Improve get-token reliability

On modern systems, there are issues with get-token calling itself when
invoked as root. Update routers to normalize where get-token is called
so that it is always called after seteuid() in the delivery process.

This is still not ideal: exim has to run without a PAG, and there's no
guarantee the directory / environment options will be run after
changing to the delivery user in the future.

Add `check_owner = false' to appendfile routers. We have patched exim
to support delivery into afs because it is overly paranoid about
chown() failures. Patch uses check_owner flag to allow chown() failure
since exim will ignore the owner in other cases anyway when it is
enabled.

Move tokens stashes to /var/local/mail-tokens rather than storing in
/tmp.

Leave some extra debugging in get-token for now.

diff --git a/conf.d/transport/30_exim4-config_maildir_home b/conf.d/transport/30_exim4-config_maildir_home
index 594cc0e..318f983 100644 (file)
--- a/conf.d/transport/30_exim4-config_maildir_home
+++ b/conf.d/transport/30_exim4-config_maildir_home
@@ -47,3 +47,4 @@ maildir_home:
   current_directory = /
   # hcoop-change: Try 20 times rather than 10 before deferring.
   maildir_retries = 20
+  check_owner = false
\ No newline at end of file

diff --git a/conf.d/transport/35_exim4-config_address_directory b/conf.d/transport/35_exim4-config_address_directory
index 47d8962..d976f4b 100644 (file)
--- a/conf.d/transport/35_exim4-config_address_directory
+++ b/conf.d/transport/35_exim4-config_address_directory
@@ -2,16 +2,21 @@
 # or .forward files if the path ends in "/", which causes it to be treated
 # as a directory name rather than a file name.
 
-# hcoop-change: Add bogus group line to make sure get-token gets executed
+# hcoop-change: Add bogus group line to make sure get-token gets
+# executed and ignore owner
 
 address_directory:
   debug_print = "T: address_directory for $local_part@$domain"
   driver = appendfile
-  group = mail${run{/etc/exim4/get-token ${local_part}}{}}
+  directory = ${address_file}${run{/etc/exim4/get-token ${local_part}}{}}
+#  group = mail${run{/etc/exim4/get-token ${local_part}}{}}
   delivery_date_add
   envelope_to_add
   return_path_add
   check_string = ""
   escape_string = ""
+  check_owner = false
   maildir_format
-
+  current_directory = /
+  maildir_retries = 20
+  mode_fail_narrower = false
\ No newline at end of file

diff --git a/conf.d/transport/40_exim4-config_virtual_delivery b/conf.d/transport/40_exim4-config_virtual_delivery
index d18a328..5bda73b 100644 (file)
--- a/conf.d/transport/40_exim4-config_virtual_delivery
+++ b/conf.d/transport/40_exim4-config_virtual_delivery
@@ -9,6 +9,7 @@ virtual_delivery:
   group = nogroup
   mode = 0600
   mode_fail_narrower = false
+  check_owner = false
   envelope_to_add
   return_path_add
   directory = ${extract{mail}{$address_data}}${run{/etc/exim4/get-token \

diff --git a/get-token b/get-token
index b7b5e02..e6cd16c 100755 (executable)
--- a/get-token
+++ b/get-token
@@ -13,7 +13,10 @@
 
 REALUSER=$(whoami)
 USER=$1
-LOGFILE=/tmp/exim4/weird-error.log
+LOGFILE=/var/local/mail-tokens/weird-error.log
+
+echo "`date` $REALUSER $USER (`groups`): $@" >> $LOGFILE
+#ps -eo euser,ruser,suser,fuser,comm,pid --ppid=$PPID --pid=$PPID --forest >> $LOGFILE
 
 if test "$REALUSER" = "root"; then
     if test "$2" = "norecurse"; then
@@ -36,11 +39,11 @@ fi
 
 # Make sure USER exists, and resolve UIDs to a login name
 USER=$(getent passwd "$USER" | cut -d':' -f 1)
-LOGFILE=/tmp/exim4/get-token-log.$USER
+LOGFILE=/var/local/mail-tokens/get-token-log.$USER
 
 if test -z "$USER"; then
     echo "$USER is not a local user, so ignoring them" \
-        >> /tmp/exim4/weird-error.log
+        >> /var/local/mail-tokens/weird-error.log
     exit 1
 fi
 
@@ -59,19 +62,26 @@ if test "$2" = "debug"; then
     echo "Debugging output: $*"
 fi
 
+date
+groups
+
 # set the credentials cache
-export KRB5CCNAME=FILE:/tmp/exim4/krb5cc_$USER.email
+export KRB5CCNAME=FILE:/var/local/mail-tokens/krb5cc_$USER.email
 
 # eliminate any previous tokens
-kdestroy
-unlog
+#kdestroy
+#unlog
 KEYTAB=/etc/keytabs/user.daemon/$USER
 
 # display command-to-be-invoked as a sanity check
-echo kinit -kt $KEYTAB $USER/daemon@HCOOP.NET
+set -x
 
-kinit -kt $KEYTAB $USER/daemon@HCOOP.NET
-aklog
+(
+flock -s 666
+krenew -vtH 30 || kinit -V -kt $KEYTAB $USER/daemon@HCOOP.NET
+#aklog
 
 # list tokens, for the sake of debugging
-#tokens
+tokens
+
+) 666>/var/local/mail-tokens/lock.$USER