Re: Running Cyrus Imap under a different user

The system is a Scientific Linux.

The imapd process just tries to exec and then fails and exits, as you can see from the log.
This happens on any process that master tries to execv (e.g. ctl_cyrusdb, imapd and so on).
Reading around, it looks like execv brings all the parent environment, but not LD_LIBRARY_PATH,
for some security reason....

In my case, to be sure that my daemons always run my own versions of the libraries, I just
compiled BerkeleyDB from sources, into my /sonicle/lib.
Then I compiled cyrus against it.
Problem is, if I bring my prebuilt package into another system, and this system has different
versions of my libraries in /usr/lib, execv calls will link into the system ones, not mine...
There must be a way to have everything link into my environment... :(

-= Mail sent through WebTop2 =-



----------------------------------------------------------------------------------

From: Simon Matter <simon.matter@xxxxxxxxx>
To: Gabriele Bulfon <gbulfon@xxxxxxxxxxx>
Cc: Clement Hermann (nodens) <nodens2099@xxxxxxxxx> info-cyrus@xxxxxxxxxxxxxxxxxxxx
Date: 4 November 2010 9.50.00 CET
Subject: Re: Running Cyrus Imap under a different user

> Thanx, here is the output of master proc, and it looks it has all the
> needed environment:
> =================================================================================
> [sonicle@sl imap]$ ps -ef | fgrep master
> root 3370 1 0 09:26 pts/1 00:00:00 sh /sonicle/scripts/envrun
> /sonicle/bin/master -C /sonicle/etc/imapd.conf -M /sonicle/etc/cyrus.conf
> -p /sonicle/var/run/cyrus-master.pid
> sonicle 3372 3370 0 09:26 pts/1 00:00:00 /sonicle/bin/master -C
> /sonicle/etc/imapd.conf -M /sonicle/etc/cyrus.conf -p
> /sonicle/var/run/cyrus-master.pid
> sonicle 3381 2555 0 09:26 pts/1 00:00:00 fgrep master
> [sonicle@sl imap]$ strings /proc/3372/environ
> strings: /proc/3372/environ: Permission denied
> [sonicle@sl imap]$ sudo strings /proc/3372/environ
> LDFLAGS=-L/sonicle/lib
> MANPATH=/sonicle/man:/sonicle/ssl/man:
> HOSTNAME=sl.sonicle.com
> SHELL=/bin/bash
> TERM=xterm
> HISTSIZE=1000
> CPPFLAGS=-I/sonicle/include
> USER=root
> LD_LIBRARY_PATH=/sonicle/lib:

I don't know if it hurts but that should really be
LD_LIBRARY_PATH=/sonicle/lib

> LS_COLORSo=00:fi=00:di=01;34:ln=00;36:pi=40;33:so=00;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi=01;05;37;41:ex=00;32:*.cmd=00;32:*.exe=00;32:*.com=00;32:*.btm=00;32:*.bat=00;32:*.sh=00;32:*.csh=00;32:*.tar=00;31:*.tgz=00;31:*.arj=00;31:*.taz=00;31:*.lzh=00;31:*.zip=00;31:*.z=00;31:*.Z=00;31:*.gz=00;31:*.bz2=00;31:*.bz=00;31:*.tz=00;31:*.rpm=00;31:*.cpio=00;31:*.jpg=00;35:*.gif=00;35:*.bmp=00;35:*.xbm=00;35:*.xpm=00;35:*.png=00;35:*.tif=00;35:
> SUDO_USER=sonicle
> SUDO_UID=501
> CXXFLAGS=-I/sonicle/include
> USERNAME=root
> PATH=/sonicle/scripts:/sonicle/sbin:/sonicle/java/bin:/sonicle/bin:/sonicle/bacula/etc:/sonicle/mysql/bin:/usr/bin:/bin
> MAIL=/var/spool/mail/sonicle
> SUDO=sudo
> PWD=/sonicle/var/log/imap
> INPUTRC=/etc/inputrc
> LANG=en_US.UTF-8
> SHLVL=1
> SUDO_COMMAND=/sonicle/scripts/envrun /sonicle/bin/master -C
> /sonicle/etc/imapd.conf -M /sonicle/etc/cyrus.conf -p
> /sonicle/var/run/cyrus-master.pid
> HOME=/home/sonicle
> TERMINFO=/sonicle/lib/terminfo
> CFLAGS=-I/sonicle/include
> LOGNAME=root
> PGDATA=/sonicle/pgdata
> SUDO_GID=501
> _=/sonicle/bin/master
> =====================================================================
> I tried connecting to local port 143, it connects and then waits forever.
> After that, I get this into imapd.log :
> Nov 4 09:24:55 sl master[3341]: about to exec /sonicle/bin/imapd
> Nov 4 09:24:55 sl imap[3341]: incorrect version of Berkeley db: compiled
> against 4.8.30, linked against 4.3.29
> Nov 4 09:24:55 sl imap[3341]: Fatal error: wrong db version
> Nov 4 09:24:55 sl master[2581]: process 3341 exited, signaled to death by
> 11
> Nov 4 09:24:55 sl master[2581]: service imap pid 3341 in READY state:
> terminated abnormally
> And then many retries....
> To me, looks like imapd has no more my LD_LIBRARY_PATH (master has it).

That's why I asked for the environment dump on an imapd process. Please
check it because there you will see what LD_LIBRARY_PATH looks like.
If it's difficult to get a long-running imapd process you could use a
preforked cyrus.conf for that.

Simon

> -= Mail sent through WebTop2 =-
> ----------------------------------------------------------------------------------
> From: Simon Matter
> To: Gabriele Bulfon
> Cc: Clement Hermann (nodens)
> info-cyrus@xxxxxxxxxxxxxxxxxxxx
> Date: 4 November 2010 7.11.08 CET
> Subject: Re: Running Cyrus Imap under a different user
> Thanx, I understand what you mean, but I'm also supposed to stop and start
> the same daemon
> from this user again, manually, without su.
> I already solved the sudo problem, by wrapping the master launch inside a
> shell that will
> set the environment for it, and in fact it does.
> What happens is later, when master forks and changes user.
> Why is it again losing my environment?
> That's really interesting because in my tests it seems to have worked.
> Could you show us "strings /proc/
> /environ" and "strings
> /proc/
> /environ"?
> BTW, are you running Linux or another *X?
> Simon
> I just want the binaries to override system libs with mine :)
> (of course I could set system environment inside master profile or
> elsewhere, but this is not what I want to do. I can't touch any root
> system behaviour)
> Thanx again :)
> Gabriele.
> -= Mail sent through WebTop2 =-
> ----------------------------------------------------------------------------------
> From: Clement Hermann (nodens)
> To: info-cyrus@xxxxxxxxxxxxxxxxxxxx
> Date: 3 November 2010 20.59.53 CET
> Subject: Re: Running Cyrus Imap under a different user
> On 03/11/2010 18:03, Gabriele Bulfon wrote:
> Thanx for the quick reply ;)
> Yes, environment is correctly exported.
> Maybe there is something I can tell to Linux so that it gives my
> environment to anyone
> changing user to myuser?
> You are not supposed to use sudo to do this. The correct way is to login
> as root (or change identity via su -, or let init run the init script
> for you at startup), and launch the init script to start cyrus master,
> which will drop privileges when forking to child processes (imapd,
> pop3d, etc).
> sudo *will* remove some environment variables, as a security measure.
> It could be that the best way to achieve what you want is to modify an
> existing binary package of cyrus imapd for your distribution, modifying
> only the user-related configure options and configuration scripts.
> Cheers,
> --
> Clement Hermann (nodens)
> - "Fresh air? Isn't that in RL? Isn't that off-charter?"
> Jean in L'Histoire des Pingouins, http://tnemeth.free.fr/fmbl/linuxsf/
> Please find my public key on the public keyserver pgp.mit.edu.
> ----
> Cyrus Home Page: http://www.cyrusimap.org/
> List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
> ----
> Cyrus Home Page: http://www.cyrusimap.org/
> List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
>





----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
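
The check Simon asks for above (compare LD_LIBRARY_PATH in the environment of master with that of an imapd child), as an added shell example that is not part of the original thread. The function names and the sample environ files are constructed for illustration; the script also flags empty entries such as the trailing colon in /sonicle/lib:, which the dynamic loader treats as the current working directory.

```shell
#!/bin/sh
# Added example, not from the thread. /proc/PID/environ holds NAME=value
# records separated by NUL bytes; these helpers read such a file.

# env_value FILE NAME: print NAME's value; return 1 if NAME is not set.
env_value() {
    line=$(tr '\0' '\n' < "$1" | sed -n "/^$2=/{p;q;}")
    [ -n "$line" ] || return 1
    printf '%s\n' "${line#*=}"
}

# has_empty_entry VALUE: succeed if a colon-separated search path contains
# an empty element (leading, trailing or doubled colon = current directory).
has_empty_entry() {
    case "$1" in
        :*|*:|*::*) return 0 ;;
    esac
    return 1
}

# compare_ld_path PARENT_ENV CHILD_ENV
# returns 0 = same value in both, 1 = values differ, 2 = child has none.
compare_ld_path() {
    p=$(env_value "$1" LD_LIBRARY_PATH) || p="<unset>"
    if ! c=$(env_value "$2" LD_LIBRARY_PATH); then
        echo "child: LD_LIBRARY_PATH not set (parent: $p)"
        return 2
    fi
    if has_empty_entry "$c"; then
        echo "child: empty entry in '$c' (loader will search the cwd)"
    fi
    if [ "$p" = "$c" ]; then echo "same: $c"; return 0; fi
    echo "differs: parent=$p child=$c"
    return 1
}

# Constructed sample data: the master value is the one quoted in the thread,
# the child file is a hypothetical imapd environment without the variable.
make_samples() {
    d=$(mktemp -d)
    printf '%s\0' 'USER=root' 'LD_LIBRARY_PATH=/sonicle/lib:' 'SHLVL=1' > "$d/master.environ"
    printf '%s\0' 'USER=sonicle' 'SHLVL=1' > "$d/imapd.environ"
    echo "$d"
}

samples=$(make_samples)
compare_ld_path "$samples/master.environ" "$samples/imapd.environ" || true
rm -rf "$samples"
```

On a live system, run compare_ld_path as root with /proc/PID/environ of master and of a preforked imapd as the two arguments.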
