dovecot-lda core-dumps when antispam pipe script calls it
Steffen Kaiser
skdovecot at smail.inf.fh-brs.de
Mon Aug 22 07:19:19 UTC 2016
On Fri, 19 Aug 2016, ben at indietorrent.org wrote:
> On 2016-08-19 12:17, ben at indietorrent.org wrote:
>> Aha! Clearly, the vmail user cannot read from nor write to /tmp. (Why
>> that is, I have no idea, as the /tmp directory's permissions certainly

Do you have SELinux active?
See almost at the end of
http://wiki2.dovecot.org/WhyDoesItNotWork?highlight=%28selinux%29

>> allow for both; maybe Dovecot implements this as a security measure.)

No. Dovecot does not implement anything like that.
Do you chroot?

>> This prompted me to change all references to /tmp in the pipe script
>> to ~/tmp, and create this directory:
>>
>> $ whoami
>> vmail
>> $ mkdir ~/tmp && chmod 770 ~/tmp
>> $ /bin/bash /usr/local/bin/sa-learn-pipe.sh --ham < /var/vmail/gtube.txt
>>
>> No errors this time (at least not on the console).
>>
>> But I do get this in /var/log/mail.err:
>>
>> Aug 19 12:04:24 example.com dovecot: lda(sa-training at example.com):
>> Fatal: Can't open delivery mail as raw: Permission denied
>>
>> I'm not sure how to interpret this message. Where is permission being
>> denied? More importantly, what's the fix?
>>
>> Thanks for any hints!
>>
>> -Ben
>
> Apologies for the rapid-fire replies here.
>
> The strace output that I'm capturing in the pipe script pinpointed the
> problem:
>
> open("/root/~/tmp/sendmail-msg-26272.txt", O_RDONLY) = -1 EACCES (Permission
> denied)

Er, '/root/~/tmp/' ??

> There seems to be some expansion occurring that assumes the root user,
> despite executing the pipe script as the vmail user, so I changed all
> references to ~/tmp in the pipe script to /var/vmail/tmp and permission is
> no longer denied.
>
> But, now dovecot-lda is core-dumping. Here is the strace output:
>
> http://pastebin.com/RrKmFhzC
>
> So, I'm back to where I was with this problem two years ago.
>
> At that time, I gave up, because I couldn't invest the time required to
> compile the latest versions of Dovecot and all plugins from scratch in an
> effort to prove that the bug exists in the latest source.
>
> "Dovecot always logs a detailed error message if something goes wrong. If it
> doesn't, it's considered a bug and will be fixed." -
> http://wiki2.dovecot.org/Logging
>
> I'm happy to help identify the root cause, but I need some guidance here.

First: check the SELinux thing.
Second: Do you run in a chrooted environment?
Third: Enclose all your script with logging, e.g.:

    #!/bin/bash
    (
        # when, with which arguments and as which user the script runs
        date
        echo "$@"
        id
        id -a
        # environment and shell variables seen by the script
        echo environment
        env
        set
        # check for chroot
        echo stat /
        stat /
        echo /proc/1/mountinfo
        awk '$5=="/" {print}' </proc/1/mountinfo
        echo /proc/$$/mountinfo
        awk '$5=="/" {print}' </proc/$$/mountinfo
        # enable bash tracing
        set -vx
        ... # old script
    ) >> /var/tmp/antispam.$$.log 2>&1

Make sure /var/tmp/antispam.$$.log is writeable, maybe create a new
directory with owner vmail.

Make sure you have 2>&1 at the end. Your log misses all the error
messages.

Also, you will now have a log file for each run of the script.

To check for chroot:

stat / should print inode 2, but any mountpoint has inode 2.
/proc/$$/mountinfo displays the physical information of a mount; if both
differ, the current process is chrooted. "1" should be the init process.

In your script:

    for opt; do
    if [[ "$*" =~ .*ham.* ]]

This makes no sense, either use for loop and test "$opt" here, or do not
use for, but use "$*"; .*ham.* should be quoted anyway.

    cat<&0 >> /tmp/sendmail-msg-$$.txt

Well, if for any reason this file exists, ..

    cat - >/tmp/sendmail-msg-$$.txt

    /usr/lib/dovecot/deliver -d "sa-training@example.com" -m "Training.$mode"

You've already scraped the message from stdin into a file, so add:

    < /tmp/sendmail-msg-$$.txt

About the '-p' switch present in the strace-variant:
Please scan the mailing list for the status of it, IMHO, there had been
lots of trouble in certain cases.

The strace variant should use -oLogfile.strace.$$.log in order to separate
the output of the command and strace logging.

--
Steffen Kaiser
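
The script remarks above (test each "$opt", do not append to a predictable /tmp file, feed the spooled file to deliver), combined into one variant of the pipe script. This is an added example and not part of the original post or the poster's script; the function names, the --spam option, the lowercase mode values and the SPOOL_DIR/DELIVER/RCPT overrides are assumptions.

```shell
#!/bin/sh
# Added example, not the poster's script. Paths, recipient and "Training.$mode"
# come from the thread; function names, --spam and the env overrides are assumed.
SPOOL_DIR="${SPOOL_DIR:-/var/vmail/tmp}"   # absolute path owned by vmail, no "~"
DELIVER="${DELIVER:-/usr/lib/dovecot/deliver}"
RCPT="${RCPT:-sa-training@example.com}"

# Print the training mode. Each option is compared exactly, so an argument
# that merely contains "ham" (which a .*ham.* match on "$*" accepts) is rejected.
parse_mode() {
    for opt in "$@"; do
        case "$opt" in
            --ham)  echo ham;  return 0 ;;
            --spam) echo spam; return 0 ;;
        esac
    done
    return 1
}

# Copy stdin into a new file and print its path. mktemp creates the file
# exclusively with mode 0600, so an existing or pre-planted path is never reused.
spool_message() {
    spool_file=$(mktemp "$1/sendmail-msg.XXXXXX") || return 1
    cat > "$spool_file" || { rm -f "$spool_file"; return 1; }
    printf '%s\n' "$spool_file"
}

main() {
    mode=$(parse_mode "$@") || { echo "usage: $0 --ham|--spam" >&2; return 64; }
    msg=$(spool_message "$SPOOL_DIR") || { echo "cannot spool in $SPOOL_DIR" >&2; return 73; }
    trap 'rm -f "$msg"' EXIT
    # stdin was consumed by spool_message, so deliver reads the spooled copy.
    "$DELIVER" -d "$RCPT" -m "Training.$mode" < "$msg"
}

# Run only when called with arguments, e.g. as the antispam pipe command.
if [ "$#" -gt 0 ]; then main "$@"; fi
```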