On 07/14/2016 05:19 PM, Fernando Rodriguez wrote:
> On 07/13/2016 01:41 PM, wabe wrote:
>> Fernando Rodriguez <cyklonite@×××××.com> wrote:
>
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA256
>>>
>>> On 07/13/2016 07:10 AM, Alan McKinnon wrote:
>>>> On 12/07/2016 03:47, jens w wrote:
>>>>> .procmailrc
>>>>> :0 c
>>>>> * !^X-Loop: name@×××××××.com
>>>>> | formail -X "From:" | $HOME/bin/script.sh
>>>>>
>>>>> procmail.log
>>>>> procmail: Executing " formail -X "From:" | $HOME/bin/script.sh
>>>>>
>>>>> For incoming mail, a script is executed. The logfile has the same
>>>>> entry as it does for other users, but the script does nothing.
>>>>>
>>>>> How do you execute a command as a nologin user?
>>>>>
>>>>
>>>>
>>>> You can't, not the way you are doing it.
>>>> You want to launch a shell script for the user, but the user's
>>>> shell is /sbin/nologin. This exits immediately without launching
>>>> the script.
>>>>
>>>> Give the user a real shell.
>>>>
>>>> Alan
>>>>
>>>
>>> I've been following this thread and thinking the same thing but
>>> wasn't sure.
>>>
>>> What if you invoke the shell directly instead of the script, either:
>>> /bin/sh -c "<path to script>" or /bin/sh -c "$(cat <script>)"?
>>>
>>> If procmail uses the system() call to launch the script it won't work,
>>> but if it uses fork()/exec() or similar I think that it should work.
>
>> I don't know how procmail is launching scripts, so I don't know if
>> what I say now makes sense. :-)
>
>> I tested whether another regular user (let's call him user1) can execute
>> scripts that are owned by nologinuser. It works as long as the path
>> and the script itself are readable and executable by user1.
>> If the script is writing stuff into /home/nologinuser then it is
>> also necessary that the home directory is writable by user1.
>
>> Of course user1 hasn't executed the script as nologinuser. I don't
>> know if procmail is doing so.
>
>> --
>> Regards
>> wabe
>
>
> Yes, you can execute any scripts as long as you have permissions. A program
> can use the exec() family of functions to do that. But if the program calls
> the system() function or similar it will try to use the user shell to execute
> the command. If the shell is nologin it will refuse to do so.
>
>

That's not actually true either. The system(3) function is defined to
create a child process using fork(2), then execute the specified command
using execl(3) as follows:

execl("/bin/sh", "sh", "-c", command, (char *) 0);

Note that this is not dependent on the user's normal shell; the shell
/bin/sh is *always* used.

--
Jonathan Callen
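The following C program is an added illustration of the point made in the last message and is not code from the thread or from procmail. It runs a command through system(3), runs it again after pointing $SHELL at a nologin shell, and then spawns an explicitly chosen shell with the same fork(2)/execl(3) sequence that system(3) is specified to use, so the reader can compare /bin/sh with the user's login shell from the passwd database. It assumes a POSIX system with /bin/sh; /sbin/nologin is the path assumed in the thread and may not exist on the machine where this is compiled.

```c
/* Added example (not from the thread): show that system(3) hands the
 * command to /bin/sh regardless of the caller's login shell or $SHELL,
 * and contrast it with spawning an explicitly chosen shell. Assumes a
 * POSIX system with /bin/sh; /sbin/nologin is the path assumed in the
 * thread and may not exist on the machine this is run on. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <pwd.h>

/* Run cmd through system(3). Returns the command's exit status, or -1
 * if the child did not exit normally (or the shell could not start). */
int run_via_system(const char *cmd)
{
    int st = system(cmd);
    if (st == -1 || !WIFEXITED(st))
        return -1;
    return WEXITSTATUS(st);
}

/* Same as run_via_system, but with $SHELL pointing at a nologin shell
 * first. If system(3) consulted $SHELL, the command would never run. */
int run_via_system_with_nologin_env(const char *cmd)
{
    setenv("SHELL", "/sbin/nologin", 1);   /* assumed nologin path */
    return run_via_system(cmd);
}

/* fork(2) + execl(3) "<shell> -c cmd", i.e. what system(3) is specified
 * to do, but with the shell chosen by the caller. Returns the exit
 * status, or -1 if the shell could not be exec'd. A command that itself
 * exits 127 is indistinguishable from an exec failure here. */
int run_with_shell(const char *shell, const char *cmd)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl(shell, shell, "-c", cmd, (char *) 0);
        _exit(127);                         /* only reached if exec failed */
    }
    int st;
    if (waitpid(pid, &st, 0) < 0 || !WIFEXITED(st))
        return -1;
    return WEXITSTATUS(st) == 127 ? -1 : WEXITSTATUS(st);
}

/* The login shell recorded for the calling user in the passwd database:
 * this is what login, su or "su -c" would use, and it is the only place
 * where /sbin/nologin actually matters. */
const char *login_shell(void)
{
    struct passwd *pw = getpwuid(getuid());
    return (pw && pw->pw_shell && *pw->pw_shell) ? pw->pw_shell : "(none)";
}

int main(void)
{
    printf("passwd login shell   : %s\n", login_shell());
    printf("system(\"exit 7\")      -> %d\n", run_via_system("exit 7"));
    printf("same, SHELL=nologin  -> %d\n",
           run_via_system_with_nologin_env("exit 7"));
    printf("/bin/sh -c 'exit 7'  -> %d\n", run_with_shell("/bin/sh", "exit 7"));
    /* A nologin shell ignores -c and exits nonzero without running cmd. */
    printf("/sbin/nologin -c ... -> %d\n",
           run_with_shell("/sbin/nologin", "exit 7"));
    return 0;
}
```

Compile with `cc -o sysshell sysshell.c` and run it as the nologin account (for instance via cron or a mail delivery agent, since `su -` will not give you a shell). The first three results come back as 7 whatever the passwd entry says, which is the behaviour the last message describes; only the final line, which deliberately execs the login shell, reflects the nologin setting. To check the same thing from the shell, `strace -f -e trace=execve` on a program calling system(3) shows the `/bin/sh -c` execve directly.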