From: Clinton Ebadi
Date: Tue, 19 May 2015 06:21:26 +0000 (-0400)
Subject: Improve get-token reliability
X-Git-Url: https://git.hcoop.net/hcoop/config/exim.git/commitdiff_plain/ebec2a0b048ff83934b06f4324496b11173954a3
Improve get-token reliability
On modern systems, there are issues with get-token calling itself when invoked as root. Update routers to normalize where get-token is called so that it is always called after seteuid() in the delivery process. This is still not ideal: exim has to run without a PAG, and there's no guarantee the directory / environment options will be run after changing to the delivery user in the future. Add `check_owner = false' to appendfile routers. We have patched exim to support delivery into afs because it is overly paranoid about chown() failures. Patch uses check_owner flag to allow chown() failure since exim will ignore the owner in other cases anyway when it is enabled. Move tokens stashes to /var/local/mail-tokens rather than storing in /tmp. Leave some extra debugging in get-token for now.
---
diff --git a/conf.d/transport/30_exim4-config_maildir_home b/conf.d/transport/30_exim4-config_maildir_home
index 594cc0e..318f983 100644
--- a/conf.d/transport/30_exim4-config_maildir_home
+++ b/conf.d/transport/30_exim4-config_maildir_home
@@ -47,3 +47,4 @@ maildir_home:
   current_directory = /
 # hcoop-change: Try 20 times rather than 10 before deferring.
   maildir_retries = 20
+  check_owner = false
\ No newline at end of file
diff --git a/conf.d/transport/35_exim4-config_address_directory b/conf.d/transport/35_exim4-config_address_directory
index 47d8962..d976f4b 100644
--- a/conf.d/transport/35_exim4-config_address_directory
+++ b/conf.d/transport/35_exim4-config_address_directory
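Review bot: The added `check_owner = false` sits under a `# hcoop-change:` comment that explains only `maildir_retries`, so the config itself gives no reason for relaxing the owner check; as I read stock exim, this is the option that makes appendfile refuse a mailbox it does not own, so an auditor should be able to see the loosening is deliberate. The rationale from the commit message belongs in the file: `# hcoop-change: AFS ignores Unix ownership; our patched exim tolerates a failed chown() when check_owner is off.` The file also still ends without a trailing newline.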
@@ -2,16 +2,21 @@
 # or .forward files if the path ends in "/", which causes it to be treated
 # as a directory name rather than a file name.
-# hcoop-change: Add bogus group line to make sure get-token gets executed
+# hcoop-change: Add bogus group line to make sure get-token gets
+# executed and ignore owner
 address_directory:
   debug_print = "T: address_directory for $local_part@$domain"
   driver = appendfile
-  group = mail${run{/etc/exim4/get-token ${local_part}}{}}
+  directory = ${address_file}${run{/etc/exim4/get-token ${local_part}}{}}
+# group = mail${run{/etc/exim4/get-token ${local_part}}{}}
   delivery_date_add
   envelope_to_add
   return_path_add
   check_string = ""
   escape_string = ""
+  check_owner = false
   maildir_format
-
+  current_directory = /
+  maildir_retries = 20
+  mode_fail_narrower = false
\ No newline at end of file
diff --git a/conf.d/transport/40_exim4-config_virtual_delivery b/conf.d/transport/40_exim4-config_virtual_delivery
index d18a328..5bda73b 100644
--- a/conf.d/transport/40_exim4-config_virtual_delivery
+++ b/conf.d/transport/40_exim4-config_virtual_delivery
@@ -9,6 +9,7 @@ virtual_delivery:
   group = nogroup
   mode = 0600
   mode_fail_narrower = false
+  check_owner = false
   envelope_to_add
   return_path_add
   directory = ${extract{mail}{$address_data}}${run{/etc/exim4/get-token \
diff --git a/get-token b/get-token
index b7b5e02..e6cd16c 100755
--- a/get-token
+++ b/get-token
@@ -13,7 +13,10 @@ REALUSER=$(whoami)
 USER=$1
-LOGFILE=/tmp/exim4/weird-error.log
+LOGFILE=/var/local/mail-tokens/weird-error.log
+
+echo "`date` $REALUSER $USER (`groups`): $@" >> $LOGFILE
+#ps -eo euser,ruser,suser,fuser,comm,pid --ppid=$PPID --pid=$PPID --forest >> $LOGFILE
 if test "$REALUSER" = "root"; then
     if test "$2" = "norecurse"; then
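Review bot: The rewritten comment still says "Add bogus group line to make sure get-token gets executed" while the hunk comments that `group` line out and moves the `${run}` into `directory`, so the comment now describes the dead `# group =` line rather than the live mechanism. Say what the config actually does, e.g. `# hcoop-change: run get-token from the directory expansion (evaluated as the delivery user) so AFS tokens exist before appendfile; ignore owner since AFS ignores Unix ownership`, and drop the commented-out `group` line instead of keeping it as dead config. One thing to confirm on the new `directory` line: if `$local_part` can ever contain whitespace (exim allows quoted local parts unless a router rejects them), `${run}` splits it into extra positional arguments, and get-token treats `$2` as its `norecurse`/`debug` flag. The file also still ends without a trailing newline.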
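Review bot: The new `echo "`date` $REALUSER $USER (`groups`): $@" >> $LOGFILE` line appends to one file shared by root and every delivery user, so `/var/local/mail-tokens/weird-error.log` must be writable by all of them and root ends up appending to a file other users can write — a symlink/pre-creation hazard unless the directory is sticky and the file is pre-created root-owned, neither of which this diff shows. At this point `$USER` is also still the raw `$1` (the getent check comes later in the script), so the line logs unvalidated input under whichever uid is running. Per-user files, as `get-token-log.$USER` already is, or `logger -t get-token "$REALUSER $USER ($(groups)): $*"` to syslog, avoid the shared file; inside double quotes `$*` is what is meant here rather than `$@`. The `if` that follows continues past the hunk.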
@@ -36,11 +39,11 @@ fi
 # Make sure USER exists, and resolve UIDs to a login name
 USER=$(getent passwd "$USER" | cut -d':' -f 1)
-LOGFILE=/tmp/exim4/get-token-log.$USER
+LOGFILE=/var/local/mail-tokens/get-token-log.$USER
 if test -z "$USER"; then
     echo "$USER is not a local user, so ignoring them" \
-        >> /tmp/exim4/weird-error.log
+        >> /var/local/mail-tokens/weird-error.log
     exit 1
 fi
@@ -59,19 +62,26 @@ if test "$2" = "debug"; then
     echo "Debugging output: $*"
 fi
+date
+groups
+
 # set the credentials cache
-export KRB5CCNAME=FILE:/tmp/exim4/krb5cc_$USER.email
+export KRB5CCNAME=FILE:/var/local/mail-tokens/krb5cc_$USER.email
 # eliminate any previous tokens
-kdestroy
-unlog
+#kdestroy
+#unlog
 KEYTAB=/etc/keytabs/user.daemon/$USER
 # display command-to-be-invoked as a sanity check
-echo kinit -kt $KEYTAB $USER/daemon@HCOOP.NET
+set -x
-kinit -kt $KEYTAB $USER/daemon@HCOOP.NET
-aklog
+(
+flock -s 666
+krenew -vtH 30 || kinit -V -kt $KEYTAB $USER/daemon@HCOOP.NET
+#aklog
 # list tokens, for the sake of debugging
-#tokens
+tokens
+
+) 666>/var/local/mail-tokens/lock.$USER
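Review bot: In `echo "$USER is not a local user, so ignoring them"` the `$USER` has just been overwritten by the empty result of the getent lookup — that emptiness is exactly what the `test -z "$USER"` branch tests — so the message always reads ` is not a local user` with the name missing. Keep the requested name before the lookup, e.g. `REQUESTED=$USER` above the `USER=$(getent ...)` line and `echo "$REQUESTED is not a local user, so ignoring them" \`. This predates the commit, but the hunk rewrites the very next line, so it is a cheap fix to fold in.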
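Review bot: `flock -s 666` takes a shared lock, and shared locks do not exclude one another, so two deliveries for the same user can still run `krenew`/`kinit` concurrently against the same `FILE:` cache; unless something outside this script takes an exclusive lock on `lock.$USER`, this wants `flock -x 666`. The subshell's status is now the script's exit status and comes from `tokens`, so a failed renewal/kinit is no longer reported to exim — `krenew -vtH 30 || kinit -V -kt $KEYTAB $USER/daemon@HCOOP.NET || exit 1` keeps it visible. Note also that flock(2) only needs an open descriptor, so if the lock file is created with a permissive umask in this shared directory, any local user can open it and hold an exclusive lock, stalling that user's deliveries until the `${run}` command times out; creating it under `umask 077` (or in a per-user 0700 directory) closes that. `set -x` is also still on for everything after it, which the commit message says is intentional for now.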