dovecot-lda core-dumps when antispam pipe script calls it

Ben Johnson ben at indietorrent.org
Tue Aug 23 18:20:04 UTC 2016


On 2016-08-22 03:19, Steffen Kaiser wrote:
> On Fri, 19 Aug 2016, ben at indietorrent.org wrote:
>> On 2016-08-19 12:17, ben at indietorrent.org wrote:
>>> Aha! Clearly, the vmail user cannot read from nor write to /tmp. (Why
>>> that is, I have no idea, as the /tmp directory's permissions 
>>> certainly

Thank you very much for taking the time to investigate my use-case and 
help me work through this, Steffen. I really appreciate it.

> 
> Do you have SELinux active?
> See almost at the end of
> http://wiki2.dovecot.org/WhyDoesItNotWork?highlight=%28selinux%29
> 

No.

# apparmor_status
The program 'apparmor_status' is currently not installed. You can 
install it by typing:
apt install apparmor

# sestatus
The program 'sestatus' is currently not installed. You can install it by 
typing:
apt install policycoreutils

>>> allow for both; maybe Dovecot implements this as a security measure.)
> 
> No. Dovecot does not implement anything like that.
> Do you chroot ?
> 

No. Certainly not intentionally, anyway.

>> The strace output that I'm capturing in the pipe script pinpointed the 
>> problem:
>> 
>> open("/root/~/tmp/sendmail-msg-26272.txt", O_RDONLY) = -1 EACCES 
>> (Permission denied)
> 
> Er, '/root/~/tmp/' ??
> 

I know. It's weird. Presumably, Bash is responsible for this "unusual" 
expansion. The raw script source has ~/tmp, so why would Bash prepend it 
with "/root/", especially when the script is executed as the "vmail" 
user? Perhaps it's academic at this point, because I've changed all 
paths to be absolute and they are now resolved correctly.

> 
> First: check the SELinux thing.
> Second: Do you run in a chrooted environment?
> Third: Enclose all your script with logging, e.g.:
> 
> #!/bin/bash
> (
> date
> echo "$@"
> id
> id -a
> echo environment
> env
> set
> # check for chroot
> echo stat /
> stat /
> echo /proc/1/mountinfo
> awk '$5=="/" {print}' </proc/1/mountinfo
> echo /proc/$$/mountinfo
> awk '$5=="/" {print}' </proc/$$/mountinfo
> # enable bash tracing
> set -vx
> 
> ... # old script
> ) >> /var/tmp/antispam.$$.log 2>&1
> 
> Make sure /var/tmp/antispam.$$.log is writeable, maybe create a new
> directory with owner vmail.
> Make sure you have 2>&1 at the end. Your log misses all the error 
> messages.
> Also, you will now have a log file for each run of the script.
> 
> To check for chroot:
> stat / should print inode 2, but any mountpoint has inode 2.
> /proc/$$/mountinfo displays the physical information of a mount, if
> both differ, the current process is chrooted. "1" should be the init
> process.
> 
> In your script:
> 
> for opt; do
>         if [[ "$*" =~ .*ham.* ]]
> 
> This makes no sense, either use for loop and test "$opt" here, or do
> not use for, but use "$*"; .*ham.* should be quoted anyway.

Nice catch. I am by no means a Bash wizard, and I cobbled this together 
3-4 years ago. I have no idea what I was thinking at the time.

I removed the "for" loop, leaving only the regex check, and it seems to 
work as intended. (FWIW, if I add quotes around the test expression, 
e.g., ".*ham.*", a match is never found and the check fails.)

> cat<&0 >> /tmp/sendmail-msg-$$.txt
> Well, if for any reason this file exists, ..
> cat - >/tmp/sendmail-msg-$$.txt
> 
> 
> /usr/lib/dovecot/deliver -d "sa-training at example.com" -m 
> "Training.$mode"
> You've already scraped the message from stdin into a file, so add:
> < /tmp/sendmail-msg-$$.txt

Yes, but I uncomment that line only for debugging purposes. Normally, I 
do not take the interim step of saving the message contents to disk, in 
which case I want dovecot-lda to read from stdin.

> About the '-p' switch present in the strace-variant:
> Please scan the mailing list for the status of it, IMHO, there had
> been lots of trouble in certain cases.
> 
> The strace variant should use -oLogfile.strace.$$.log in order to
> separate the output of the command and strace logging.
> 
> - -- Steffen Kaiser

Good to know; I have made that adjustment, too.

Bash issues aside, I've taken a step back and attempted to make the 
reproducible test-case as simple as possible, whittling down the script 
to only the following, and dovecot-lda still segfaults:

http://pastebin.com/zXzBDcvG

I've added a couple of things to Dovecot's configuration, but they don't 
make any difference:

# Required for "vmail" user to be able to call dovecot-lda/deliver.
# See: http://wiki.dovecot.org/LDA ("Logging" section)
service config {
   unix_listener config {
     mode = 0600
     user = vmail
     group = vmail
   }
}

protocol lda {
   # Enable logging for dovecot-lda.
   info_log_path = /var/log/dovecot-lda.log
   log_path = /var/log/dovecot-lda-errors.log
   mail_plugins = sieve quota
}

Yet, nothing is logged to either of these files when the pipe script is 
called.

The permissions on these files look reasonable to me:

-rw-rw----   1 vmail  vmail              0 Aug 23 12:02 dovecot-lda-errors.log
-rw-rw----   1 vmail  vmail              0 Aug 23 12:01 dovecot-lda.log

Here is my current "doveconf -n" output:

http://pastebin.com/hCgpA009

At this point, this seems obvious, but the problem is definitely with 
using dovecot-lda to send the mail.

If I simply write the contents of the spam/ham message to disk in the 
pipe script, it works fine. But that approach feels "hackish" to me, as 
it doesn't account for sieve, quota, etc. And I want the delivery to be 
logged.

Again, this works fine:

# su vmail
$ /usr/lib/dovecot/deliver -d "sa-training at example.org" -m "Training.HAM" -p /var/vmail/gtube.txt

Here's the output from the logging that we added:

http://pastebin.com/rz2f4S4G

Does anything jump out?

Thanks again for all your help with this!

--Ben

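As an added example (not Ben's script and nothing from the dovecot project), here is the pipe-script pattern from this thread rebuilt around the points raised: one test of "$*" for the mode, an absolute and unpredictable spool path, the spooled message fed to deliver on stdin, and a per-run log with 2>&1. It is POSIX sh, so a case pattern stands in for the bash regex; DELIVER, TRAIN_USER, LOGDIR and the function names are assumptions.

```shell
#!/bin/sh
# Constructed example of the antispam pipe-script pattern from the thread;
# not Ben's script and not part of dovecot. Assumed: DELIVER, TRAIN_USER, LOGDIR.
DELIVER="${DELIVER:-/usr/lib/dovecot/deliver}"
TRAIN_USER="${TRAIN_USER:-sa-training@example.com}"
LOGDIR="${LOGDIR:-/var/tmp/antispam}"

# Print HAM or SPAM by testing the whole argument list ("$*") once, instead
# of the for-loop-plus-"$*" mix in the thread. A case pattern also avoids
# the bash [[ =~ ]] pitfall where a quoted ".*ham.*" matches only literally.
training_mode() {
    case "$*" in
        *ham*)  echo HAM ;;
        *spam*) echo SPAM ;;
        *)      return 1 ;;
    esac
}

# Copy the message from stdin to a private spool file and print its path.
# mktemp gives a 0600 file with an unpredictable name under an absolute
# directory, so no "~" can expand to /root/~/tmp and no pre-existing
# /tmp/sendmail-msg-$$.txt can be appended to or reused.
spool_message() {
    spool="$(mktemp "${TMPDIR:-/tmp}/antispam.XXXXXX")" || return 1
    if ! cat - >"$spool"; then rm -f "$spool"; return 1; fi
    printf '%s\n' "$spool"
}

# Classify, spool, then feed the spooled copy to the LDA on stdin with the
# -d/-m flags used in the thread. A failed delivery keeps the spool file so
# the exact message that crashed the LDA can be replayed by hand.
train_and_deliver() {
    mode="$(training_mode "$@")" || { echo "no ham/spam in: $*" >&2; return 2; }
    spool="$(spool_message)" || return 1
    "$DELIVER" -d "$TRAIN_USER" -m "Training.$mode" <"$spool"
    rc=$?
    if [ "$rc" -eq 0 ]; then rm -f "$spool"; return 0; fi
    echo "deliver exited $rc for mode=$mode; message kept at $spool" >&2
    return "$rc"
}

# Entry point when installed as the pipe command: everything, stderr
# included, goes to a per-run log as suggested in the thread; without the
# 2>&1 the LDA's own error text never reaches the log.
pipe_main() {
    mkdir -p "$LOGDIR" || return 1
    { date; id; train_and_deliver "$@"; } >>"$LOGDIR/antispam.$$.log" 2>&1
}
if [ -x "$DELIVER" ]; then pipe_main "$@"; fi
```

Pointing DELIVER at a stub function lets the script be exercised on a box without Dovecot.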
