Mailing List Archive

Exim and file access right
Hello,

I'm writing to you because of a problem I can't solve through searching the
web or reading the Exim documentation.

Exim uses my certificate and its private key. That data (at least the
private key) is precious and therefore not world-readable on my host. The
file access rights are 640 with u=root and g=privkey_users. The group
privkey_users is an additional group with members Debian-exim, dovecot and
nginx because they all need access to those files. That has worked for a year
now for Exim as a server.

So now I want Exim as a client to present the certificates too, but Exim
fails to load the files when trying to connect to a TLS-enabled host (the mainlog
says "Error while reading file."). Changing the file access rights to 644
*or* chown :Debian-exim makes it work again. But neither is OK, because it
either exposes the files too much or makes them inaccessible for the other
applications.

From chapter 55 of the Exim documentation I see that Exim delivery drops
rights which it has as a server, but I don't fully understand it - or I
don't understand Unix access rights. With the user Debian-exim a member of
privkey_users, why can't it read files with access rights for the group
privkey_users?

Regards,
Arno
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: Exim and file access right
On 2019-05-19 16:05, Arno Thuber wrote:

> Exim uses my certificate and its private key. That data (at least
> the private key) is precious and therefore not world-readable on my
> host. The file access rights are 640 with u=root and
> g=privkey_users. The group privkey_users is an additional group with
> members Debian-exim, dovecot and nginx because they all need access to
> those files. That has worked for a year now for Exim as a server.
>
> So now I want Exim as a client to present the certificates too, but
> Exim fails to load the files when trying to connect to a TLS-enabled host
> (the mainlog says "Error while reading file."). Changing the file access
> rights to 644 *or* chown :Debian-exim makes it work again. But neither
> is OK, because it either exposes the files too much or makes them
> inaccessible for the other applications.
>
> From chapter 55 of the Exim documentation I see that Exim delivery
> drops rights which it has as a server, but I don't fully understand it
> - or I don't understand Unix access rights. With the user Debian-exim
> a member of privkey_users, why can't it read files with access rights for
> the group privkey_users?

What is the primary group of the user ID Debian-exim? I think what you
report would happen if that group were something other than Debian-exim.

--
Please don't Cc: me privately on mailing lists and Usenet,
if you also post the followup to the list or newsgroup.
To reply privately _only_ on Usenet and on broken lists
which rewrite From, fetch the TXT record for no-use.mooo.com.

Re: Exim and file access right
On Sun, May 19, 2019 at 04:05:20PM +0200, Arno Thuber via Exim-users wrote:
> From chapter 55 of the Exim documentation I see that Exim delivery drops
> rights which it has as a server, but I don't fully understand it - or I
> don't understand Unix access rights. With the user Debian-exim a member of
> privkey_users, why can't it read files with access rights for the group
> privkey_users?

Unix group membership, as defined by /etc/group, is set on the process
via the setgroups(2) syscall. For an interactive process it is executed by the
program which starts the user session (getty, login, sshd, etc.), in addition
to establishing the user's uid and gid.

If setgroups(2) is not called before setuid(2) and setgid(2), then the
process does not receive the additional group membership. I suspect
Exim simply changes the uid and gid for its child processes.
--
Eugene Berdnikov

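The two mechanisms Eugene describes, shown as an added example that is not part of this thread or of the Exim source. The first function models the classic Unix permission check for a read (owner class if the uids match, otherwise group class if the primary gid or any supplementary group matches, otherwise other; root's CAP_DAC_OVERRIDE and ACLs are ignored). The second is a privilege-drop routine with the ordering that matters here: the group list has to be set with initgroups(3), or explicitly emptied with setgroups(2), before setgid(2) and setuid(2), because an unprivileged process can no longer change its groups. The program name, the numeric uids and gids in the comments and the command line are assumptions; the user and group names are the ones from Arno's post.

```c
/* Added example (not from the thread or from Exim). Models the file
 * permission check and demonstrates a correct privilege-drop order.
 * Build: cc -Wall -o dropgroups dropgroups.c   (name is an assumption) */
#define _DEFAULT_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Classic Unix read-access decision, ignoring CAP_DAC_OVERRIDE and ACLs.
 * Exactly one permission class applies: owner if the uids match, otherwise
 * group if the primary gid or any supplementary group matches the file's
 * group, otherwise other. Returns 1 if readable, 0 if not. */
int can_read(mode_t mode, uid_t file_uid, gid_t file_gid,
             uid_t uid, gid_t gid, const gid_t *groups, int ngroups)
{
    if (uid == file_uid)
        return (mode & 0400) != 0;
    int in_group = (gid == file_gid);
    for (int i = 0; i < ngroups && !in_group; i++)
        in_group = (groups[i] == file_gid);
    if (in_group)
        return (mode & 0040) != 0;
    return (mode & 0004) != 0;
}

/* Drop privileges to `user`. Groups are changed *before* setuid():
 * once the uid is unprivileged, initgroups()/setgroups() fail with EPERM.
 * keep_supplementary=1 corresponds to Exim's transport option
 * initgroups=true; 0 corresponds to the default, but still empties the
 * list rather than silently inheriting the parent's groups.
 * Returns 0 on success, a negative step number on failure (errno is set). */
int drop_to_user(const char *user, int keep_supplementary)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL) return -1;
    if (keep_supplementary) {
        if (initgroups(pw->pw_name, pw->pw_gid) != 0) return -2;
    } else {
        if (setgroups(0, NULL) != 0) return -2;
    }
    if (setgid(pw->pw_gid) != 0) return -3;
    if (setuid(pw->pw_uid) != 0) return -4;
    /* Verify the drop took effect and that root cannot be regained. */
    if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid) return -5;
    if (pw->pw_uid != 0 && setuid(0) == 0) return -6;
    return 0;
}

/* Is `target` among this process's current supplementary groups? */
int has_supplementary_group(gid_t target)
{
    int n = getgroups(0, NULL);
    if (n <= 0) return 0;
    gid_t *list = calloc((size_t)n, sizeof *list);
    if (list == NULL) return 0;
    n = getgroups(n, list);
    int found = 0;
    for (int i = 0; i < n; i++)
        if (list[i] == target) found = 1;
    free(list);
    return found;
}

int main(int argc, char **argv)
{
    /* Run as root: ./dropgroups Debian-exim privkey_users [initgroups]
     * With the third argument present the drop keeps supplementary
     * groups; without it the process ends up with uid and gid only. */
    if (argc < 3) {
        fprintf(stderr, "usage: %s user group [initgroups]\n", argv[0]);
        return 2;
    }
    struct group *gr = getgrnam(argv[2]);
    if (gr == NULL) { perror("getgrnam"); return 2; }
    int rc = drop_to_user(argv[1], argc > 3);
    if (rc != 0) { perror("drop_to_user"); return 1; }
    printf("uid=%u gid=%u member of %s: %s\n",
           (unsigned)getuid(), (unsigned)getgid(), argv[2],
           has_supplementary_group(gr->gr_gid) ? "yes" : "no");
    return 0;
}
```

Run as root with and without the third argument and the "member of privkey_users" line flips from "no" to "yes"; that is the whole difference between the failing and the working delivery process. The same list can be inspected for a live Exim child on Linux in the Groups: line of /proc/PID/status.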
Re: Exim and file access right
On 2019-05-19 at 16:05 +0200, Arno Thuber via Exim-users wrote:
> From chapter 55 of the Exim documentation I see that Exim delivery drops
> rights which it has as a server, but I don't fully understand it - or I
> don't understand Unix access rights. With the user Debian-exim a member of
> privkey_users, why can't it read files with access rights for the group
> privkey_users?

<http://www.exim.org/exim-html-current/doc/html/spec_html/ch-generic_options_for_transports.html>

initgroups Use: transports Type: boolean Default: false

If this option is true and the uid for the delivery process is
provided by the transport, the initgroups() function is called when
running the transport to ensure that any additional groups associated
with the uid are set up.

Turn on that _Transport_ option for the transport which needs to read
the key file.

-Phil

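What Phil's advice looks like in a transport definition, as an added example that is not taken from the thread or from the Exim distribution. The transport name, the certificate and key paths and the file ownership are assumptions; the option names are the documented smtp transport options. Arno reported that setting initgroups on the transport was enough, so no explicit user option is added here.

```exim
# Added example, not from the thread or from Exim. Client-side TLS on the
# remote SMTP transport, with a key that is root:privkey_users mode 0640.
# Transport name and paths are assumptions.
remote_smtp:
  driver = smtp
  tls_certificate = /etc/exim4/tls/mail.example.org.crt
  tls_privatekey  = /etc/exim4/tls/mail.example.org.key
  # Without this the delivery process carries only the Exim user's uid and
  # primary gid, so the group bit of privkey_users never applies and the
  # key read fails. With it, initgroups() is called for the transport uid.
  initgroups = true
```

Before touching the transport, confirm the membership really exists with `id Debian-exim` (privkey_users must appear in its groups list), and after the change confirm the option is in the running configuration with `exim -bP transport remote_smtp`. Leaving the key at 0640 and using initgroups is preferable to the two workarounds in the original post: 644 exposes the private key to every local user, and chown :Debian-exim breaks the other services that share it.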
Re: Exim and file access right
On May 20, 2019 20:47, Phil Pennock <pdp@exim.org> wrote:

> <http://www.exim.org/exim-html-current/doc/html/spec_html/ch-generic_options_for_transports.html>
>
> initgroups Use: transports Type: boolean Default: false
>
> If this option is true and the uid for the delivery process is
> provided by the transport, the initgroups() function is called when
> running the transport to ensure that any additional groups associated
> with the uid are set up.
>
> Turn on that _Transport_ option for the transport which needs to read
> the key file.
>

Oh man, that did the job. I still find it surprising it's not done
automatically. But I guess there's a reason for it.

Thanks Phil
Re: Exim and file access right
On 25/05/2019 06:33, Arno Thuber via Exim-users wrote:
> Oh man, that did the job. I still find it surprising it's not done
> automatically. But I guess there's a reason for it.

It goes back to at least 1999, in Exim 3.10.
I'd expect there were platforms where using initgroups was
a bad idea.

Cheers,
Jeremy

Re: Exim and file access right
On Sat, May 25, 2019 at 12:11:36PM +0100, Jeremy Harris via Exim-users wrote:
> On 25/05/2019 06:33, Arno Thuber via Exim-users wrote:
> > Oh man, that did the job. I still find it surprising it's not done
> > automatically. But I guess there's a reason for it.
>
> It goes back to at least 1999, in Exim 3.10.
> I'd expect there were platforms where using initgroups was
> a bad idea.

It may be optimization: additional groups are rarely used,
so setting it "off" by default saves at least one syscall.
--
Eugene Berdnikov
