Gentoo Archives: gentoo-user

From: Alan McKinnon <alan.mckinnon@×××××.com>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] executing a command as a nologin user
Date: Wed, 13 Jul 2016 20:41:57
Message-Id: 5786A785.9030709@gmail.com
In Reply to: Re: [gentoo-user] executing a command as a nologin user by wabe
On 13/07/2016 19:05, wabe wrote:
> Alan McKinnon <alan.mckinnon@×××××.com> wrote:
>
>> On 13/07/2016 18:42, wabe wrote:
>>> Fernando Rodriguez <cyklonite@×××××.com> wrote:
>>>
>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>> Hash: SHA256
>>>>
>>>> On 07/13/2016 07:10 AM, Alan McKinnon wrote:
>>>>> On 12/07/2016 03:47, jens w wrote:
>>>>>> .procmailrc
>>>>>> :0 c
>>>>>> * !^X-Loop: name@×××××××.com
>>>>>> | formail -X "From:" | $HOME/bin/script.sh
>>>>>>
>>>>>> procmail.log
>>>>>> procmail: Executing " formail -X "From:" | $HOME/bin/script.sh
>>>>>>
>>>>>> For incoming mail, a script is executed. The logfile has the same
>>>>>> entry as it does for other users, but the script does nothing.
>>>>>>
>>>>>> How do I execute a command as a nologin user?
>>>>>>
>>>>>
>>>>>
>>>>> You can't, not the way you are doing it.
>>>>> You want to launch a shell script for the user, but the user's
>>>>> shell is /sbin/nologin. This exits immediately without launching
>>>>> the script.
>>>>>
>>>>> Give the user a real shell.
>>>>>
>>>>> Alan
>>>>>
>>>>
>>>> I've been following this thread and thinking the same thing but
>>>> wasn't sure.
>>>
>>> I don't think so. To prove it, I created this user:
>>>
>>> nologinuser:x:1015:1016::/home/nologinuser:/sbin/nologin
>>>
>>> Then I created this script:
>>>
>>> #!/bin/sh
>>> #
>>> date >> /home/nologinuser/envars.txt
>>> echo $HOME >> /home/nologinuser/envars.txt
>>> echo $PATH >> /home/nologinuser/envars.txt
>>> echo "-----------------------" >> /home/nologinuser/envars.txt
>>>
>>> I stored it as /var/script-nologinuser/testscript.sh. I had to store
>>> it at this place because /home is mounted with the noexec option on
>>> my system.
>>>
>>>
>>> Then I created a cronjob for the nologinuser user:
>>>
>>> */2 * * * * /var/script-nologinuser/testscript.sh
>>>
>>>
>>> The result is the file /home/nologinuser/envars.txt with this
>>> content:
>>>
>>> Wed Jul 13 18:10:01 CEST 2016
>>> /home/nologinuser
>>> /usr/bin:/bin
>>> -----------------------
>>> Wed Jul 13 18:12:01 CEST 2016
>>> /home/nologinuser
>>> /usr/bin:/bin
>>> -----------------------
>>>
>>>
>>> The ownership and the rights for /home/nologinuser/,
>>> /var/script-nologinuser/ and /var/script-nologinuser/testscript.sh
>>> are nologinuser:nologinuser and 700.
>>>
>>> So it seems that it is possible to execute scripts without setting
>>> a shell in /etc/passwd.
>>>
>>> I don't know why it doesn't work for jens w.
>>
>>
>> Not so. Your script is launched by cron, running as root. It starts a
>> non-interactive no-login shell (that's why people have infernal
>> trouble with cron, assuming it has a $PATH when it actually has none)
>
> Ok, this seems to make sense. I did another test to make sure that
> it works also when the script isn't executed directly by crontab.
> I'm not sure if this is a real proof, because the "execution chain" is
> started by cron.
>
> I renamed /var/script-nologinuser/testscript.sh to
> /var/script-nologinuser/testscript-2.sh and created a script
> /var/script-nologinuser/testscript.sh with this content:
>
> #!/bin/sh
> #
> /var/script-nologinuser/testscript-2.sh
>
>
> It also worked.


I think in that circumstance, cron forks and execs an sh process in a
non-interactive non-login shell, so it works out OK.

Now to get procmail to do the same

Alan
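The point the thread settles on is that a job runner such as cron does not consult the login-shell field of /etc/passwd at all: it forks `/bin/sh -c '<command>'` itself, with whatever minimal environment the daemon sets, so a `/sbin/nologin` account can still run the job. The script below is an added example written for this archive page, not code from anyone in the thread. It takes a passwd(5) line, reports the shell field and whether it is one of the conventional no-login shells, checks a shell against a shells(5)-style list, and reproduces the cron launch (`env -i` plus `/bin/sh -c`, which is an assumption about how cron behaves, made here for illustration) so that the `$HOME` and `$PATH` values wabe captured can be seen without creating a user or editing a crontab.

```shell
#!/bin/sh
# Added example for the nologin-user thread; not part of the original mail.
# Works on a passwd(5) line passed as a string so it runs without root.

# Print the login-shell field (field 7) of a passwd(5) line.
passwd_shell() {
    printf '%s\n' "$1" | cut -d: -f7
}

# Return 0 if the account's shell is a conventional "no interactive login"
# shell (or the field is empty), 1 otherwise. This is the field that
# login(1) and su(1) honour; cron does not look at it.
is_nologin_shell() {
    case "$(passwd_shell "$1")" in
        /sbin/nologin|/usr/sbin/nologin|/bin/false|/usr/bin/false|"") return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if SHELL is listed, one entry per line, in the shells file
# given as the second argument (defaults to /etc/shells). Tools that
# enforce "valid login shell" semantics consult such a list; /sbin/nologin
# is normally absent from it.
shell_is_listed() {
    grep -qxF -- "$1" "${2:-/etc/shells}"
}

# Reproduce how a cron-style daemon launches a job: it does not run the
# account's login shell, it execs /bin/sh -c with a near-empty environment.
# First argument is the HOME the daemon sets, second is the job command.
run_like_cron() {
    env -i HOME="$1" PATH=/usr/bin:/bin /bin/sh -c "$2"
}

# Constructed sample matching the account wabe created in the thread.
SAMPLE_LINE='nologinuser:x:1015:1016::/home/nologinuser:/sbin/nologin'

if [ "${1:-}" = "--demo" ]; then
    echo "shell field: $(passwd_shell "$SAMPLE_LINE")"
    if is_nologin_shell "$SAMPLE_LINE"; then
        echo "interactive login: blocked by the shell field"
    fi
    echo "what a cron job sees as HOME and PATH:"
    run_like_cron /home/nologinuser 'echo "$HOME"; echo "$PATH"'
fi
```

Run it with `sh example.sh --demo` to see the same `/home/nologinuser` and `/usr/bin:/bin` pair that wabe's envars.txt recorded. The takeaway for anyone auditing service accounts is that setting `/sbin/nologin` only closes the interactive path (login, su, sshd); it does not prevent cron, procmail-style delivery agents or anything else that execs `/bin/sh -c` directly from running code as that user, so those job sources need their own controls.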