Running Cyrus Imap under a different user

Gabriele Bulfon gbulfon at sonicle.com
Thu Nov 4 05:43:07 EDT 2010


Thanx Simon, I will consider your suggestion after trying another step.
I tried this:
[sonicle at sl cyrus-imapd-2.4.2]$ ldd /sonicle/bin/ctl_cyrusdb
linux-gate.so.1 =>  (0x0047d000)
libsasl2.so.2 => /sonicle/lib/libsasl2.so.2 (0x00ee9000)
libgssapi_krb5.so.2 => /sonicle/lib/libgssapi_krb5.so.2 (0x00d64000)
libkrb5.so.3 => /sonicle/lib/libkrb5.so.3 (0x00110000)
libk5crypto.so.3 => /sonicle/lib/libk5crypto.so.3 (0x00446000)
libcom_err.so.3 => /sonicle/lib/libcom_err.so.3 (0x00a92000)
libkrb5support.so.0 => /sonicle/lib/libkrb5support.so.0 (0x00c48000)
libresolv.so.2 => /lib/libresolv.so.2 (0x00cf8000)
libssl.so.0.9.8 => /sonicle/lib/libssl.so.0.9.8 (0x001d4000)
libcrypto.so.0.9.8 => /sonicle/lib/libcrypto.so.0.9.8 (0x0021a000)
libdb-4.3.so => /lib/libdb-4.3.so (0x07345000)
libz.so.1 => /sonicle/lib/libz.so.1 (0x00361000)
libc.so.6 => /lib/libc.so.6 (0x007bd000)
libdl.so.2 => /lib/libdl.so.2 (0x00918000)
libpthread.so.0 => /lib/libpthread.so.0 (0x0094a000)
/lib/ld-linux.so.2 (0x0079e000)
As you can see, all my libraries are considered (instead of system ones) but not libdb (libdb-4.3.so => /lib/libdb-4.3.so). This sounds strange as I compiled with --with-bdb=/sonicle, and actually the errors in imapd state that the binaries were compiled against libdb-4.8.30 (my /sonicle/lib one) but linking against libdb-4.3... I'm confused...
-= Mail sent through WebTop2 =-
----------------------------------------------------------------------------------
From: Simon Matter
To: Gabriele Bulfon
Cc: Clement Hermann (nodens)
info-cyrus at lists.andrew.cmu.edu
Date: 4 November 2010 10.33.01 CET
Subject: Re: Running Cyrus Imap under a different user
The system is a Scientific Linux.
The imapd process just tries to exec and then fails and exit, as you can
see from the log.
This happens on any process that master tries to execv (e.g.
ctl_cyrusdb, imapd and so on).
Reading around, looks like execv brings all the parent environment, but
not LD_LIBRARY_PATH,
for some security reason....
In my case, to be sure that my daemons always run my own versions of the
libraries, I just
compiled BerkeleyDB from sources, into my /sonicle/lib.
Then I compiled cyrus against it.
Problem is, if I bring my prebuilt package into another system, and this
system has different
versions of my libraries into /usr/lib, execv calls will link into the
system ones, not mine...
There must be a way to have everything link into my environment... :(
Hm, maybe RPATH is the solution
http://en.wikipedia.org/wiki/Rpath_%28linking%29
Simon
----------------------------------------------------------------------------------
From: Simon Matter
To: Gabriele Bulfon
Cc: Clement Hermann (nodens)
info-cyrus at lists.andrew.cmu.edu
Date: 4 November 2010 9.50.00 CET
Subject: Re: Running Cyrus Imap under a different user
Thanx, here is the output of master proc, and it looks it has all the
needed environment:
=================================================================================
[sonicle at sl imap]$ ps -ef | fgrep master
root      3370     1  0 09:26 pts/1    00:00:00 sh /sonicle/scripts/envrun
/sonicle/bin/master -C /sonicle/etc/imapd.conf -M /sonicle/etc/cyrus.conf
-p /sonicle/var/run/cyrus-master.pid
sonicle   3372  3370  0 09:26 pts/1    00:00:00 /sonicle/bin/master -C
/sonicle/etc/imapd.conf -M /sonicle/etc/cyrus.conf -p
/sonicle/var/run/cyrus-master.pid
sonicle   3381  2555  0 09:26 pts/1    00:00:00 fgrep master
[sonicle at sl imap]$ strings /proc/3372/environ
strings: /proc/3372/environ: Permission denied
[sonicle at sl imap]$ sudo strings /proc/3372/environ
LDFLAGS=-L/sonicle/lib
MANPATH=/sonicle/man:/sonicle/ssl/man:
HOSTNAME=sl.sonicle.com
SHELL=/bin/bash
TERM=xterm
HISTSIZE=1000
CPPFLAGS=-I/sonicle/include
USER=root
LD_LIBRARY_PATH=/sonicle/lib:
I don't know if it hurts but that should really be
LD_LIBRARY_PATH=/sonicle/lib
LS_COLORSo=00:fi=00:di=01;34:ln=00;36:pi=40;33:so=00;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi=01;05;37;41:ex=00;32:*.cmd=00;32:*.exe=00;32:*.com=00;32:*.btm=00;32:*.bat=00;32:*.sh=00;32:*.csh=00;32:*.tar=00;31:*.tgz=00;31:*.arj=00;31:*.taz=00;31:*.lzh=00;31:*.zip=00;31:*.z=00;31:*.Z=00;31:*.gz=00;31:*.bz2=00;31:*.bz=00;31:*.tz=00;31:*.rpm=00;31:*.cpio=00;31:*.jpg=00;35:*.gif=00;35:*.bmp=00;35:*.xbm=00;35:*.xpm=00;35:*.png=00;35:*.tif=00;35:
SUDO_USER=sonicle
SUDO_UID=501
CXXFLAGS=-I/sonicle/include
USERNAME=root
PATH=/sonicle/scripts:/sonicle/sbin:/sonicle/java/bin:/sonicle/bin:/sonicle/bacula/etc:/sonicle/mysql/bin:/usr/bin:/bin
MAIL=/var/spool/mail/sonicle
SUDO=sudo
PWD=/sonicle/var/log/imap
INPUTRC=/etc/inputrc
LANG=en_US.UTF-8
SHLVL=1
SUDO_COMMAND=/sonicle/scripts/envrun /sonicle/bin/master -C
/sonicle/etc/imapd.conf -M /sonicle/etc/cyrus.conf -p
/sonicle/var/run/cyrus-master.pid
HOME=/home/sonicle
TERMINFO=/sonicle/lib/terminfo
CFLAGS=-I/sonicle/include
LOGNAME=root
PGDATA=/sonicle/pgdata
SUDO_GID=501
_=/sonicle/bin/master
=====================================================================
I tried connecting to local port 143, it connects and then waits forever.
After that, I get this into imapd.log :
Nov  4 09:24:55 sl master[3341]: about to exec /sonicle/bin/imapd
Nov  4 09:24:55 sl imap[3341]: incorrect version of Berkeley db: compiled
against 4.8.30, linked against 4.3.29
Nov  4 09:24:55 sl imap[3341]: Fatal error: wrong db version
Nov  4 09:24:55 sl master[2581]: process 3341 exited, signaled to death by
11
Nov  4 09:24:55 sl master[2581]: service imap pid 3341 in READY state:
terminated abnormally
And then many retries....
To me, looks like imapd has no more my LD_LIBRARY_PATH (master has it).
That's why I asked for the environment dump on an imapd process. Please
check it because there you will see how LD_LIBRARY_PATH looks like.
If it's difficult to get a long running imapd process you could use a
preforked cyrus.conf for that.
Simon
----------------------------------------------------------------------------------
From: Simon Matter
To: Gabriele Bulfon
Cc: Clement Hermann (nodens)
info-cyrus at lists.andrew.cmu.edu
Date: 4 November 2010 7.11.08 CET
Subject: Re: Running Cyrus Imap under a different user
Thanx, I understand what you mean, but I'm also supposed to stop and start
the same daemon
from this user again, manually, without su.
I already solved the sudo problem, by wrapping the master launch inside a
shell that will
set the environment for it, and in fact it does.
What happens is later, when master forks and changes user.
Why is it again losing my environment?
That's really interesting because in my tests it seems to have worked.
Could you show us "strings /proc/
/environ" and "strings
/proc/
/environ"?
BTW, are you running Linux or another *X?
Simon
I just want the binaries to override system libs with mine :)
(of course I could set system environment inside master profile or
elsewhere, but this is not what I want to do. I can't touch any root
system behaviour)
Thanx again :)
Gabriele.
----------------------------------------------------------------------------------
From: Clement Hermann (nodens)
To: info-cyrus at lists.andrew.cmu.edu
Date: 3 November 2010 20.59.53 CET
Subject: Re: Running Cyrus Imap under a different user
On 03/11/2010 18:03, Gabriele Bulfon wrote:
Thanx for the quick reply ;)
Yes, environment is correctly exported.
Maybe there is something I can tell to Linux so that it gives my
environment to anyone
changing user to myuser?
You are not supposed to use sudo to do this. The correct way is to login
as root (or change identity via su -, or let init run the init script
for you at startup), and launch the init script to start cyrus master,
which will drop privileges when forking to child processes (imapd,
pop3d, etc).
sudo *will* remove some environment variables, as a security measure.
It could be that the best way to achieve what you want is to modify an
existing binary package of cyrus imapd for your distribution, modifying
only the user-related configure options and configuration scripts.
Cheers,
--
Clement Hermann (nodens)
- "Fresh air? Isn't that in RL? Isn't that off-charter?"
Jean in L'Histoire des Pingouins, http://tnemeth.free.fr/fmbl/linuxsf/
Please find my public key on the public keyserver pgp.mit.edu.
----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.andrew.cmu.edu/pipermail/info-cyrus/attachments/20101104/89e07515/attachment.html 
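
Two checks from the thread can be run mechanically: the trailing colon Simon points out in LD_LIBRARY_PATH, and the ldd listing in which libdb resolves outside /sonicle. The script below is an added example, not code from the thread or from Cyrus; the function names are hypothetical and the sample is an excerpt of the ldd listing quoted above.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Print each unsafe entry of an LD_LIBRARY_PATH-style value: "<empty>" for a
# zero-length entry (ld.so reads it as the current working directory) and
# any entry that is not an absolute path.
audit_ld_path() {
    printf '%s\n' "$1" | awk -F: '{
        for (i = 1; i <= NF; i++) {
            if ($i == "") print "<empty>"
            else if ($i !~ /^\//) print $i
        }
    }'
}

# Read ldd output on stdin; print "soname path" for each dependency that
# resolved to a file outside the prefix given as $1.
libs_outside_prefix() {
    awk -v prefix="$1" '
        $2 == "=>" && $3 ~ /^\// && index($3, prefix "/") != 1 { print $1, $3 }'
}

# Read ldd output on stdin; print sonames resolved outside prefix $1 although
# directory $2 ships a library of the same family (libdb-*, libssl.*, ...).
bypassed_bundled_libs() {
    libs_outside_prefix "$1" | while read -r soname _path; do
        stem=${soname%%[-.]*}                 # libdb-4.3.so -> libdb
        for f in "$2/$stem"[-.]*; do
            if [ -e "$f" ]; then echo "$soname"; break; fi
        done
    done
}

# Excerpt of the ldd listing quoted in the thread.
SAMPLE_LDD='linux-gate.so.1 =>  (0x0047d000)
libssl.so.0.9.8 => /sonicle/lib/libssl.so.0.9.8 (0x001d4000)
libdb-4.3.so => /lib/libdb-4.3.so (0x07345000)
libc.so.6 => /lib/libc.so.6 (0x007bd000)
/lib/ld-linux.so.2 (0x0079e000)'

audit_ld_path "/sonicle/lib:"        # value from the environment dump
printf '%s\n' "$SAMPLE_LDD" | libs_outside_prefix /sonicle
# On the real host: ldd /sonicle/bin/imapd | bypassed_bundled_libs /sonicle /sonicle/lib
```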

