[Pkg-exim4-users] pipe aliases and permissions

Marc Haber mh+pkg-exim4-users at zugschlus.de
Sat Dec 10 10:32:32 UTC 2005


On Fri, Dec 09, 2005 at 03:21:51PM -0500, Faheem Mitha wrote:
> I did a search in gmane for exim mailing lists. It was a nice surprise to 
> find a Debian-specific one.

It is also prominently mentioned in the Debian package.

> I've been trying to configure the email gateway for roundup 
> (http://roundup.sourceforge.net).
> 
> In the section on configuring an email interface,
> 
> http://roundup.sourceforge.net/doc-0.8/installation.html#configure-an-email-interface
> 
> there are instructions about setting up a mail alias pipe process.
> 
> However, this does not work out of the box, at least on Debian's exim, 
> since the pipe transport is unset,

That is documented in the configuration file right next to the
system_aliases router, and it is also mentioned in the README.

> and also there is a permissions issue, 
> as described at
> 
> http://www.exim.org/exim-html-4.50/doc/html/FAQ.html#TOC198

That's not a permissions issue. You just need to tell exim which user
to run as when invoking the pipe.

> I'm not completely sure what actually happens here. Apparently Exim runs 
> as different users depending on what it is doing, and in the case it is 
> piped to a process you have to tell it because it doesn't know what user 
> it should run as, or something?

Yes, right.

> However, surely it must be running under some default permissions in that 
> case? What are those?

It runs as the user Debian-exim, which has write access to the mail
logs, and to the mail spool. I hope that it is clear that running user
processes with this set of privileges is almost as bad an idea as
root is.

> Anyway, in the case of roundup the pipe looks like
> 
> newtracker: "|/usr/bin/python /usr/bin/roundup-mailgw 
> /var/lib/roundup/trackers/newtracker/"
> 
> This needs to write to a directory 
> (/var/lib/roundup/trackers/newtracker/db), which I've set the gid bit on, 
> and also set it to be owned by the group roundup. I added Debian-exim to 
> the 'roundup' group.

Exim does not assume the privileges of any additional groups that the
Exim user might be in for local deliveries. This is discussed in
spec.txt, chapter 23. But that's irrelevant here since you set a group
on the router.

> So, if exim was to write to the directory with owner:group 
> Debian-exim:roundup, it would be OK, but I was getting permission errors. 

Because it was trying to write as Debian-exim:Debian-exim, as watching
a delivery process with -d clearly shows:
changed uid/gid: local delivery to |/tmp/mailpipe <|/tmp/mailpipe> transport=address_pipe
  uid=105 gid=105 pid=5378
  auxiliary group list: <none>
  home=NULL current=/
      
> Funnily enough, when I set that directory (db) to be writable by anyone, 
> the owner:group that I saw for the file created by Exim were in fact 
> Debian-exim:roundup.

That is the result of the gid bit on the directory.

> Can anyone explain to me what is going on here?

See any explanation of UNIX file mode semantics.

> Anyway, I'm using the monolithic config file for exim4, 
> /etc/exim4/exim4.conf.template, and added the following lines at the 
> beginning to fix this.
> 
> SYSTEM_ALIASES_PIPE_TRANSPORT = address_pipe
> SYSTEM_ALIASES_USER = Debian-exim
> SYSTEM_ALIASES_GROUP = roundup
> 
> The section that uses these variables is the exim4-config_system_aliases 
> section.

Setting the group on the transfer seems to work on my system. Now we
need to find out why it doesn't work when setting the group on the
router. I'm going to ask exim-users about this.

> However, my immediate question is whether this will break anything. I have 
> an /etc/aliases as per usual on Debian, but have not done anything to it 
> except the Roundup line quoted above.

All pipe deliveries are done with group roundup, which I consider
inelegant. And it might be a surprise for your successors when they
take over the system from you.

> Apparently the Debian Exim maintainers consider pipe transports for 
> aliases deprecated, and prefer a dedicated router/transport instead. 
> However, at the moment I've no idea how to do this.

Did you take a look at /usr/share/doc/mailman/README.EXIM on a system
with mailman installed as suggested in exim's README?

The following should be a start:

  # Router: accepts mail for the tracker's local part and hands it to
  # the dedicated pipe transport below.
  roundup_router:
    driver = accept
    require_files = /usr/bin/roundup-mailgw
    local_parts = newtracker
    transport = roundup_transport

  # Transport: runs the mail gateway as the user/group given here,
  # independent of the system_aliases settings. Fill in the blanks
  # with the account that owns the tracker directory.
  roundup_transport:
    driver = pipe
    command = /usr/bin/python /usr/bin/roundup-mailgw /var/lib/roundup/trackers/newtracker/
    current_directory = 
    home_directory = 
    user = 
    group = 

This can possibly be gold-plated by having the router or transport
look in the roundup config to see whether a local_part should be
handled by roundup.

> BTW, has anyone read The Exim SMTP Mail Server Official Guide for Release 
> 4 (http://www.uit.co.uk/exim-book/)? If so, what did you think of it?

It is an excellent book, straight from "the horse's mouth", and much
better as a tutorial than the spec.txt file, which is more a reference
than a tutorial.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835
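As an added example (not part of Marc's message, the Debian package or the roundup docs), here is the dedicated router/transport pair from the reply with the blanks filled in along least-privilege lines: the pipe runs as a dedicated account instead of Debian-exim, so the gateway never holds write access to Exim's spool and logs, and no global SYSTEM_ALIASES_GROUP is needed. The `roundup` user and group, the `+local_domains` domainlist (defined in the Debian template) and every option value beyond the command line already quoted in the thread are my assumptions.

```conf
# Router: catches mail for the tracker's local part on a local domain
# and hands it to the pipe transport below. Place it before the
# system_aliases router so it wins over any /etc/aliases entry.
roundup_router:
  debug_print = "R: roundup_router for $local_part@$domain"
  driver = accept
  domains = +local_domains
  local_parts = newtracker
  require_files = /usr/bin/roundup-mailgw
  transport = roundup_transport

# Transport: runs the gateway under a dedicated, unprivileged account.
# Assumption: a system user "roundup" (group "roundup") exists and owns
# /var/lib/roundup/trackers/newtracker, so no setgid directory and no
# extra group membership for Debian-exim are required.
roundup_transport:
  driver = pipe
  command = /usr/bin/python /usr/bin/roundup-mailgw /var/lib/roundup/trackers/newtracker/
  user = roundup
  group = roundup
  current_directory = /var/lib/roundup/trackers/newtracker
  home_directory = /var/lib/roundup/trackers/newtracker
  umask = 022
  timeout = 5m
  # Bounce the message with the gateway's diagnostics if it exits non-zero,
  # rather than silently dropping it.
  return_fail_output = true
  return_path_add
  delivery_date_add
  envelope_to_add
```

With the monolithic configuration the router goes under "begin routers" ahead of the system_aliases router and the transport under "begin transports"; with the Debian split configuration, put the router in a conf.d/router/ file that sorts before 400_exim4-config_system_aliases (for example 350_roundup_router, a name I chose) and the transport in conf.d/transport/. Check the routing with `exim4 -bt newtracker@localhost`, which should name roundup_router and roundup_transport; a delivery run with `-d`, as in the quote above, should then show the uid/gid switch to the roundup account rather than to Debian-exim.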