Bug#871688: exim4-base: using su in cronjob invokes a full pam-session. use runuser instead

Jakob Schürz wertstoffe at nurfuerspam.de
Sun Aug 13 20:20:39 UTC 2017

On 2017-08-13 at 13:53, Andreas Metzler wrote:
> On 2017-08-13 Jakob Schürz <wertstoffe at nurfuerspam.de> wrote:
>> On 2017-08-11 at 14:58, Andreas Metzler wrote:
>>> On 2017-08-10 Jakobus Schürz <wertstoffe at nurfuerspam.de> wrote:
> [...]
>>>>     # if we reach this, invoking exim_tidydb from start-stop-daemon has
>>>>     # failed, most probably because of libpam-tmpdir being in use
>>>>     # (see #373786 and #376165)
> [...] 
>>> for reference:
>>> It seems something is needed that
>>> a) uses PAM (because otherwise start-stop-daemon would have been enough)
>>> b) but does not invoke pam_systemd.
>>> That is true for /etc/pam.d/runuser (but not for /etc/pam.d/runuser-l,
>>> invoked by "runuser --login" or "runuser -")
>> ok. But what is this "something", which needs a pam-session to run tidydb?
> See the comment in the file as quoted above. exim_tidydb needs a writeable
> tmp-dir. If libpam-tmpdir is in use exim4-base.cron.daily's tmp-dir is
> only writeable by root. So we need a "run as other user"-command that
> re-uses libpam-tmpdir to set up a tmp-dir which is writeable by exim.
>> I can see, "runuser --login" or "runuser -" or "runuser -l" also invokes
>> pam_systemd and starts the user-services, which I don't want.
>> I changed the lines a little bit:
>> find $SPOOLDIR/db -maxdepth 1 -name '*.lockfile' -or -name 'log.*' \
>>  -or -type f -printf '%f\0' | \
>>  runuser --shell=/bin/bash \
>>       --command="xargs -0r -n 1 /usr/sbin/exim_tidydb $SPOOLDIR > /dev/null" \
>>       Debian-exim
> So --command instead of --session-command also works. That is great,
> since --session-command is marked as "discouraged" in the runuser
> manpage. I will change this in GIT.

Sounds good! ;)

When do you think this will reach the goal of being in a Debian package in
the repo? (Currently I'm using stable, so the update will be in testing?)

This bug can be closed then.

Thank you!!
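
The distinction this thread turns on (the PAM service used by plain runuser does not invoke pam_systemd, while the one used by "runuser --login" does) can be checked by walking a service's session stack. The script below is an added example, not part of the original message or of the exim4 packaging; the pam.d contents are constructed samples and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. The pam.d files are constructed samples; names are hypothetical.
# Prints the session modules a PAM service loads, following "@include NAME"
# and "session include|substack NAME". Usage: pam_session_modules DIR SERVICE
pam_session_modules() {
    awk -v dir="$1" -v svc="$2" '
    function walk(name,    file, line, n, f, type, m) {
        if (name in seen) return                 # guard against include loops
        seen[name] = 1
        file = dir "/" name
        while ((getline line < file) > 0) {
            sub(/#.*/, "", line)                 # drop comments
            sub(/\[[^]]*\]/, "bracketed", line)  # [a=b c=d] control is one field
            n = split(line, f)
            if (n == 0) continue
            if (f[1] == "@include") { walk(f[2]); continue }
            type = f[1]; sub(/^-/, "", type)     # "-session" still runs the module
            if (type != "session") continue
            if (f[2] == "include" || f[2] == "substack") { walk(f[3]); continue }
            m = f[3]; sub(/^.*\//, "", m); print m
        }
        close(file)
    }
    BEGIN { walk(svc) }'
}

# Succeeds when the service session stack pulls in pam_systemd.so.
pam_loads_systemd() { pam_session_modules "$1" "$2" | grep -qx 'pam_systemd\.so'; }

make_sample_pamd() {   # builds constructed sample files, prints the directory
    d=$(mktemp -d) || return 1
    printf '%s\n' 'session [success=1 default=ignore] pam_permit.so' \
        'session required pam_unix.so' \
        'session optional pam_systemd.so' > "$d/common-session"
    printf '%s\n' 'auth sufficient pam_rootok.so' \
        'session required pam_env.so readenv=1' '@include common-session' > "$d/su"
    printf '%s\n' '#%PAM-1.0' 'auth sufficient pam_rootok.so' \
        'session optional pam_keyinit.so revoke' \
        'session required pam_limits.so' 'session required pam_unix.so' > "$d/runuser"
    printf '%s\n' 'auth include runuser' '-session optional pam_systemd.so' \
        'session include runuser' > "$d/runuser-l"
    echo "$d"
}

sample=$(make_sample_pamd)
for svc in su runuser runuser-l; do
    if pam_loads_systemd "$sample" "$svc"; then verdict="loads pam_systemd"
    else verdict="no pam_systemd"; fi
    echo "$svc: $verdict"
done
rm -rf "$sample"
```

Pass /etc/pam.d as the first argument to run the same check against the services installed on a real host.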

