From: Fernando Rodriguez <cyklonite@gmail.com>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Re: executing a command as a nologin user
Date: Fri, 15 Jul 2016 09:45:21 -0400
Message-ID: <b0c7802e-2f7b-8cfb-3026-5c0610dcef5a@gmail.com>
In-Reply-To: <77b81b3c-5865-fce9-2c12-2633c40bc578@gentoo.org>
On 07/14/2016 09:36 PM, Jonathan Callen wrote:
> On 07/14/2016 05:19 PM, Fernando Rodriguez wrote:
>> On 07/13/2016 01:41 PM, wabe wrote:
>>> Fernando Rodriguez <cyklonite@gmail.com> wrote:
>>
>>>> On 07/13/2016 07:10 AM, Alan McKinnon wrote:
>>>>> On 12/07/2016 03:47, jens w wrote:
>>>>>> .procmailrc
>>>>>> :0 c
>>>>>> * !^X-Loop: name@example.com
>>>>>> | formail -X "From:" | $HOME/bin/script.sh
>>>>>>
>>>>>> procmail.log
>>>>>> procmail: Executing " formail -X "From:" | $HOME/bin/script.sh
>>>>>>
>>>>>> For incoming mail, a script is executed. The logfile has the same
>>>>>> entry as it does for other users, but the script does nothing.
>>>>>>
>>>>>> How do I execute a command as a nologin user?
>>>>>>
>>>>>
>>>>>
>>>>> You can't, not the way you are doing it.
>>>>> You want to launch a shell script for the user, but the user's
>>>>> shell is /sbin/nologin. This exits immediately without launching
>>>>> the script.
>>>>>
>>>>> Give the user a real shell.
>>>>>
>>>>> Alan
>>>>>
>>>>
>>>> I've been following this thread and thinking the same thing but
>>>> wasn't sure.
>>>>
>>>> What if you invoke the shell directly instead of the script, either:
>>>> /bin/sh -c "<path to script>" or /bin/sh -c "$(cat <script>)"?
>>>>
>>>> If procmail uses the system() call to launch the script it won't work
>>>> but if it uses fork()/exec() or similar I think that it should work.
>>
>>> I don't know how procmail is launching scripts, so I don't know
>>> whether what I say now makes sense. :-)
>>
>>> I tested whether another regular user (let's call him user1) can execute
>>> scripts that are owned by nologinuser. It works as long as the path
>>> and the script itself are readable and executable by user1.
>>> If the script is writing stuff into /home/nologinuser then it is
>>> also necessary that the home directory is writable by user1.
>>
>>> Of course user1 hasn't executed the script as nologinuser. I don't
>>> know if procmail is doing so.
>>
>>> --
>>> Regards
>>> wabe
>>
>>
>> Yes, you can execute any scripts as long as you have permissions. A program
>> can use the exec() family of functions to do that. But if the program calls
>> the system() function or similar it will try to use the user shell to execute
>> the command. If the shell is nologin it will refuse to do so.
>>
>>
>
> That's not actually true either. The system(3) function is defined to
> create a child process using fork(2), then execute the specified command
> using execl(3) as follows:
>
> execl("/bin/sh", "sh", "-c", command, (char *) 0);
>
> Note that this is not dependent on the user's normal shell, the shell
> /bin/sh is *always* used.
>
You're right, thanks.
And I checked procmail: it tries execvp() first and, if that fails, it execv()s
/bin/sh with the command as arguments, so we're probably barking up the wrong tree.
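The two launch paths the thread settles on, as an added C example that is not part of the original messages or of procmail's source: execvp(3) of the command (what procmail tries first, with the kernel acting on a script's #! line) and the system(3)-style execl of /bin/sh, neither of which consults $SHELL or the login shell from /etc/passwd. The function names run_child and demo_nologin_shell_is_irrelevant are hypothetical, and the throwaway /tmp script is constructed for the demo.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fork and exec in the child; return the child's exit status (-1 on
 * failure). via_sh == 0 mirrors what procmail tries first, execvp(3) of
 * argv[0] (for a script the kernel acts on its #! line). via_sh != 0
 * mirrors system(3), which is defined as
 *   execl("/bin/sh", "sh", "-c", command, (char *)0);
 * Neither path consults $SHELL or the login shell in /etc/passwd. */
int run_child(char *const argv[], int via_sh) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (via_sh) execl("/bin/sh", "sh", "-c", argv[0], (char *)0);
        else        execvp(argv[0], argv);
        _exit(127); /* only reached if exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Demo: with $SHELL set to /sbin/nologin, as a nologin account might
 * have it, both exec paths still run. Writes a constructed throwaway
 * script that exits 5; returns 1 when both paths behaved as expected. */
int demo_nologin_shell_is_irrelevant(void) {
    setenv("SHELL", "/sbin/nologin", 1);
    char path[] = "/tmp/nologin-demo-XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    static const char body[] = "#!/bin/sh\nexit 5\n";
    if (write(fd, body, sizeof body - 1) < 0) return -1;
    close(fd);
    chmod(path, 0700);
    char *script_argv[] = { path, (char *)0 };
    int via_exec = run_child(script_argv, 0);      /* kernel reads #! */
    char *sh_argv[] = { "exit 7", (char *)0 };
    int via_sh = run_child(sh_argv, 1);            /* /bin/sh -c ... */
    unlink(path);
    return via_exec == 5 && via_sh == 7;
}
```

If the script in the original post still does nothing under this model, the cause lies in permissions on the script, its directory or $HOME, or in the script's own environment, not in the nologin shell.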