On 07/14/2016 05:19 PM, Fernando Rodriguez wrote:
> On 07/13/2016 01:41 PM, wabe wrote:
>> Fernando Rodriguez <cyklon...@gmail.com> wrote:
>
>>> On 07/13/2016 07:10 AM, Alan McKinnon wrote:
>>>> On 12/07/2016 03:47, jens w wrote:
>>>>> .procmailrc
>>>>> :0 c
>>>>> * !^X-Loop: n...@example.com
>>>>> | formail -X "From:" | $HOME/bin/script.sh
>>>>>
>>>>> procmail.log
>>>>> procmail: Executing " formail -X "From:" | $HOME/bin/script.sh
>>>>>
>>>>> For incoming mail, a script is executed. The logfile has the same
>>>>> entry as it does for other users, but the script does nothing.
>>>>>
>>>>> How do I execute a command as a nologin user?
>>>>>
>>>>
>>>> You can't, not the way you are doing it.
>>>> You want to launch a shell script for the user, but the user's
>>>> shell is /sbin/nologin. This exits immediately without launching
>>>> the script.
>>>>
>>>> Give the user a real shell.
>>>>
>>>> Alan
>>>>
>>>
>>> I've been following this thread and thinking the same thing but
>>> wasn't sure.
>>>
>>> What if you invoke the shell directly instead of the script, either:
>>> /bin/sh -c "<path to script>" or /bin/sh -c "$(cat <script>)"?
>>>
>>> If procmail uses the system() call to launch the script it won't work,
>>> but if it uses fork()/exec() or similar I think that it should work.
>
>> I don't know how procmail is launching scripts, so I don't know if
>> what I say now makes sense. :-)
>
>> I tested whether another regular user (let's call him user1) can execute
>> scripts that are owned by nologinuser. It works as long as the path
>> and the script itself are readable and executable by user1.
>> If the script is writing stuff into /home/nologinuser then it is
>> also necessary that the home directory is writable by user1.
>
>> Of course user1 hasn't executed the script as nologinuser. I don't
>> know if procmail is doing so.
>
>> --
>> Regards
>> wabe
>
>
> Yes, you can execute any scripts as long as you have permissions. A program
> can use the exec() family of functions to do that. But if the program calls
> the system() function or similar it will try to use the user shell to execute
> the command. If the shell is nologin it will refuse to do so.
>
That's not actually true either. The system(3) function is defined to create a child process using fork(2), then execute the specified command using execl(3) as follows:

    execl("/bin/sh", "sh", "-c", command, (char *) 0);

Note that this is not dependent on the user's normal shell; the shell /bin/sh is *always* used.

-- 
Jonathan Callen
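As an added example (not code from the thread or from procmail), the system(3) behaviour Jonathan describes written out as a small C program: fork(2), then execl of the hard-coded /bin/sh with "-c", plus a check that the child's $0 is the literal "sh" from that execl and a run with $SHELL set to a constructed nologin path to show that the login shell is never consulted.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Added example, not code from the thread: system(3) as Jonathan describes it.
 * fork(2), then execl("/bin/sh", "sh", "-c", command, (char *)0) in the child;
 * the parent waits and returns the command's exit status (-1 on error).
 * Nothing here reads the user's login shell from /etc/passwd or $SHELL. */
static int sh_c_system(const char *command)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", command, (char *)0);
        _exit(127);              /* reached only if /bin/sh could not be exec'd */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Returns 1 if the child's $0 is "sh", i.e. the hard-coded argv[0] from the
 * execl above, confirming which shell actually ran the command. */
static int child_shell_is_sh(void)
{
    return sh_c_system("[ \"$0\" = sh ]") == 0;
}

/* Same command, but with $SHELL pointing at a nologin binary (a constructed
 * value; the path need not exist). Because /bin/sh is hard-coded, the result
 * is identical: the command still runs. A nologin login shell only takes
 * effect when something actually invokes that shell, e.g. login(1) or su(1). */
static int sh_c_system_with_nologin_env(const char *command)
{
    setenv("SHELL", "/sbin/nologin", 1);
    int rc = sh_c_system(command);
    unsetenv("SHELL");
    return rc;
}

int main(void)
{
    printf("exit 3                  -> %d\n", sh_c_system("exit 3"));
    printf("child shell is sh       -> %d\n", child_shell_is_sh());
    printf("true with SHELL=nologin -> %d\n", sh_c_system_with_nologin_env("true"));
    return 0;
}
```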