* [gentoo-user] executing a command as a nologin user
From: jens w @ 2016-07-12 1:47 UTC
To: gentoo-user
.procmailrc
:0 c
* !^X-Loop: name@example.com
| formail -X "From:" | $HOME/bin/script.sh
procmail.log
procmail: Executing " formail -X "From:" | $HOME/bin/script.sh
For incoming mail, a script is executed. The logfile has the same entry as
it does for other users, but the script does nothing.
How do I execute a command as a nologin user?
* Re: [gentoo-user] executing a command as a nologin user
From: wabe @ 2016-07-12 14:17 UTC
To: gentoo-user
jens w <jw@lxsbbs.eu> wrote:
> .procmailrc
> :0 c
> * !^X-Loop: name@example.com
> | formail -X "From:" | $HOME/bin/script.sh
>
> procmail.log
> procmail: Executing " formail -X "From:" | $HOME/bin/script.sh
>
> for incoming mail, a script is executed. logfile has the same entry as
> it is in other users. but the script do nothing.
>
> How executing a command as a nologin user?
Is script.sh readable and executable for the procmail user?
Does script.sh contain a definition for a command interpreter
(something like #!/bin/sh)?
--
Regards
wabe
* Re: [gentoo-user] executing a command as a nologin user
From: jens w @ 2016-07-12 20:39 UTC
To: gentoo-user
On Tue, 12 Jul 2016 16:17:42 +0200,
wabe <wabenbau@gmail.com> wrote:
> jens w <jw@lxsbbs.eu> wrote:
>
> > .procmailrc
> > :0 c
> > * !^X-Loop: name@example.com
> > | formail -X "From:" | $HOME/bin/script.sh
> >
> > procmail.log
> > procmail: Executing " formail -X "From:" | $HOME/bin/script.sh
> >
> > for incoming mail, a script is executed. logfile has the same entry
> > as it is in other users. but the script do nothing.
> >
> > How executing a command as a nologin user?
>
> Is script.sh readable and executable for the procmail user?
>
> Does script.sh contain a definition for a command interpreter
> (something like #!/bin/sh)?
Yes and yes.
It works for the default user; it does not work for the nologin user.
As a workaround I forward the mail to a helper user and process it there.
* Re: [gentoo-user] executing a command as a nologin user
From: Neil Bothwick @ 2016-07-12 20:54 UTC
To: gentoo-user
On Tue, 12 Jul 2016 22:39:59 +0200, jens w wrote:
> > > .procmailrc
> > > :0 c
> > > * !^X-Loop: name@example.com
> > > | formail -X "From:" | $HOME/bin/script.sh
> > >
> > > procmail.log
> > > procmail: Executing " formail -X "From:" | $HOME/bin/script.sh
> > >
> > > for incoming mail, a script is executed. logfile has the same entry
> > > as it is in other users. but the script do nothing.
> > >
> > > How executing a command as a nologin user?
> >
> > Is script.sh readable and executable for the procmail user?
> >
> > Does script.sh contain a definition for a command interpreter
> > (something like #!/bin/sh)?
>
> yes and yes.
> it works for default user. it does not work for nologin user.
> as workaround I forward the mail to a helper-user, and process it there
So you have copies of the same script in each user's $HOME/bin? Why not
call them from a single location? Are you sure the scripts are identical?
Does the procmail log give any clues?
--
Neil Bothwick
I don't know if I can assimilate one more Borg Tagline!
* Re: [gentoo-user] executing a command as a nologin user
From: Alan McKinnon @ 2016-07-12 20:59 UTC
To: gentoo-user
On 12/07/2016 22:39, jens w wrote:
> On Tue, 12 Jul 2016 16:17:42 +0200,
> wabe <wabenbau@gmail.com> wrote:
>
>> jens w <jw@lxsbbs.eu> wrote:
>>
>>> .procmailrc
>>> :0 c
>>> * !^X-Loop: name@example.com
>>> | formail -X "From:" | $HOME/bin/script.sh
>>>
>>> procmail.log
>>> procmail: Executing " formail -X "From:" | $HOME/bin/script.sh
>>>
>>> for incoming mail, a script is executed. logfile has the same entry
>>> as it is in other users. but the script do nothing.
>>>
>>> How executing a command as a nologin user?
>>
>> Is script.sh readable and executable for the procmail user?
>>
>> Does script.sh contain a definition for a command interpreter
>> (something like #!/bin/sh)?
>
> yes and yes.
> it works for default user. it does not work for nologin user.
> as workaround I forward the mail to a helper-user, and process it there
>
>
does that nologin user have a mailbox? A real one, actually on the disk?
Alan
* Re: [gentoo-user] executing a command as a nologin user
From: jens w @ 2016-07-12 21:51 UTC
To: gentoo-user
On Tue, 12 Jul 2016 21:54:46 +0100,
Neil Bothwick <neil@digimed.co.uk> wrote:
> On Tue, 12 Jul 2016 22:39:59 +0200, jens w wrote:
>
> > > > .procmailrc
> > > > :0 c
> > > > * !^X-Loop: name@example.com
> > > > | formail -X "From:" | $HOME/bin/script.sh
> > > >
> > > > procmail.log
> > > > procmail: Executing " formail -X "From:" | $HOME/bin/script.sh
> > > >
> > > > for incoming mail, a script is executed. logfile has the same
> > > > entry as it is in other users. but the script do nothing.
> > > >
> > > > How executing a command as a nologin user?
> > >
> > > Is script.sh readable and executable for the procmail user?
> > >
> > > Does script.sh contain a definition for a command interpreter
> > > (something like #!/bin/sh)?
> >
> > yes and yes.
> > it works for default user. it does not work for nologin user.
> > as workaround I forward the mail to a helper-user, and process it
> > there
>
> So you have copies of the same script in each user's $HOME/bin? Why
> not call them from a single location? Are you sure the scripts are
> identical?
It is one user; I will send an alert.
>
> Does the procmail log give any clues?
>
>
Same entry for the default and the nologin user. See above.
* Re: [gentoo-user] executing a command as a nologin user
From: jens w @ 2016-07-12 21:58 UTC
To: gentoo-user
On Tue, 12 Jul 2016 22:59:16 +0200,
Alan McKinnon <alan.mckinnon@gmail.com> wrote:
> On 12/07/2016 22:39, jens w wrote:
> > On Tue, 12 Jul 2016 16:17:42 +0200,
> > wabe <wabenbau@gmail.com> wrote:
> >
> >> jens w <jw@lxsbbs.eu> wrote:
> >>
> >>> .procmailrc
> >>> :0 c
> >>> * !^X-Loop: name@example.com
> >>> | formail -X "From:" | $HOME/bin/script.sh
> >>>
> >>> procmail.log
> >>> procmail: Executing " formail -X "From:" | $HOME/bin/script.sh
> >>>
> >>> for incoming mail, a script is executed. logfile has the same
> >>> entry as it is in other users. but the script do nothing.
> >>>
> >>> How executing a command as a nologin user?
> >>
> >> Is script.sh readable and executable for the procmail user?
> >>
> >> Does script.sh contain a definition for a command interpreter
> >> (something like #!/bin/sh)?
> >
> > yes and yes.
> > it works for default user. it does not work for nologin user.
> > as workaround I forward the mail to a helper-user, and process it
> > there
> >
> >
>
>
> does that nologin user have a mailbox? A real one, actually on the
> disk?
Real user, real Unix user account. We will exchange confidential news,
but the user can't use PGP. So he has a local mail account, and we
exchange news via SSL over my mail server.
When a message arrives for the user, I will send an alert to his
AOL account.
I tested the script before, but it does not work for the nologin user.
* Re: [gentoo-user] executing a command as a nologin user
From: wabe @ 2016-07-13 1:02 UTC
To: gentoo-user
jens w <jw@lxsbbs.eu> wrote:
> On Tue, 12 Jul 2016 22:59:16 +0200,
> Alan McKinnon <alan.mckinnon@gmail.com> wrote:
>
> > On 12/07/2016 22:39, jens w wrote:
> > > On Tue, 12 Jul 2016 16:17:42 +0200,
> > > wabe <wabenbau@gmail.com> wrote:
> > >
> > >> jens w <jw@lxsbbs.eu> wrote:
> > >>
> > >>> .procmailrc
> > >>> :0 c
> > >>> * !^X-Loop: name@example.com
> > >>> | formail -X "From:" | $HOME/bin/script.sh
> > >>>
> > >>> procmail.log
> > >>> procmail: Executing " formail -X "From:" | $HOME/bin/script.sh
> > >>>
> > >>> for incoming mail, a script is executed. logfile has the same
> > >>> entry as it is in other users. but the script do nothing.
> > >>>
> > >>> How executing a command as a nologin user?
> > >>
> > >> Is script.sh readable and executable for the procmail user?
> > >>
> > >> Does script.sh contain a definition for a command interpreter
> > >> (something like #!/bin/sh)?
> > >
> > > yes and yes.
> > > it works for default user. it does not work for nologin user.
> > > as workaround I forward the mail to a helper-user, and process it
> > > there
> > >
> > >
> >
> >
> > does that nologin user have a mailbox? A real one, actually on the
> > disk?
>
> real user, real unix useraccount. we will exchange confidential news,
> but the user can't use pgp. so he has a local mailaccount, so we
> change news via ssl over my mailserver.
> when a message arrives for the user, I will send a alert to his
> aol-account.
>
> I test the script before, but it works not on nologin-user.
Are you sure that the HOME envar is defined for the "nologin-user"?
Is there an existing home directory defined in /etc/passwd for this
user?
--
Regards
wabe
* Re: [gentoo-user] executing a command as a nologin user
From: jens w @ 2016-07-13 10:31 UTC
To: gentoo-user
On Wed, 13 Jul 2016 03:02:50 +0200,
wabe <wabenbau@gmail.com> wrote:
>
> Are you sure that the HOME envar is defined for the "nologin-user"?
# getent passwd user
user:x:1018:1018::/home/user:/sbin/nologin
# su -s /bin/bash user -c echo $HOME
I changed $HOME to /home/user, but the script is not executed.
> Is there a existing home directory defined in /etc/passwd for this
> user?
Yes, and the mail delivery to /home/user/.maildir is OK; the
access from Roundcube is OK as well.
* Re: [gentoo-user] executing a command as a nologin user
From: Alan McKinnon @ 2016-07-13 11:10 UTC
To: gentoo-user
On 12/07/2016 03:47, jens w wrote:
> .procmailrc
> :0 c
> * !^X-Loop: name@example.com
> | formail -X "From:" | $HOME/bin/script.sh
>
> procmail.log
> procmail: Executing " formail -X "From:" | $HOME/bin/script.sh
>
> for incoming mail, a script is executed. logfile has the same entry as
> it is in other users. but the script do nothing.
>
> How executing a command as a nologin user?
>
You can't, not the way you are doing it.
You want to launch a shell script for the user, but the user's shell is
/sbin/nologin. This exits immediately without launching the script.
Give the user a real shell.
Alan
* Re: [gentoo-user] executing a command as a nologin user
From: Fernando Rodriguez @ 2016-07-13 11:29 UTC
To: gentoo-user
On 07/13/2016 07:10 AM, Alan McKinnon wrote:
> On 12/07/2016 03:47, jens w wrote:
>> .procmailrc
>> :0 c
>> * !^X-Loop: name@example.com
>> | formail -X "From:" | $HOME/bin/script.sh
>>
>> procmail.log
>> procmail: Executing " formail -X "From:" | $HOME/bin/script.sh
>>
>> for incoming mail, a script is executed. logfile has the same entry as
>> it is in other users. but the script do nothing.
>>
>> How executing a command as a nologin user?
>>
>
>
> You can't, not the way you are doing it.
> You want to launch a shell script for the user, but the user's shell is /sbin/nologin. This exits immediately without launching the script.
>
> Give the user a real shell.
>
> Alan
>
I've been following this thread and thinking the same thing but wasn't sure.
What if you invoke the shell directly instead of the script, either:
/bin/sh -c "<path to script>" or /bin/sh -c "$(cat <script>)"?
If procmail uses the system() call to launch the script it won't work but if it
uses fork()/exec() or similar I think that it should work.
* Re: [gentoo-user] executing a command as a nologin user
From: wabe @ 2016-07-13 16:42 UTC
To: gentoo-user
Fernando Rodriguez <cyklonite@gmail.com> wrote:
> On 07/13/2016 07:10 AM, Alan McKinnon wrote:
> > On 12/07/2016 03:47, jens w wrote:
> >> .procmailrc
> >> :0 c
> >> * !^X-Loop: name@example.com
> >> | formail -X "From:" | $HOME/bin/script.sh
> >>
> >> procmail.log
> >> procmail: Executing " formail -X "From:" | $HOME/bin/script.sh
> >>
> >> for incoming mail, a script is executed. logfile has the same
> >> entry as it is in other users. but the script do nothing.
> >>
> >> How executing a command as a nologin user?
> >>
> >
> >
> > You can't, not the way you are doing it.
> > You want to launch a shell script for the user, but the user's
> > shell is /sbin/nologin. This exits immediately without launching
> > the script.
> >
> > Give the user a real shell.
> >
> > Alan
> >
>
> I've been following this thread and thinking the same thing but
> wasn't sure.
I don't think so. To prove it, I created this user:
nologinuser:x:1015:1016::/home/nologinuser:/sbin/nologin
Then I created this script:
#!/bin/sh
#
date >> /home/nologinuser/envars.txt
echo $HOME >> /home/nologinuser/envars.txt
echo $PATH >> /home/nologinuser/envars.txt
echo "-----------------------" >> /home/nologinuser/envars.txt
I stored it as /var/script-nologinuser/testscript.sh. I had to store
it at this place because /home is mounted with the noexec option on
my system.
Then I created a cronjob for the nologinuser user:
*/2 * * * * /var/script-nologinuser/testscript.sh
The result is the file /home/nologinuser/envars.txt with this
content:
Wed Jul 13 18:10:01 CEST 2016
/home/nologinuser
/usr/bin:/bin
-----------------------
Wed Jul 13 18:12:01 CEST 2016
/home/nologinuser
/usr/bin:/bin
-----------------------
The ownership and the rights for /home/nologinuser/,
/var/script-nologinuser/ and /var/script-nologinuser/testscript.sh
are nologinuser:nologinuser and 700.
So it seems that it is possible to execute scripts without setting
a shell in /etc/passwd.
I don't know why it doesn't work for jens w.
--
Regards
wabe
* Re: [gentoo-user] executing a command as a nologin user
From: Alan McKinnon @ 2016-07-13 16:50 UTC
To: gentoo-user
On 13/07/2016 18:42, wabe wrote:
> Fernando Rodriguez <cyklonite@gmail.com> wrote:
>
>> On 07/13/2016 07:10 AM, Alan McKinnon wrote:
>>> On 12/07/2016 03:47, jens w wrote:
>>>> .procmailrc
>>>> :0 c
>>>> * !^X-Loop: name@example.com
>>>> | formail -X "From:" | $HOME/bin/script.sh
>>>>
>>>> procmail.log
>>>> procmail: Executing " formail -X "From:" | $HOME/bin/script.sh
>>>>
>>>> for incoming mail, a script is executed. logfile has the same
>>>> entry as it is in other users. but the script do nothing.
>>>>
>>>> How executing a command as a nologin user?
>>>>
>>>
>>>
>>> You can't, not the way you are doing it.
>>> You want to launch a shell script for the user, but the user's
>>> shell is /sbin/nologin. This exits immediately without launching
>>> the script.
>>>
>>> Give the user a real shell.
>>>
>>> Alan
>>>
>>
>> I've been following this thread and thinking the same thing but
>> wasn't sure.
>
> I don't think so. To proof it, I created this user:
>
> nologinuser:x:1015:1016::/home/nologinuser:/sbin/nologin
>
> Then I created this script:
>
> #!/bin/sh
> #
> date >> /home/nologinuser/envars.txt
> echo $HOME >> /home/nologinuser/envars.txt
> echo $PATH >> /home/nologinuser/envars.txt
> echo "-----------------------" >> /home/nologinuser/envars.txt
>
> I stored it as /var/script-nologinuser/testscript.sh. I had to store
> it at this place because /home is mounted with the noexec option on
> my system.
>
>
> Then I created a cronjob for the nologinuser user:
>
> */2 * * * * /var/script-nologinuser/testscript.sh
>
>
> The result is the file /home/nologinuser/envars.txt with this
> content:
>
> Wed Jul 13 18:10:01 CEST 2016
> /home/nologinuser
> /usr/bin:/bin
> -----------------------
> Wed Jul 13 18:12:01 CEST 2016
> /home/nologinuser
> /usr/bin:/bin
> -----------------------
>
>
> The ownership and the rights for /home/nologinuser/,
> /var/script-nologinuser/ and /var/script-nologinuser/testscript.sh
> are nologinuser:nologinuser and 700.
>
> So it seems, that it is possible to execute scripts without setting
> a shell in /etc/passwd.
>
> I don't know why it doesn't work for jens w.
Not so. Your script is launched by cron, running as root. It starts a
non-interactive no-login shell (that's why people have infernal trouble
with cron, assuming it has a $PATH when it actually has none).
* Re: [gentoo-user] executing a command as a nologin user
From: wabe @ 2016-07-13 17:05 UTC
To: gentoo-user
Alan McKinnon <alan.mckinnon@gmail.com> wrote:
> On 13/07/2016 18:42, wabe wrote:
> > Fernando Rodriguez <cyklonite@gmail.com> wrote:
> >
> >> On 07/13/2016 07:10 AM, Alan McKinnon wrote:
> >>> On 12/07/2016 03:47, jens w wrote:
> >>>> .procmailrc
> >>>> :0 c
> >>>> * !^X-Loop: name@example.com
> >>>> | formail -X "From:" | $HOME/bin/script.sh
> >>>>
> >>>> procmail.log
> >>>> procmail: Executing " formail -X "From:" | $HOME/bin/script.sh
> >>>>
> >>>> for incoming mail, a script is executed. logfile has the same
> >>>> entry as it is in other users. but the script do nothing.
> >>>>
> >>>> How executing a command as a nologin user?
> >>>>
> >>>
> >>>
> >>> You can't, not the way you are doing it.
> >>> You want to launch a shell script for the user, but the user's
> >>> shell is /sbin/nologin. This exits immediately without launching
> >>> the script.
> >>>
> >>> Give the user a real shell.
> >>>
> >>> Alan
> >>>
> >>
> >> I've been following this thread and thinking the same thing but
> >> wasn't sure.
> >
> > I don't think so. To proof it, I created this user:
> >
> > nologinuser:x:1015:1016::/home/nologinuser:/sbin/nologin
> >
> > Then I created this script:
> >
> > #!/bin/sh
> > #
> > date >> /home/nologinuser/envars.txt
> > echo $HOME >> /home/nologinuser/envars.txt
> > echo $PATH >> /home/nologinuser/envars.txt
> > echo "-----------------------" >> /home/nologinuser/envars.txt
> >
> > I stored it as /var/script-nologinuser/testscript.sh. I had to store
> > it at this place because /home is mounted with the noexec option on
> > my system.
> >
> >
> > Then I created a cronjob for the nologinuser user:
> >
> > */2 * * * * /var/script-nologinuser/testscript.sh
> >
> >
> > The result is the file /home/nologinuser/envars.txt with this
> > content:
> >
> > Wed Jul 13 18:10:01 CEST 2016
> > /home/nologinuser
> > /usr/bin:/bin
> > -----------------------
> > Wed Jul 13 18:12:01 CEST 2016
> > /home/nologinuser
> > /usr/bin:/bin
> > -----------------------
> >
> >
> > The ownership and the rights for /home/nologinuser/,
> > /var/script-nologinuser/ and /var/script-nologinuser/testscript.sh
> > are nologinuser:nologinuser and 700.
> >
> > So it seems, that it is possible to execute scripts without setting
> > a shell in /etc/passwd.
> >
> > I don't know why it doesn't work for jens w.
>
>
> Not so. Your script is launched by cron, running as root. It starts a
> non-interactive no-login shell (that's why people have infernal
> trouble with cron, assuming it has a $PATH when it actually has none)
OK, this seems to make sense. I did another test to make sure that
it also works when the script isn't executed directly by crontab.
I'm not sure if this is a real proof, because the "execution chain" is
started by cron.
I renamed /var/script-nologinuser/testscript.sh to
/var/script-nologinuser/testscript-2.sh and created a script
/var/script-nologinuser/testscript.sh with this content:
#!/bin/sh
#
/var/script-nologinuser/testscript-2.sh
It also worked.
--
Regards
wabe
* Re: [gentoo-user] executing a command as a nologin user
From: wabe @ 2016-07-13 17:41 UTC
To: gentoo-user
Fernando Rodriguez <cyklonite@gmail.com> wrote:
> On 07/13/2016 07:10 AM, Alan McKinnon wrote:
> > On 12/07/2016 03:47, jens w wrote:
> >> .procmailrc
> >> :0 c
> >> * !^X-Loop: name@example.com
> >> | formail -X "From:" | $HOME/bin/script.sh
> >>
> >> procmail.log
> >> procmail: Executing " formail -X "From:" | $HOME/bin/script.sh
> >>
> >> for incoming mail, a script is executed. logfile has the same
> >> entry as it is in other users. but the script do nothing.
> >>
> >> How executing a command as a nologin user?
> >>
> >
> >
> > You can't, not the way you are doing it.
> > You want to launch a shell script for the user, but the user's
> > shell is /sbin/nologin. This exits immediately without launching
> > the script.
> >
> > Give the user a real shell.
> >
> > Alan
> >
>
> I've been following this thread and thinking the same thing but
> wasn't sure.
>
> What if you invoke the shell directly instead of the script, either:
> /bin/sh -c "<path to script>" or /bin/sh -c "$(cat <script>)"?
>
> If procmail uses the system() call to launch the script it won't work
> but if it uses fork()/exec() or similar I think that it should work.
I don't know how procmail launches scripts, so I don't know if
what I say now makes sense. :-)
I tested whether another regular user (let's call him user1) can execute
scripts that are owned by nologinuser. It works as long as the path
and the script itself are readable and executable by user1.
If the script writes stuff into /home/nologinuser then it is
also necessary that the home directory is writable by user1.
Of course user1 hasn't executed the script as nologinuser. I don't
know if procmail does so.
--
Regards
wabe
* Re: [gentoo-user] executing a command as a nologin user
From: Alan McKinnon @ 2016-07-13 20:41 UTC
To: gentoo-user
On 13/07/2016 19:05, wabe wrote:
> Alan McKinnon <alan.mckinnon@gmail.com> wrote:
>
>> On 13/07/2016 18:42, wabe wrote:
>>> Fernando Rodriguez <cyklonite@gmail.com> wrote:
>>>
>>>> On 07/13/2016 07:10 AM, Alan McKinnon wrote:
>>>>> On 12/07/2016 03:47, jens w wrote:
>>>>>> .procmailrc
>>>>>> :0 c
>>>>>> * !^X-Loop: name@example.com
>>>>>> | formail -X "From:" | $HOME/bin/script.sh
>>>>>>
>>>>>> procmail.log
>>>>>> procmail: Executing " formail -X "From:" | $HOME/bin/script.sh
>>>>>>
>>>>>> for incoming mail, a script is executed. logfile has the same
>>>>>> entry as it is in other users. but the script do nothing.
>>>>>>
>>>>>> How executing a command as a nologin user?
>>>>>>
>>>>>
>>>>>
>>>>> You can't, not the way you are doing it.
>>>>> You want to launch a shell script for the user, but the user's
>>>>> shell is /sbin/nologin. This exits immediately without launching
>>>>> the script.
>>>>>
>>>>> Give the user a real shell.
>>>>>
>>>>> Alan
>>>>>
>>>>
>>>> I've been following this thread and thinking the same thing but
>>>> wasn't sure.
>>>
>>> I don't think so. To proof it, I created this user:
>>>
>>> nologinuser:x:1015:1016::/home/nologinuser:/sbin/nologin
>>>
>>> Then I created this script:
>>>
>>> #!/bin/sh
>>> #
>>> date >> /home/nologinuser/envars.txt
>>> echo $HOME >> /home/nologinuser/envars.txt
>>> echo $PATH >> /home/nologinuser/envars.txt
>>> echo "-----------------------" >> /home/nologinuser/envars.txt
>>>
>>> I stored it as /var/script-nologinuser/testscript.sh. I had to store
>>> it at this place because /home is mounted with the noexec option on
>>> my system.
>>>
>>>
>>> Then I created a cronjob for the nologinuser user:
>>>
>>> */2 * * * * /var/script-nologinuser/testscript.sh
>>>
>>>
>>> The result is the file /home/nologinuser/envars.txt with this
>>> content:
>>>
>>> Wed Jul 13 18:10:01 CEST 2016
>>> /home/nologinuser
>>> /usr/bin:/bin
>>> -----------------------
>>> Wed Jul 13 18:12:01 CEST 2016
>>> /home/nologinuser
>>> /usr/bin:/bin
>>> -----------------------
>>>
>>>
>>> The ownership and the rights for /home/nologinuser/,
>>> /var/script-nologinuser/ and /var/script-nologinuser/testscript.sh
>>> are nologinuser:nologinuser and 700.
>>>
>>> So it seems, that it is possible to execute scripts without setting
>>> a shell in /etc/passwd.
>>>
>>> I don't know why it doesn't work for jens w.
>>
>>
>> Not so. Your script is launched by cron, running as root. It starts a
>> non-interactive no-login shell (that's why people have infernal
>> trouble with cron, assuming it has a $PATH when it actually has none)
>
> Ok, this seems to make sense. I did another test to make sure that
> it works also when the script isn't executed directly by crontab.
> I'm not sure if this is a real proof, because the "execution chain" is
> started by cron.
>
> I renamed /var/script-nologinuser/testscript.sh to
> /var/script-nologinuser/testscript-2.sh and created a script
> /var/script-nologinuser/testscript.sh with this content:
>
> #!/bin/sh
> #
> /var/script-nologinuser/testscript-2.sh
>
>
> It also worked.
I think in that circumstance, cron forks and execs an sh process in a
non-interactive non-login shell, so it works out OK.
Now to get procmail to do the same.
Alan
* Re: [gentoo-user] executing a command as a nologin user
From: Fernando Rodriguez @ 2016-07-14 21:19 UTC
To: gentoo-user
On 07/13/2016 01:41 PM, wabe wrote:
> Fernando Rodriguez <cyklonite@gmail.com> wrote:
>
>> On 07/13/2016 07:10 AM, Alan McKinnon wrote:
>>> On 12/07/2016 03:47, jens w wrote:
>>>> .procmailrc
>>>> :0 c
>>>> * !^X-Loop: name@example.com
>>>> | formail -X "From:" | $HOME/bin/script.sh
>>>>
>>>> procmail.log
>>>> procmail: Executing " formail -X "From:" | $HOME/bin/script.sh
>>>>
>>>> for incoming mail, a script is executed. logfile has the same
>>>> entry as it is in other users. but the script do nothing.
>>>>
>>>> How executing a command as a nologin user?
>>>>
>>>
>>>
>>> You can't, not the way you are doing it.
>>> You want to launch a shell script for the user, but the user's
>>> shell is /sbin/nologin. This exits immediately without launching
>>> the script.
>>>
>>> Give the user a real shell.
>>>
>>> Alan
>>>
>>
>> I've been following this thread and thinking the same thing but
>> wasn't sure.
>>
>> What if you invoke the shell directly instead of the script, either:
>> /bin/sh -c "<path to script>" or /bin/sh -c "$(cat <script>)"?
>>
>> If procmail uses the system() call to launch the script it won't work
>> but if it uses fork()/exec() or similar I think that it should work.
>
> I don't know how procmail is launching scripts so I don't know if
> that what I say now makes sense. :-)
>
> I tested if another regular user (lets call him user1) can execute
> scripts that are owned by nologinuser. It works as long as the path
> and the script itself are readable and executable by user1.
> If the script is writing stuff into /home/nologinuser then it is
> also necessary that the home directory is writable by user1.
>
> Of course user1 hasn't executed the script as nologinuser. I don't
> know if procmail is doing so.
>
> --
> Regards
> wabe
>
Yes, you can execute any scripts as long as you have permissions. A program
can use the exec() family of functions to do that. But if the program calls
the system() function or similar it will try to use the user shell to execute
the command. If the shell is nologin it will refuse to do so.
* [gentoo-user] Re: executing a command as a nologin user
From: Jonathan Callen @ 2016-07-15 1:36 UTC
To: gentoo-user
On 07/14/2016 05:19 PM, Fernando Rodriguez wrote:
> On 07/13/2016 01:41 PM, wabe wrote:
>> Fernando Rodriguez <cyklonite@gmail.com> wrote:
>
>>> On 07/13/2016 07:10 AM, Alan McKinnon wrote:
>>>> On 12/07/2016 03:47, jens w wrote:
>>>>> .procmailrc
>>>>> :0 c
>>>>> * !^X-Loop: name@example.com
>>>>> | formail -X "From:" | $HOME/bin/script.sh
>>>>>
>>>>> procmail.log
>>>>> procmail: Executing " formail -X "From:" | $HOME/bin/script.sh
>>>>>
>>>>> for incoming mail, a script is executed. logfile has the same
>>>>> entry as it is in other users. but the script do nothing.
>>>>>
>>>>> How executing a command as a nologin user?
>>>>>
>>>>
>>>>
>>>> You can't, not the way you are doing it.
>>>> You want to launch a shell script for the user, but the user's
>>>> shell is /sbin/nologin. This exits immediately without launching
>>>> the script.
>>>>
>>>> Give the user a real shell.
>>>>
>>>> Alan
>>>>
>>>
>>> I've been following this thread and thinking the same thing but
>>> wasn't sure.
>>>
>>> What if you invoke the shell directly instead of the script, either:
>>> /bin/sh -c "<path to script>" or /bin/sh -c "$(cat <script>)"?
>>>
>>> If procmail uses the system() call to launch the script it won't work
>>> but if it uses fork()/exec() or similar I think that it should work.
>
>> I don't know how procmail is launching scripts so I don't know if
>> that what I say now makes sense. :-)
>
>> I tested if another regular user (lets call him user1) can execute
>> scripts that are owned by nologinuser. It works as long as the path
>> and the script itself are readable and executable by user1.
>> If the script is writing stuff into /home/nologinuser then it is
>> also necessary that the home directory is writable by user1.
>
>> Of course user1 hasn't executed the script as nologinuser. I don't
>> know if procmail is doing so.
>
>> --
>> Regards
>> wabe
>
>
> Yes, you can execute any scripts as long as you have permissions. A program
> can use the exec() family of functions to do that. But if the program calls
> the system() function or similar it will try to use the user shell to execute
> the command. If the shell is nologin it will refuse to do so.
That's not actually true either. The system(3) function is defined to
create a child process using fork(2), then execute the specified command
using execl(3) as follows:
execl("/bin/sh", "sh", "-c", command, (char *) 0);
Note that this is not dependent on the user's normal shell, the shell
/bin/sh is *always* used.
--
Jonathan Callen
* Re: [gentoo-user] Re: executing a command as a nologin user
From: Fernando Rodriguez @ 2016-07-15 13:45 UTC
To: gentoo-user
On 07/14/2016 09:36 PM, Jonathan Callen wrote:
> That's not actually true either. The system(3) function is defined to
> create a child process using fork(2), then execute the specified command
> using execl(3) as follows:
>
> execl("/bin/sh", "sh", "-c", command, (char *) 0);
>
> Note that this is not dependent on the user's normal shell, the shell
> /bin/sh is *always* used.
You're right, thanks.
And I checked procmail and it tries execvp() first and if that fails it execv()s
/bin/sh with the command as arguments so we're probably barking at the wrong tree.
* Re: [gentoo-user] executing a command as a nologin user
From: Fernando Rodriguez @ 2016-07-15 13:50 UTC
To: gentoo-user
On 07/13/2016 06:31 AM, jens w wrote:
> Am Wed, 13 Jul 2016 03:02:50 +0200
> schrieb wabe <wabenbau@gmail.com>:
>
>>
>> Are you sure that the HOME envar is defined for the "nologin-user"?
>
> # getent passwd user
> user:x:1018:1018::'/home/user:/sbin/nologin
> # su -s /bin/bash user -c echo $HOME
>
>
> I changed $HOME in /home/user, but the script is not executed.
>
>> Is there a existing home directory defined in /etc/passwd for this
>> user?
>
> yes, and the mail-delivery to /home/user/.maildir is ok, also the
> access from roundcube is ok.
>
Have you tried giving that user a regular shell without changing anything
else? And does it work?
* Re: [gentoo-user] Re: executing a command as a nologin user
From: Fernando Rodriguez @ 2016-07-15 14:20 UTC
To: gentoo-user
On 07/15/2016 09:45 AM, Fernando Rodriguez wrote:
> You're right thanks.
> And I checked procmail and it tries execvp() first and if that fails it execv()s
> /bin/sh with the command as arguments so we're probably barking at the wrong tree.
Ah, procmail does the shell lookup.
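The two spawn strategies the thread ends up contrasting, as an added example that is not from the thread or from procmail's source: Jonathan's point that system(3) is hard-wired to fork(2) plus execl("/bin/sh", "sh", "-c", ...), and Fernando's observation that a program which instead looks up and runs the account's passwd shell is stopped cold by /sbin/nologin. The helper names (spawn_with_shell, run_like_system, run_via_login_shell, login_shell) are this example's own; it assumes a POSIX system with /bin/sh present.

```c
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run "cmd" as "shell -c cmd" in a forked child (fork(2) + execl(3)).
 * Returns the child's exit status, 127 if the shell itself could not be
 * exec'd, or -1 on fork/wait failure or abnormal termination. */
int spawn_with_shell(const char *shell, const char *cmd)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl(shell, shell, "-c", cmd, (char *)0);
        _exit(127);                 /* only reached when exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Login shell of the calling uid from the passwd database (pw_shell). */
const char *login_shell(void)
{
    struct passwd *pw = getpwuid(getuid());
    return (pw && pw->pw_shell && pw->pw_shell[0]) ? pw->pw_shell : "/bin/sh";
}

/* What system(3) does: the shell is fixed to /bin/sh, so the account's
 * pw_shell (even /sbin/nologin) never enters the picture. */
int run_like_system(const char *cmd) { return spawn_with_shell("/bin/sh", cmd); }

/* A "shell lookup" spawner: uses the account's pw_shell instead. With
 * pw_shell = /sbin/nologin the command is never run; nologin just exits. */
int run_via_login_shell(const char *cmd) { return spawn_with_shell(login_shell(), cmd); }

int main(void)
{
    printf("pw_shell for uid %u: %s\n", (unsigned)getuid(), login_shell());
    printf("system-style   /bin/sh -c 'exit 7' -> %d\n", run_like_system("exit 7"));
    printf("pw_shell-style %s -c 'exit 7' -> %d\n", login_shell(), run_via_login_shell("exit 7"));
    return 0;
}
```

Run it as a normal user and the two lines agree; run it under an account whose pw_shell is /sbin/nologin and only the system-style line still reports 7, which is the difference the thread was circling.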