On Tue, Apr 28, 2020 at 08:59:58AM +0100, Russell King via Exim-users wrote:
> On Tue, Apr 28, 2020 at 10:38:13AM +0300, Evgeniy Berdnikov via Exim-users
> wrote:
> > Write a wrapper over /usr/sbin/sendmail which should start exim
> > as root and with additional debug flags.
>
> I don't think that will work based on my testing so far.
>
> If exim is started as root, then the problem goes away (which is not
> surprising because root can generally do anything, bypassing file
> permissions.)

Root obeys file permissions, but generally it has more permissions than
an ordinary user.

> That is the exact problem getting debug in this situation: you need
> exim to be invoked as the user concerned to then drop privileges
> back to an unprivileged user to then trigger the permission denied
> error. However, you can't enable debug.

Take one minute to think. The user runs the MTA as "/usr/sbin/sendmail -oi -t",
passing argv[0..2] = ["/usr/sbin/sendmail", "-oi", "-t"]. You have to
replace argv with ["-d+all", "-oi", "-t"] and run the exim binary from another
location, where it may stay with the setuid bit. No magic here, no need for
special privileges, it can be done with a 2-line shell script:

    #!/bin/sh
    exec /usr/sbin/exim -d+all "$@"

This script does not ever need to be setuid.
--
Eugene Berdnikov