sympa daemons to support users with multiple groups

[eiro]

the problem and the questions related to it was posted on the list (https://listes.renater.fr/sympa/arc/sympa-developpers/2018-01/msg00008.html)

this patch isn't complete does only fix the problem for only one daemon but at least it point it out and provides a way to fix it.

0001-when-the-sympa-user-is-member-of-more-than-one-group.patch.txt

[eiro]

informations about the way i installed and started sympa (from an up and running debian buster)

$ g clone git@github.com:sympa-community/sympa
$ id
uid=1001(mc) gid=100(users) groups=100(users),27(sudo),105(sympalpha),115(sympa)
$ sudo install -o mc -g sympalpha -d /opt/sympalpha
$ autoreconf -i
$ ./configure
--prefix=/opt/sympalpha
--with-group=sympalpha
--with-user=mc
--without-initdir
--without-smrshdir
--disable-smtpc
--disable-fhs
--disable-dependency-tracking
--with-confdir=/opt/sympalpha/etc
--with-unitsdir=/opt/sympalpha/services

tmux new /opt/sympalpha/bin/archived.pl -d

[racke]

On 01/10/2018 04:30 PM, Marc Chantreux wrote: informations about the way i installed and started sympa (from an up and running debian buster) $ g clone ***@***.*** ***@***.***>:sympa-community/sympa $ id uid=1001(mc) gid=100(users) groups=100(users),27(sudo),105(sympalpha),115(sympa) $ sudo install -o mc -g sympalpha -d /opt/sympalpha $ autoreconf -i $ ./configure --prefix=/opt/sympalpha --with-group=sympalpha --with-user=mc --without-initdir --without-smrshdir --disable-smtpc --disable-fhs --disable-dependency-tracking --with-confdir=/opt/sympalpha/etc --with-unitsdir=/opt/sympalpha/services — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#160 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAIxPlE4m3A-8bKkQmsEAwcLaY9DiSSDks5tJNd_gaJpZM4RZZNE>.

Hello Marc, what was the error message on the startup of the Sympa daemons? Regards Racke

…

-- Ecommerce and Linux consulting + Perl and web application programming. Debian and Sympa administration. Provisioning with Ansible.

[ikedas]

On Wed, 10 Jan 2018 07:30:07 -0800 Marc Chantreux ***@***.***> wrote: informations about the way i installed and started sympa (from an up and running debian buster) $ g clone ***@***.***:sympa-community/sympa $ id uid=1001(mc) gid=100(users) groups=100(users),27(sudo),105(sympalpha),115(sympa) $ sudo install -o mc -g sympalpha -d /opt/sympalpha $ autoreconf -i $ ./configure \ --prefix=/opt/sympalpha \ --with-group=sympalpha \ --with-user=mc \ --without-initdir \ --without-smrshdir \ --disable-smtpc \ --disable-fhs \ --disable-dependency-tracking \ --with-confdir=/opt/sympalpha/etc \ --with-unitsdir=/opt/sympalpha/services

I couldn't reproduce. (In below, Sympa was built with default user and group) 1. `sympa` user has primary group `sympa` only: ``` bash $ id sympa uid=106(sympa) gid=112(sympa) groups=112(sympa) $ sudo /usr/sbin/task_manager.pl (No error) ``` 2. `sympa` user has a supplemental group: ``` $ sudo /usr/sbin/usermod -G apache sympa $ sudo /usr/sbin/task_manager.pl (No error) ``` 3. `sympa` user has the other primary group and supplemental `sympa` group: ``` $ sudo /usr/sbin/usermod -g apache -G sympa sympa $ sudo /usr/sbin/task_manager.pl (No error) ```

[racke]

Marc, please add the error message from Sympa startup to this issue.

[eiro]

hello racke, and thanks for helping

Hello Marc, what was the error message on the startup of the Sympa daemons?

as i wanted to be clear, i started from the very begining g clone sympa:sympa ./sympa g co sympa-6.2 autoreconf -i ./configure \ --prefix=/opt/sympalpha \ --with-group=sympalpha \ --with-user=mc \ --without-initdir \ --without-smrshdir \ --disable-smtpc \ --disable-fhs \ --disable-dependency-tracking \ --with-confdir=/opt/sympalpha/etc \ --with-unitsdir=/opt/sympalpha/services make make install /opt/sympalpha/bin/archived.pl -d i get notice Sympa::Process::write_pid() Previous process 19804 died suddenly; notifying listmaster notice Sympa::Spindle::ProcessTemplate::_twist() Processing Sympa::Message::Template <sympa@actions.example.com.org.1516110595.19814,3251>; envelope_sender=sympa-request@actions.example.com.org; message_id=sympa.1516110595.19814.185@actions.example.com.org; recipients=ARRAY; sender=sympa@actions.example.com.org; template=listmaster_notification; type=crash notice Sympa::Mailer::store() Done sending message Sympa::Message::Template <sympa@actions.example.com.org.1516110595.19814,3251> for * (priority 1) in 0 seconds since scheduled expedition date info main:: Configuration file read, log level set using options : 2 command failed: 550 Invalid recipient err main::#129 DIED: Failed to change process user ID and group ID. Note that on some OS Perl scripts can't change their real UID. In such circumstances Sympa should be run via sudo. err main::#129 Child process 19817 for <sympa@actions.example.com.org.1516110595.19814,3251> exited with status 70 DIED: Failed to change process user ID and group ID. Note that on some OS Perl scripts can't change their real UID. In such circumstances Sympa should be run via sudo. at /opt/sympalpha/bin/archived.pl line 129. so i add this line just before the condition die "UID = $UID, GID = $GID"; then i get info main:: Configuration file read, log level set using options : 2 UID = 1001, GID = 100 27 100 105 115 at /opt/sympalpha/bin/archived.pl line 128. as ou see: GID is a string with all GIDs separated by a space. this was made on a debian buster with a debian perl. regards marc

[eiro]

On Sun, Jan 14, 2018 at 07:10:09AM +0000, IKEDA Soji wrote: I couldn't reproduce.

happy you :) maybe you should use the same env i have (debian buster). regards, marc

[ikedas]

Marc, did you invoke the daemon with superuser (root)? If you didn’t, do:

sudo /path/to/archived.pl -d

Regards, 2018/01/16 23:09、Marc Chantreux <notifications@github.com>のメール:

…

hello racke, and thanks for helping > Hello Marc, > what was the error message on the startup of the Sympa daemons? as i wanted to be clear, i started from the very begining g clone sympa:sympa ./sympa g co sympa-6.2 autoreconf -i ./configure \ --prefix=/opt/sympalpha \ --with-group=sympalpha \ --with-user=mc \ --without-initdir \ --without-smrshdir \ --disable-smtpc \ --disable-fhs \ --disable-dependency-tracking \ --with-confdir=/opt/sympalpha/etc \ --with-unitsdir=/opt/sympalpha/services make make install /opt/sympalpha/bin/archived.pl -d i get notice Sympa::Process::write_pid() Previous process 19804 died suddenly; notifying listmaster notice Sympa::Spindle::ProcessTemplate::_twist() Processing Sympa::Message::Template ***@***.***,3251>; ***@***.***; ***@***.***; recipients=ARRAY; ***@***.***; template=listmaster_notification; type=crash notice Sympa::Mailer::store() Done sending message Sympa::Message::Template ***@***.***,3251> for * (priority 1) in 0 seconds since scheduled expedition date info main:: Configuration file read, log level set using options : 2 command failed: 550 Invalid recipient err main::#129 DIED: Failed to change process user ID and group ID. Note that on some OS Perl scripts can't change their real UID. In such circumstances Sympa should be run via sudo. err main::#129 Child process 19817 for ***@***.***,3251> exited with status 70 DIED: Failed to change process user ID and group ID. Note that on some OS Perl scripts can't change their real UID. In such circumstances Sympa should be run via sudo. at /opt/sympalpha/bin/archived.pl line 129. so i add this line just before the condition die "UID = $UID, GID = $GID"; then i get info main:: Configuration file read, log level set using options : 2 UID = 1001, GID = 100 27 100 105 115 at /opt/sympalpha/bin/archived.pl line 128. as ou see: GID is a string with all GIDs separated by a space. this was made on a debian buster with a debian perl. regards marc — You are receiving this because you commented. Reply to this email directly, view it on GitHub, or mute the thread.

[ikedas]

Marc, could you please tell us how did you invoke the daemon?

[ikedas]

Daemons of current version of Sympa can be invoked in either of following two manners.

• Daemons of Sympa typically are changed user/group to an unprivileged user. By this reason, in many cases they are invoked by root, and several binary distributions disable login shell of this user to ensure restriction of privilege.
• To apply similar restriction, daemons also may be directly invoked by an unprivileged user. However, in this case the user should have uid and primary group dedicated to Sympa. It looks making sense for me.

In conclusion, I think reported behavior was caused by the usage that was not expected by the design: Invokation by the user whose privilege was not restricted enough. I think this issue would be better to be closed with wontfix label.

[eiro]

hello Soji and thanks for your replies,

i missed them so i didn't answer. this is correct: i can run sympa as root and it worked as expected. this bug should be closed.

[ikedas]

@eiro, Please feel free to close. I have no objection.