Running Cyrus Imap under a different user

Simon Matter simon.matter at invoca.ch
Thu Nov 4 05:33:01 EDT 2010


> The system is a Scientific Linux.
> The imapd process just tries to exec and then fails and exit, as you can
> see from the log.
> This happens on any process that master tries to execv (e.g.
> ctl_cyrusdb, imapd and so on).
> Reading around, looks like execv brings all the parent environment, but
> not LD_LIBRARY_PATH,
> for some security reason....
> In my case, to be sure that my daemons always run my own versions of the
> libraries, I just
> compiled BerkeleyDB from sources, into my /sonicle/lib.
> Then I compiled cyrus against it.
> Problem is, if I bring my prebuilt package into another system, and this
> system has different
> versions of my libraries into /usr/lib, execv calls will link into the
> system ones, not mine...
> There must be a way to have everything link into my environment... :(

Hm, maybe RPATH is the solution
http://en.wikipedia.org/wiki/Rpath_%28linking%29

Simon

> -= Mail sent through WebTop2 =-
> ----------------------------------------------------------------------------------
> From: Simon Matter
> To: Gabriele Bulfon
> Cc: Clement Hermann (nodens)
> info-cyrus at lists.andrew.cmu.edu
> Date: 4 November 2010 9.50.00 CET
> Subject: Re: Running Cyrus Imap under a different user
> Thanx, here is the output of master proc, and it looks it has all the
> needed environment:
> =================================================================================
> [sonicle at sl imap]$ ps -ef | fgrep master
> root      3370     1  0 09:26 pts/1    00:00:00 sh /sonicle/scripts/envrun
> /sonicle/bin/master -C /sonicle/etc/imapd.conf -M /sonicle/etc/cyrus.conf
> -p /sonicle/var/run/cyrus-master.pid
> sonicle   3372  3370  0 09:26 pts/1    00:00:00 /sonicle/bin/master -C
> /sonicle/etc/imapd.conf -M /sonicle/etc/cyrus.conf -p
> /sonicle/var/run/cyrus-master.pid
> sonicle   3381  2555  0 09:26 pts/1    00:00:00 fgrep master
> [sonicle at sl imap]$ strings /proc/3372/environ
> strings: /proc/3372/environ: Permission denied
> [sonicle at sl imap]$ sudo strings /proc/3372/environ
> LDFLAGS=-L/sonicle/lib
> MANPATH=/sonicle/man:/sonicle/ssl/man:
> HOSTNAME=sl.sonicle.com
> SHELL=/bin/bash
> TERM=xterm
> HISTSIZE=1000
> CPPFLAGS=-I/sonicle/include
> USER=root
> LD_LIBRARY_PATH=/sonicle/lib:
> I don't know if it hurts but that should really be
> LD_LIBRARY_PATH=/sonicle/lib
> LS_COLORSo=00:fi=00:di=01;34:ln=00;36:pi=40;33:so=00;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi=01;05;37;41:ex=00;32:*.cmd=00;32:*.exe=00;32:*.com=00;32:*.btm=00;32:*.bat=00;32:*.sh=00;32:*.csh=00;32:*.tar=00;31:*.tgz=00;31:*.arj=00;31:*.taz=00;31:*.lzh=00;31:*.zip=00;31:*.z=00;31:*.Z=00;31:*.gz=00;31:*.bz2=00;31:*.bz=00;31:*.tz=00;31:*.rpm=00;31:*.cpio=00;31:*.jpg=00;35:*.gif=00;35:*.bmp=00;35:*.xbm=00;35:*.xpm=00;35:*.png=00;35:*.tif=00;35:
> SUDO_USER=sonicle
> SUDO_UID=501
> CXXFLAGS=-I/sonicle/include
> USERNAME=root
> PATH=/sonicle/scripts:/sonicle/sbin:/sonicle/java/bin:/sonicle/bin:/sonicle/bacula/etc:/sonicle/mysql/bin:/usr/bin:/bin
> MAIL=/var/spool/mail/sonicle
> SUDO=sudo
> PWD=/sonicle/var/log/imap
> INPUTRC=/etc/inputrc
> LANG=en_US.UTF-8
> SHLVL=1
> SUDO_COMMAND=/sonicle/scripts/envrun /sonicle/bin/master -C
> /sonicle/etc/imapd.conf -M /sonicle/etc/cyrus.conf -p
> /sonicle/var/run/cyrus-master.pid
> HOME=/home/sonicle
> TERMINFO=/sonicle/lib/terminfo
> CFLAGS=-I/sonicle/include
> LOGNAME=root
> PGDATA=/sonicle/pgdata
> SUDO_GID=501
> _=/sonicle/bin/master
> =====================================================================
> I tried connecting to local port 143, it connects and then waits forever.
> After that, I get this into imapd.log :
> Nov  4 09:24:55 sl master[3341]: about to exec /sonicle/bin/imapd
> Nov  4 09:24:55 sl imap[3341]: incorrect version of Berkeley db: compiled
> against 4.8.30, linked against 4.3.29
> Nov  4 09:24:55 sl imap[3341]: Fatal error: wrong db version
> Nov  4 09:24:55 sl master[2581]: process 3341 exited, signaled to death by
> 11
> Nov  4 09:24:55 sl master[2581]: service imap pid 3341 in READY state:
> terminated abnormally
> And then many retries....
> To me, looks like imapd has no more my LD_LIBRARY_PATH (master has it).
> That's why I asked for the environment dump on an imapd process. Please
> check it because there you will see what LD_LIBRARY_PATH looks like.
> If it's difficult to get a long running imapd process you could use a
> preforked cyrus.conf for that.
> Simon
> -= Mail sent through WebTop2 =-
> ----------------------------------------------------------------------------------
> From: Simon Matter
> To: Gabriele Bulfon
> Cc: Clement Hermann (nodens)
> info-cyrus at lists.andrew.cmu.edu
> Date: 4 November 2010 7.11.08 CET
> Subject: Re: Running Cyrus Imap under a different user
> Thanx, I understand what you mean, but I'm also supposed to stop and start
> the same daemon
> from this user again, manually, without su.
> I already solved the sudo problem, by wrapping the master launch inside a
> shell that will
> set the environment for it, and in fact it does.
> What happens is later, when master forks and changes user.
> Why is it again losing my environment?
> That's really interesting because in my tests it seems to have worked.
> Could you show us "strings /proc/
> /environ" and "strings
> /proc/
> /environ"?
> BTW, are you running Linux or another *X?
> Simon
> I just want the binaries to override system libs with mine :)
> (of course I could set system environment inside master profile or
> elsewhere, but this is not what I want to do. I can't touch any root
> system behaviour)
> Thanx again :)
> Gabriele.
> -= Mail sent through WebTop2 =-
> ----------------------------------------------------------------------------------
> From: Clement Hermann (nodens)
> To: info-cyrus at lists.andrew.cmu.edu
> Date: 3 November 2010 20.59.53 CET
> Subject: Re: Running Cyrus Imap under a different user
> On 03/11/2010 18:03, Gabriele Bulfon wrote:
> Thanx for the quick reply ;)
> Yes, environment is correctly exported.
> Maybe there is something I can tell to Linux so that it gives my
> environment to anyone
> changing user to myuser?
> You are not supposed to use sudo to do this. The correct way is to login
> as root (or change identity via su -, or let init run the init script
> for you at startup), and launch the init script to start cyrus master,
> which will drop privileges when forking to child processes (imapd,
> pop3d, etc).
> sudo *will* remove some environment variables, as a security measure.
> It could be that the best way to achieve what you want is to modify an
> existing binary package of cyrus imapd for your distribution, modifying
> only the user-related configure options and configuration scripts.
> Cheers,
> --
> Clement Hermann (nodens)
> - "Fresh air? Isn't that in RL? Isn't that off-charter?"
> Jean in L'Histoire des Pingouins, http://tnemeth.free.fr/fmbl/linuxsf/
> Please find my public key on the public keyserver pgp.mit.edu.
> ----
> Cyrus Home Page: http://www.cyrusimap.org/
> List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
>
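
Added example, not part of the original thread: the trailing colon in `LD_LIBRARY_PATH=/sonicle/lib:` that Simon queries creates an empty entry, which `ld.so` treats as the current working directory. The sketch below flags such entries in an `LD_LIBRARY_PATH` value or in an RPATH/RUNPATH read from `readelf -d`; the function names and the sample `readelf` output are constructed for illustration.

```shell
#!/bin/sh
# An RPATH is embedded at link time, for example:
#   LDFLAGS='-L/sonicle/lib -Wl,-rpath,/sonicle/lib'
# and read back with: readelf -d /sonicle/bin/imapd

# Print the RPATH/RUNPATH value found in `readelf -d` output on stdin.
extract_rpath() {
    sed -nE 's/.*\((RPATH|RUNPATH)\).*\[(.*)\].*/\2/p'
}

# Print space-separated findings for a colon-separated search path.
audit_search_path() {
    path=$1
    findings=""
    [ -n "$path" ] || return 0
    rest="$path:"            # sentinel colon keeps a trailing empty entry
    while [ -n "$rest" ]; do
        dir=${rest%%:*}
        rest=${rest#*:}
        case $dir in
            "") findings="$findings empty-entry(cwd)" ;;
            '$ORIGIN'*|'${ORIGIN}'*) ;;   # resolved relative to the binary
            /*) if [ -d "$dir" ] &&
                   [ -n "$(find "$dir" -maxdepth 0 -perm -0002 2>/dev/null)" ]; then
                    findings="$findings world-writable:$dir"
                fi ;;
            *)  findings="$findings relative:$dir" ;;
        esac
    done
    echo "${findings# }"
}

# Constructed sample of `readelf -d` output (not taken from the thread).
SAMPLE_READELF=' 0x0000000000000001 (NEEDED)   Shared library: [libdb-4.8.so]
 0x000000000000000f (RPATH)    Library rpath: [/sonicle/lib]'

echo "LD_LIBRARY_PATH from the thread: $(audit_search_path '/sonicle/lib:')"
echo "sample RPATH: $(printf '%s\n' "$SAMPLE_READELF" | extract_rpath)"
```

An empty result from `audit_search_path` means every entry is an absolute directory that is either absent or not world-writable.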