
(apparent/suspected) strange umask behavior when run as root

2004-02-07 11:47:08

A while back, I posted a /etc/procmailrc file that filtered out viruses and
spam before delivering to the user's mailbox, or further processing via the
user's .procmailrc file.  To accomplish its task, it did an 'su' as the
recipient user to run spamassassin on the user's behalf, roughly as follows.

:0 fw:spam.lock
| su $LOGNAME -c 'spamassassin'

It also created various log and mailboxes for the user, along these lines:

:0 Wic
* ! ? test -e mail.log
| touch mail.log && chown $LOGNAME mail.log && chmod 640 mail.log

There was a suggestion that by setting UMASK further up in the recipe,
the chmod above could be removed. It was a good suggestion, and
would have other benefits (security-wise) for some other things that
were later done in the recipe. So I added:

UMASK=37    # allow owner r/w/x, group r

The new script basically worked, but when it came to running 'su' above,
the 'su' would fail with a message to the effect that "stdin is not a tty".
Now, 'su' does that if you're not running as root and try to put an su
command to another user inside a shell script. 'su' wants to prompt for
a password, and can't do that from a batch script, so it complains and
doesn't run the command.

I didn't have time to debug this thoroughly. I did add some logging,
with things like:

LOG="USER: "`whoami`"$NL"
LOG="REAL USER: "`id -nru`"$NL"

and sure enough, I saw that the user id had switched to $LOGNAME, well
towards the top of /etc/procmailrc, but after the UMASK setting. There is
a DROPPRIVS at the end of the script, but the debugging log confirmed
that DROPPRIVS hadn't been run. I ran 'diff' to confirm that my changes were
only UMASK related (add UMASK setting, remove chmod's).

This is an RH 9.0 setting that is sadly out-of-date, and I've seen strange
problems on early RH 9.0 installs that went away after running up2date
(though those had mainly to do with Perl, and some C libraries).

At the moment, I've reverted back to chmod's and everything is working
again. I don't have time to properly debug this, but thought I'd mention it
as a possible problem, and see if anyone else has seen this, or if anyone
might have some theories on what happened here?



_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
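Added example, not part of the original post: a shell sketch of the file-mode difference between the two approaches discussed in the message, creating mail.log under umask 037 (procmail reads UMASK as octal, so UMASK=37 is 037) versus touch followed by chmod 640. The function names, the temporary directory, and the starting umask of 022 for the second case are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (constructed): compare the mode of mail.log when it is
# created under umask 037 with the mode it has before and after an
# explicit chmod 640. All names here are hypothetical.

# Print the octal mode of a file (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Create the file under the given umask, in a subshell so the caller's
# umask is untouched, and print the mode it has right after creation.
mode_at_creation() {
    dir=$(mktemp -d) || return 1
    ( umask "$1" && touch "$dir/mail.log" && mode_of "$dir/mail.log" )
    rc=$?
    rm -rf "$dir"
    return $rc
}

# The touch + chmod sequence: print the mode before and after the chmod.
# The "before" value is what other users see in the gap between the two.
mode_touch_then_chmod() {
    dir=$(mktemp -d) || return 1
    (
        umask "$1" && touch "$dir/mail.log" || exit 1
        before=$(mode_of "$dir/mail.log")
        chmod 640 "$dir/mail.log" || exit 1
        echo "$before $(mode_of "$dir/mail.log")"
    )
    rc=$?
    rm -rf "$dir"
    return $rc
}

echo "umask 037, touch only:       $(mode_at_creation 037)"
echo "umask 022, touch then chmod: $(mode_touch_then_chmod 022)"
```

With the umask set first, the file never exists with wider permissions than intended; with touch then chmod, it is briefly created with whatever the inherited umask allows.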
