tidydb from start-stop-daemon has
>>         # failed, most probably because of libpam-tmpdir being in use
>>         # (see #373786 and #376165)
>>         find $SPOOLDIR/db -maxdepth 1 -name '*.lockfile' -or -name 'log.*' \
>>                 -or -type f -printf '%f\0' | \
>>             runuser --shell=/bin/bash \
>>                 Debian-exim \
>>                 --session-command="xargs -0r -n 1 /usr/sbin/exim_tidydb $SPOOLDIR > /dev/null"
>>     fi
>> fi
>
> Hello,
>
> for reference:
> It seems something is needed that
> a) uses PAM (because otherwise start-stop-daemon would have been enough)
> b) but does not invoke pam_systemd.
>
> That is true for /etc/pam.d/runuser (but not for /etc/pam.d/runuser-l,
> invoked by "runuser --login" or "runuser -")
OK. But what is this "something" which needs a PAM session to run tidydb?
I can see that "runuser --login", "runuser -" or "runuser -l" also invokes
pam_systemd and starts the user services, which I don't want.
I changed the lines a little bit:
find $SPOOLDIR/db -maxdepth 1 -name '*.lockfile' -or -name 'log.*' \
        -or -type f -printf '%f\0' | \
    runuser --shell=/bin/bash \
        --command="xargs -0r -n 1 /usr/sbin/exim_tidydb $SPOOLDIR > /dev/null" \
        Debian-exim
I tried this manually, and it works. The cron job did not fail anymore,
and the db got tidied.
bye jakob
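Added example, not part of the bug report or of the exim4-base package: it isolates the two pieces of the cron job discussed in this thread so they can be checked outside a real mail server. `list_db_files` reuses the thread's find expression on a constructed spool directory to show which files are handed to exim_tidydb (the `-printf` action is attached only to the last `-or` branch, so `*.lockfile` and `log.*` match but are not printed, which is what excludes them). `tidy_as_exim` wraps the non-login `runuser --command` form from the reply above, which goes through /etc/pam.d/runuser rather than /etc/pam.d/runuser-l and so does not trigger pam_systemd; it needs root and a Debian-exim user, so it is not exercised by the demo. The spool path default and the file names in the demo are assumptions.

```shell
#!/bin/sh
# Added example; the paths and sample file names below are constructed.

# Print, NUL-separated, the hint-database file names exim_tidydb should
# process, skipping '*.lockfile' and 'log.*' (same expression as the cron job).
list_db_files() {
    find "$1" -maxdepth 1 -name '*.lockfile' -or -name 'log.*' \
        -or -type f -printf '%f\0'
}

# Build a throwaway spool db directory with constructed file names and return
# the selected names, sorted and space-joined, so the selection can be checked.
demo_selection() {
    tmp=$(mktemp -d)
    : > "$tmp/retry"
    : > "$tmp/wait-remote_smtp"
    : > "$tmp/retry.lockfile"        # must be skipped
    : > "$tmp/log.0000000001"        # must be skipped
    result=$(list_db_files "$tmp" | tr '\0' '\n' | sort | tr '\n' ' ')
    rm -rf "$tmp"
    printf '%s' "${result% }"
}

# Run exim_tidydb over the selected files as Debian-exim without opening a
# login session: plain 'runuser' uses /etc/pam.d/runuser (no pam_systemd),
# whereas 'runuser -l' / 'runuser --login' uses /etc/pam.d/runuser-l.
# Requires root; the spool directory default is an assumption.
tidy_as_exim() {
    spooldir=${1:-/var/spool/exim4}
    list_db_files "$spooldir/db" | runuser --shell=/bin/bash \
        --command="xargs -0r -n 1 /usr/sbin/exim_tidydb $spooldir > /dev/null" \
        Debian-exim
}
```

Running `demo_selection` on a Linux host with GNU find yields `retry wait-remote_smtp`; a quick way to confirm that no user session is created by `tidy_as_exim` is to watch for a `user@<uid>.service` unit appearing while it runs.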