Bug#871688: exim4-base: using su in cronjob invokes a full pam-session. use runuser instead
Jakob Schürz
wertstoffe at nurfuerspam.de
Sun Aug 13 20:20:39 UTC 2017
On 2017-08-13 at 13:53, Andreas Metzler wrote:
> On 2017-08-13 Jakob Schürz <wertstoffe at nurfuerspam.de> wrote:
>> On 2017-08-11 at 14:58, Andreas Metzler wrote:
>>> On 2017-08-10 Jakobus Schürz <wertstoffe at nurfuerspam.de> wrote:
> [...]
>>>> # if we reach this, invoking exim_tidydb from start-stop-daemon has
>>>> # failed, most probably because of libpam-tmpdir being in use
>>>> # (see #373786 and #376165)
> [...]
>>> for reference:
>>> It seems something is needed that
>>> a) uses PAM (because otherwise start-stop-daemon would have been enough)
>>> b) but does not invoke pam_systemd.
>
>>> That is true for /etc/pam.d/runuser (but not for /etc/pam.d/runuser-l,
>>> invoked by "runuser --login" or "runuser -")
>
>> ok. But what is this "something", which needs a pam-session to run tidydb?
>
> See the comment in the file as quoted above. exim_tidydb needs a writeable
> tmp-dir. If libpam-tmpdir is in use exim4-base.cron.daily's tmp-dir is
> only writeable by root. So we need a "run as other user"-command that
> re-uses libpam-tmpdir to set up a tmp-dir which is writeable by exim.
>
>> I can see, "runuser --login" or "runuser -" or "runuser -l" also invokes
>> pam_systemd and starts the user-services, which I don't want.
>
>> I changed the lines a little bit:
>
>> find $SPOOLDIR/db -maxdepth 1 -name '*.lockfile' -or -name 'log.*' \
>> -or -type f -printf '%f\0' | \
>> runuser --shell=/bin/bash \
>> --command="xargs -0r -n 1 /usr/sbin/exim_tidydb $SPOOLDIR > /dev/null" \
>> Debian-exim
>
> So --command instead of --session-command also works. That is great,
> since --session-command is marked as "discouraged" in the runuser
> manpage. I will change this in GIT.
Sounds good! ;)
When do you think this will reach the goal of being in a Debian package in
the repo? (Currently I'm using stable, so the update will be in testing?)
This bug can be closed then.
Thank you!!
jakob
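
The requirement discussed in this thread (a run-as-user command that goes through PAM but does not load pam_systemd) can be checked per PAM service file. The following is an added example, not part of the original message or of the exim4 packaging; `pam_session_uses` and `make_sample_pamd` are hypothetical helper names, and the sample service files are constructed for the demonstration, not the files Debian ships.

```shell
#!/bin/bash
# Added example (not from the thread). Usage: pam_session_uses DIR SERVICE MODULE
# Exit 0 if SERVICE's PAM session stack loads MODULE, following "@include X"
# and "session include|substack X" references.
pam_session_uses() {
    local dir="$1" service="$2" module="$3" seen="${4:-}"
    local type control target rest
    [ -r "$dir/$service" ] || return 1
    case " $seen " in *" $service "*) return 1 ;; esac  # include-loop guard
    seen="$seen $service"
    while read -r type control target rest; do
        case $type in ''|'#'*) continue ;; esac
        if [ "$type" = "@include" ]; then
            pam_session_uses "$dir" "$control" "$module" "$seen" && return 0
            continue
        fi
        [ "${type#-}" = "session" ] || continue   # "-session" is still a session line
        case $control in
            include|substack)
                pam_session_uses "$dir" "$target" "$module" "$seen" && return 0 ;;
            *)
                case " $target $rest " in *" $module "*|*"/$module "*) return 0 ;; esac ;;
        esac
    done < "$dir/$service"
    return 1
}

# Constructed sample tree; these are NOT the files Debian ships.
make_sample_pamd() {
    local d
    d=$(mktemp -d) || return 1
    printf '%s\n' 'session optional pam_tmpdir.so' > "$d/common-tmp"
    printf '%s\n' '#%PAM-1.0' 'auth sufficient pam_rootok.so' \
        'session required pam_limits.so' '@include common-tmp' > "$d/runuser"
    printf '%s\n' '#%PAM-1.0' '-session optional pam_systemd.so' \
        'session include runuser' > "$d/runuser-l"
    echo "$d"
}

sample=$(make_sample_pamd)
for svc in runuser runuser-l; do
    for mod in pam_systemd.so pam_tmpdir.so; do
        if pam_session_uses "$sample" "$svc" "$mod"; then r=yes; else r=no; fi
        echo "$svc loads $mod in session stack: $r"
    done
done
rm -rf "$sample"
```

On a real system, pass `/etc/pam.d` as the directory and the service name the cron job's command uses (for example `runuser`, `runuser-l` or `su`).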