From: Fernando Rodriguez <cyklonite@gmail.com>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Re: executing a command as a nologin user
Date: Fri, 15 Jul 2016 10:20:09 -0400
Message-ID: <6bf3cddb-ef5e-5f5f-8c64-9f8230c5b3ac@gmail.com>
In-Reply-To: <b0c7802e-2f7b-8cfb-3026-5c0610dcef5a@gmail.com>


On 07/15/2016 09:45 AM, Fernando Rodriguez wrote:
> On 07/14/2016 09:36 PM, Jonathan Callen wrote:
>> On 07/14/2016 05:19 PM, Fernando Rodriguez wrote:
>>> On 07/13/2016 01:41 PM, wabe wrote:
>>>> Fernando Rodriguez <cyklonite@gmail.com> wrote:
>>>
>>>>> On 07/13/2016 07:10 AM, Alan McKinnon wrote:
>>>>>> On 12/07/2016 03:47, jens w wrote:
>>>>>>> .procmailrc
>>>>>>> :0 c
>>>>>>> * !^X-Loop: name@example.com
>>>>>>> | formail -X "From:" | $HOME/bin/script.sh
>>>>>>>
>>>>>>> procmail.log
>>>>>>> procmail: Executing " formail -X "From:" | $HOME/bin/script.sh
>>>>>>>
>>>>>>> For incoming mail, a script is executed. The logfile has the same
>>>>>>> entry as it does for other users, but the script does nothing.
>>>>>>>
>>>>>>> How do I execute a command as a nologin user?
>>>>>>>
>>>>>>
>>>>>> You can't, not the way you are doing it.
>>>>>> You want to launch a shell script for the user, but the user's
>>>>>> shell is /sbin/nologin. This exits immediately without launching
>>>>>> the script.
>>>>>>
>>>>>> Give the user a real shell.
>>>>>>
>>>>>> Alan
>>>>>>
>>>>>
>>>>> I've been following this thread and thinking the same thing but
>>>>> wasn't sure.
>>>>>
>>>>> What if you invoke the shell directly instead of the script, either:
>>>>> /bin/sh -c "<path to script>" or /bin/sh -c "$(cat <script>)"?
>>>>>
>>>>> If procmail uses the system() call to launch the script it won't work
>>>>> but if it uses fork()/exec() or similar I think that it should work.
>>>
>>>> I don't know how procmail is launching scripts, so I don't know if
>>>> what I say now makes sense. :-)
>>>
>>>> I tested if another regular user (let's call him user1) can execute
>>>> scripts that are owned by nologinuser. It works as long as the path
>>>> and the script itself are readable and executable by user1.
>>>> If the script is writing stuff into /home/nologinuser then it is
>>>> also necessary that the home directory is writable by user1.
>>>
>>>> Of course user1 hasn't executed the script as nologinuser. I don't
>>>> know if procmail is doing so.
>>>
>>>> --
>>>> Regards
>>>> wabe
>>>
>>>
>>> Yes, you can execute any scripts as long as you have permissions. A program
>>> can use the exec() family of functions to do that. But if the program calls
>>> the system() function or similar it will try to use the user shell to execute
>>> the command. If the shell is nologin it will refuse to do so.
>>>
>>>
> 
>> That's not actually true either.  The system(3) function is defined to
>> create a child process using fork(2), then execute the specified command
>> using execl(3) as follows:
> 
>>     execl("/bin/sh", "sh", "-c", command, (char *) 0);
> 
>> Note that this is not dependent on the user's normal shell, the shell
>> /bin/sh is *always* used.
> 
> 
> You're right thanks.
> And I checked procmail and it tries execvp() first and if that fails it execv()s
> /bin/sh with the command as arguments, so we're probably barking up the wrong tree.

Ah, procmail does the shell lookup.
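The two points settled in this thread, that system(3) always goes through /bin/sh and that procmail falls back to /bin/sh after execvp(), can be checked with a small program. The C code below is an added example written for this archive page; it is not code from the thread, from glibc, or from procmail. It assumes /bin/sh exists, and that /sbin/nologin, where present, exits non-zero without running the command it is handed (where it is absent the exec simply fails, which the example reports as 127). The security point to take from it: a nologin shell in /etc/passwd only stops programs that consult pw_shell (login, sshd, su); anything that execs /bin/sh -c directly, as system(3) and procmail do, runs the command as that account regardless, so restricting what such an account can do has to come from file permissions and the delivery configuration, not from its shell.

```c
/* Added example (not from the thread, glibc or procmail): a login shell of
 * /sbin/nologin does not stop a program from running a command as that
 * account, because system(3) and procmail exec /bin/sh -c "cmd" directly and
 * never look at pw_shell. Assumes /bin/sh exists. */
#include <sys/types.h>
#include <sys/wait.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Run cmd as `shell -c cmd` in a forked child, the way glibc's system(3)
 * runs `/bin/sh -c cmd`. The child's stdout is collected into out
 * (NUL-terminated, truncated to outsz-1 bytes; out may be NULL with outsz 0).
 * Returns the child's exit status, 127 if the shell could not be executed,
 * or -1 on fork/pipe failure or abnormal termination. */
int run_with_shell(const char *shell, const char *cmd, char *out, size_t outsz)
{
    int fds[2];
    if (outsz > 0)
        out[0] = '\0';
    if (pipe(fds) != 0)
        return -1;

    pid_t pid = fork();
    if (pid < 0) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    if (pid == 0) {
        /* child: send stdout to the pipe, then exec the requested shell */
        close(fds[0]);
        dup2(fds[1], STDOUT_FILENO);
        close(fds[1]);
        execl(shell, shell, "-c", cmd, (char *)0);
        _exit(127); /* exec failed: shell missing or not executable */
    }

    close(fds[1]);
    size_t used = 0;
    char buf[256];
    ssize_t n;
    while ((n = read(fds[0], buf, sizeof buf)) > 0) {
        /* keep what fits, but drain everything so the child never blocks */
        size_t room = outsz > used + 1 ? outsz - used - 1 : 0;
        size_t take = (size_t)n < room ? (size_t)n : room;
        if (take > 0) {
            memcpy(out + used, buf, take);
            used += take;
            out[used] = '\0';
        }
    }
    close(fds[0]);

    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Login shell recorded for user in passwd, or NULL if there is no such user. */
const char *login_shell_of(const char *user)
{
    struct passwd *pw = getpwnam(user);
    return pw ? pw->pw_shell : NULL;
}

/* True for the conventional "no login" shells. This only says whether
 * interactive login is blocked, not whether commands can run as the account. */
int is_nologin_shell(const char *shell)
{
    if (shell == NULL || shell[0] == '\0')
        return 1;
    const char *base = strrchr(shell, '/');
    base = base ? base + 1 : shell;
    return strcmp(base, "nologin") == 0 || strcmp(base, "false") == 0;
}

/* 1 when /bin/sh ran the command and its output came back. */
int sh_ran_command(void)
{
    char out[64];
    return run_with_shell("/bin/sh", "echo ran", out, sizeof out) == 0
        && strcmp(out, "ran\n") == 0;
}

/* 1 when handing the same command to the nologin shell did not run it
 * (non-zero status, and the command's marker string absent from stdout). */
int nologin_refused_command(void)
{
    char out[128];
    int rc = run_with_shell("/sbin/nologin", "echo marker-never-runs", out, sizeof out);
    return rc != 0 && strstr(out, "marker-never-runs") == NULL;
}

int main(void)
{
    const char *sh = login_shell_of("root"); /* any account works here */
    printf("root's login shell: %s (nologin? %d)\n", sh ? sh : "(unknown)", is_nologin_shell(sh));
    printf("/bin/sh -c ran the command: %d\n", sh_ran_command());
    printf("/sbin/nologin -c refused it: %d\n", nologin_refused_command());
    return 0;
}
```

run_with_shell is the part worth reading: it is the fork + execl("/bin/sh", "sh", "-c", cmd) sequence Jonathan quotes, parameterised on the shell path so the two cases can be compared side by side. Nothing in it consults the account's passwd entry, which is exactly why the original procmail recipe produced a log line but the script itself was at fault, not the shell.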