https://bugs.exim.org/show_bug.cgi?id=3028
--- Comment #6 from Hendrik Jäger [:henk] <[email protected]> --- (In reply to Andrew Aitchison from comment #5) > Exim has determined that you are not an admin user, so do not have the > authority to continue. In the code (exim.c cira line 4430) the "debugging" > version of the message comes immdiately after a comment: > > […] > > ** Since you are trying to start a daemon you need to do as an admin. > ** Now that you understand the reason for the message (I hope) > ** can you suggest a clearer message text ? > > For this sort of testing I recommend that either your test user belongs to > your exim group, or to a group declared in your test config in the > "admin_group" entry. That was a very helpful hint and I now got it to run (seemingly) fine as a user! The config I’m using for that now is: % cat tmp/2023-09-20_exim_config.conf daemon_smtp_ports = 1234 spool_directory = /home/henk/tmp/exim_spool_test # log_file_path = /home/henk/tmp/exim_log_test/exim_%slog pid_file_path = /home/henk/tmp/exim_pid exim_user = henk exim_group = henk # admin_groups = henk 14:30:07 θ64° 1z [henk:~] <system> % exim -C tmp/2023-09-20_exim_config.conf -v -bdf -d+all 14:30:11 18477 Exim version 4.96 uid=1000 gid=1000 pid=18477 D=fff9ffff 14:30:11 18477 Support for: crypteq iconv() IPv6 GnuTLS TLS_resume move_frozen_messages DANE DKIM DNSSEC Event I18N OCSP PIPECONNECT PRDR Queue_Ramp SOCKS SRS TCP_Fast_Open 14:30:11 18477 Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz dnsdb dsearch nis nis0 passwd 14:30:11 18477 Authenticators: cram_md5 external plaintext 14:30:11 18477 Routers: accept dnslookup ipliteral manualroute queryprogram redirect 14:30:11 18477 Transports: appendfile/maildir/mailstore autoreply lmtp pipe smtp 14:30:11 18477 Fixed never_users: 0 14:30:11 18477 Configure owner: 0:0 14:30:11 18477 Size of off_t: 8 14:30:11 18477 Compiler: GCC [12.2.0] 14:30:11 18477 Library version: Glibc: Compile: 2.36 14:30:11 18477 Runtime: 2.36 14:30:11 18477 Library version: BDB: Compile: Berkeley DB 5.3.28: (September 9, 2013) 14:30:11 18477 Runtime: Berkeley DB 5.3.28: (September 9, 2013) 14:30:11 18477 Library version: GnuTLS: Compile: 3.7.9 14:30:11 18477 Runtime: 3.7.9 14:30:11 18477 Library version: IDN2: Compile: 2.3.3 14:30:11 18477 Runtime: 2.3.3 14:30:11 18477 Library version: Stringprep: Compile: 1.41 14:30:11 18477 Runtime: 1.41 14:30:11 18477 Library version: PCRE2: Compile: 10.42 14:30:11 18477 Runtime: 10.42 2022-12-11 14:30:11 18477 Total 14 lookups 14:30:11 18477 WHITELIST_D_MACROS: "OUTGOING" 14:30:11 18477 TRUSTED_CONFIG_LIST: "/etc/exim4/trusted_configs" 14:30:11 18477 changed uid/gid: -C, -D, -be or -bf forces real uid 14:30:11 18477 uid=1000 gid=1000 pid=18477 14:30:11 18477 auxiliary group list: 4 6 7 20 24 25 29 30 44 46 50 104 108 109 114 117 119 121 122 123 136 139 140 148 150 152 162 1000 1001 14:30:11 18477 seeking password data for user "henk": cache not available 14:30:11 18477 getpwnam() succeeded uid=1000 gid=1000 14:30:11 18477 LOG: MAIN 14:30:11 18477 Warning: purging the environment. 14:30:11 18477 Suggested action: use keep_environment. 14:30:11 18477 configuration file is tmp/2023-09-20_exim_config.conf 14:30:11 18477 log selectors = 00000ffc 64205022 0000000c 14:30:11 18477 LOG: MAIN PANIC 14:30:11 18477 exim user lost privilege for using -C option 14:30:11 18477 trusted user 14:30:11 18477 admin user 14:30:11 18477 dropping to exim gid; retaining priv uid 14:30:11 18477 originator: uid=1000 gid=1000 login=henk name="Hendrik Jaeger,,," 14:30:11 18477 LOG: MAIN 14:30:11 18477 Warning: No server certificate defined; will use a selfsigned one. 14:30:11 18477 Suggested action: either install a certificate or change tls_advertise_hosts option 14:30:11 18477 fresh-exec forking for cipher-validate 14:30:11 18477 fresh-exec forked for cipher-validate: 18478 14:30:11 18478 postfork: cipher-validate 14:30:11 18478 >>>>>>>>>>>>>>>> Exim pid=18478 (cipher-validate) terminating with rc=0 >>>>>>>>>>>>>>>> 14:30:11 18477 tls_validate_require_cipher child 18478 ended: status=0x0 14:30:11 18477 creating notifier socket 14:30:11 18477 ╭considering: $spool_directory/exim_daemon_notify 14:30:11 18477 ├considering: /exim_daemon_notify 14:30:11 18477 ├───────text: /exim_daemon_notify 14:30:11 18477 ├──expanding: $spool_directory/exim_daemon_notify 14:30:11 18477 ╰─────result: /home/henk/tmp/exim_spool_test/exim_daemon_notify 14:30:11 18477 @/home/henk/tmp/exim_spool_test/exim_daemon_notify 14:30:11 18477 listening on all interfaces (IPv6) port 1234 14:30:11 18477 listening on all interfaces (IPv4) port 1234 14:30:11 18477 pid written to /home/henk/tmp/exim_pid 14:30:11 18477 changed uid/gid: running as a daemon 14:30:11 18477 uid=1000 gid=1000 pid=18477 14:30:11 18477 auxiliary group list: 4 6 7 20 24 25 29 30 44 46 50 104 108 109 114 117 119 121 122 123 136 139 140 148 150 152 162 1000 1001 14:30:11 18477 LOG: MAIN 14:30:11 18477 exim 4.96 daemon started: pid=18477, no queue runs, listening for SMTP on port 1234 (IPv6 and IPv4) 14:30:11 18477 set_process_info: 18477 daemon(4.96): no queue runs, listening for SMTP on port 1234 (IPv6 and IPv4) 14:30:11 18477 GnuTLS global init required 14:30:11 18477 TLS: basic cred init, server 14:30:11 18477 TLS: generating selfsigned server cert 14:30:12 18477 GnuTLS<3>: ASSERT: ../../../lib/nettle/mpi.c[wrap_nettle_mpi_print]:60 14:30:12 18477 GnuTLS<3>: ASSERT: ../../../lib/nettle/mpi.c[wrap_nettle_mpi_print]:60 14:30:12 18477 GnuTLS<3>: ASSERT: ../../../lib/nettle/mpi.c[wrap_nettle_mpi_print]:60 14:30:12 18477 GnuTLS<3>: ASSERT: ../../../lib/nettle/mpi.c[wrap_nettle_mpi_print]:60 14:30:12 18477 GnuTLS<3>: ASSERT: ../../../lib/nettle/mpi.c[wrap_nettle_mpi_print]:60 14:30:12 18477 GnuTLS<3>: ASSERT: ../../../lib/nettle/mpi.c[wrap_nettle_mpi_print]:60 14:30:12 18477 GnuTLS<3>: ASSERT: ../../../lib/nettle/mpi.c[wrap_nettle_mpi_print]:60 14:30:12 18477 GnuTLS<3>: ASSERT: ../../../lib/nettle/mpi.c[wrap_nettle_mpi_print]:60 14:30:12 18477 GnuTLS<3>: ASSERT: ../../../lib/nettle/mpi.c[wrap_nettle_mpi_print]:60 14:30:12 18477 GnuTLS<3>: ASSERT: ../../../lib/nettle/mpi.c[wrap_nettle_mpi_print]:60 14:30:12 18477 GnuTLS<2>: Disabling X.509 extensions. 14:30:12 18477 GnuTLS<2>: signing structure using RSA-SHA256 14:30:12 18477 GnuTLS<3>: ASSERT: ../../../lib/nettle/mpi.c[wrap_nettle_mpi_print]:60 14:30:12 18477 GnuTLS<3>: ASSERT: ../../../lib/nettle/mpi.c[wrap_nettle_mpi_print]:60 14:30:12 18477 GnuTLS<3>: ASSERT: ../../../lib/nettle/mpi.c[wrap_nettle_mpi_print]:60 14:30:12 18477 GnuTLS<3>: ASSERT: ../../../lib/nettle/mpi.c[wrap_nettle_mpi_print]:60 14:30:12 18477 GnuTLS<3>: ASSERT: ../../../lib/nettle/mpi.c[wrap_nettle_mpi_print]:60 14:30:12 18477 GnuTLS<3>: ASSERT: ../../../lib/nettle/mpi.c[wrap_nettle_mpi_print]:60 14:30:12 18477 GnuTLS<3>: ASSERT: ../../../lib/nettle/mpi.c[wrap_nettle_mpi_print]:60 14:30:12 18477 GnuTLS<3>: ASSERT: ../../../lib/nettle/mpi.c[wrap_nettle_mpi_print]:60 14:30:12 18477 GnuTLS<3>: ASSERT: ../../../lib/nettle/mpi.c[wrap_nettle_mpi_print]:60 14:30:12 18477 GnuTLS<3>: ASSERT: ../../../lib/x509/x509_ext.c[gnutls_subject_alt_names_get]:111 14:30:12 18477 GnuTLS<3>: ASSERT: ../../../lib/x509/x509.c[get_alt_name]:2012 14:30:12 18477 GnuTLS<3>: ASSERT: ../../../lib/nettle/mpi.c[wrap_nettle_mpi_print]:60 14:30:12 18477 TLS: preloading CA bundle for server 14:30:12 18477 GnuTLS<3>: ASSERT: ../../../lib/x509/dn.c[_gnutls_x509_compare_raw_dn]:1039 14:30:12 18477 GnuTLS<3>: ASSERT: ../../../lib/x509/dn.c[_gnutls_x509_compare_raw_dn]:1039 14:30:12 18477 GnuTLS<3>: ASSERT: ../../../lib/x509/dn.c[_gnutls_x509_compare_raw_dn]:1039 14:30:12 18477 Added 142 certificate authorities 14:30:12 18477 TLS: not preloading CRL for server 14:30:12 18477 TLS: preloading cipher list for server: NULL 14:30:12 18477 GnuTLS using default session cipher/priority "NORMAL" 14:30:12 18477 GnuTLS<2>: added 6 protocols, 29 ciphersuites, 19 sig algos and 10 groups into priority list 14:30:12 18477 daemon running with uid=1000 gid=1000 euid=1000 egid=1000 14:30:12 18477 Listening... ^C14:30:13 18477 SIGTERM/SIGINT seen 14:30:13 18477 daemon forking for daemon-del-pidfile 14:30:13 18477 daemon forked for daemon-del-pidfile: 18486 14:30:13 18486 postfork: daemon-del-pidfile 14:30:13 18486 exec /usr/sbin/exim4 -C tmp/2023-09-20_exim_config.conf -d=0xfff9ffff -MCd daemon-del-pidfile -oPX exim: only uid=0 or uid=106 can use -oP and -oPX (uid=1000 euid=0 | 1000) 14:30:13 18477 search_tidyup called 14:30:13 18477 >>>>>>>>>>>>>>>> Exim pid=18477 (daemon) terminating with rc=0 >>>>>>>>>>>>>>>> I’m not quite sure how to phrase most of my thoughts about the issues I encountered during this whole process properly but I’ll try: 0) Running exim as a user without any config at all produces a very unspecific "permission denied" message that is completely uninformative: % exim -C /dev/null -v -bdf LOG: MAIN Warning: purging the environment. Suggested action: use keep_environment. exim: permission denied it gets better when adding a config with just exim_user defined: % cat tmp/2023-09-20_exim_config.conf exim_user = henk % exim -C tmp/2023-09-20_exim_config.conf -v -bdf LOG: MAIN Warning: purging the environment. Suggested action: use keep_environment. LOG: MAIN PANIC exim user lost privilege for using -C option LOG: MAIN Warning: No server certificate defined; will use a selfsigned one. Suggested action: either install a certificate or change tls_advertise_hosts option 7615 LOG: MAIN PANIC 7615 daemon_notifier_socket bind: Address already in use 7615 LOG: MAIN 7615 socket bind() to port 25 for address (any IPv6) failed: Permission denied: waiting 30s before trying again (9 more tries) I’m still unclear about what actually is the issue causing the "permission denied" error. Trying to drop root privileges and switching to the user it is configured (by compile-time options?) to run as? If so, it should IMHO not even try to do this. It already knows that it was started as an unprivileged user and that it drops its root privileges from being setuid because of -C, so I think it should just continue as if 'exim_user = the_current_user' was set. Again: my understanding of this case is very limited so far so my suggestion might be totally nonsensical. Maybe a message like "Exim has not been started by a user who is a member in one of the groups configured in the admin_groups setting. If you really intend to run exim as an unprivileged user, set the exim_user configuration variable accordingly." would be more useful to the user, if my understanding of the issue is correct. 1) with the config above with just exim_user set, invoking exim with '-d+all' also "works fine", i.e. not "debugging permission denied" error. So the same problem with suggesting a solution: I don’t really understand the problem, I think. It actually all boiled down to having 'exim_user' set to the current user. Having this figured out, exim started to give reasonably informative output about any other problems it encountered that lead to the config I posted at the top of this comment. -- You are receiving this mail because: You are on the CC list for the bug. -- ## subscription configuration (requires account): ## https://lists.exim.org/mailman3/postorius/lists/exim-dev.lists.exim.org/ ## unsubscribe (doesn't require an account): ## [email protected] ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/
