[horde] [whups]: error on script pipe in postfix

Carsten horde-groupware at familie-lahme.de
Sun Mar 11 12:59:08 UTC 2018



On 11.03.2018 at 13:07, Carsten wrote:
>
>
> On 11.03.2018 at 12:35, Carsten wrote:
>>
>>
>> On 10.03.2018 at 21:00, Jan Schneider wrote:
>>>
>>> Quoting Carsten <horde-groupware at familie-lahme.de>:
>>>
>>>> On 10.03.2018 at 11:20, Jan Schneider wrote:
>>>>>
>>>>> Quoting Carsten <horde-groupware at familie-lahme.de>:
>>>>>
>>>>>> On 09.03.2018 at 11:38, Jan Schneider wrote:
>>>>>>>
>>>>>>> Quoting Carsten <horde-groupware at familie-lahme.de>:
>>>>>>>
>>>>>>>> Hi all,
>>>>>>>>
>>>>>>>> I am trying to set up whups with automated ticket generation from 
>>>>>>>> mails.
>>>>>>>>
>>>>>>>> My postfix sends the incoming mail to the pipe, but returns 
>>>>>>>> such an error:
>>>>>>>>
>>>>>>>> Mar  8 12:40:38 derdapp004 postfix/local[30799]: 04C7040C4C: 
>>>>>>>> to=<whups at localhost>, orig_to=<whups@[mydn.tdl]>, relay=local, 
>>>>>>>> delay=0.58, delays=0.09/0.04/0/0.45, dsn=5.3.0, status=bounced 
>>>>>>>> (Command died with status 255: "/usr/bin/whups-mail-filter -g". 
>>>>>>>> Command output: PHP Warning: 
>>>>>>>> require_once(/usr/share/php/www/horde/whups/lib/Application.php): 
>>>>>>>> failed to open stream: No such file or directory in 
>>>>>>>> /usr/bin/whups-mail-filter on line 73 PHP Fatal error: 
>>>>>>>> require_once(): Failed opening required 
>>>>>>>> '/usr/share/php/www/horde/whups/lib/Application.php' 
>>>>>>>> (include_path='.:/usr/share/php:/usr/share/pear') in 
>>>>>>>> /usr/bin/whups-mail-filter on line 73 )
>>>>>>>>
>>>>>>>>
>>>>>>>> If I pipe with the local user (root) from the command line, it 
>>>>>>>> works perfectly.
>>>>>>>> I guess it is about a missing environment o.s.
>>>>>>>>
>>>>>>>> Can somebody advise, pls?
>>>>>>>>
>>>>>>>> br
>>>>>>>> Carsten
>>>>>>>
>>>>>>> You have set the horde_dir configuration setting in PEAR only 
>>>>>>> for the user that installed Horde, not for the user that runs 
>>>>>>> the pipe. Either use the same user for both (web server user is 
>>>>>>> always a good choice), or set the PEAR configuration for the 
>>>>>>> other user too, or set the configuration globally:
>>>>>>> $ pear config-set -c horde horde_dir /real/path/to/horde
>>>>>>> $ pear config-set -c horde horde_dir /real/path/to/horde system
>>>>>>>
>>>>>>
>>>>>> Hmm... ok, I see.
>>>>>> Let's check:
>>>>>> That's the user I installed horde with:
>>>>>> root at derdapp004 /etc/postfix # pear config-show -c horde|grep -i 
>>>>>> horde_dir
>>>>>> Base Horde directory           horde_dir /var/www/horde
>>>>>>
>>>>>> This is the user apache2 is running as:
>>>>>> root at derdapp004 /etc/postfix # sudo -u www-data pear config-show 
>>>>>> -c horde|grep -i horde_dir
>>>>>> Base Horde directory           horde_dir /usr/share/php/www/horde
>>>>>>
>>>>>> And that's the postfix user:
>>>>>> root at derdapp004 /etc/postfix # sudo -u postfix pear config-show 
>>>>>> -c horde|grep -i horde_dir
>>>>>> Base Horde directory           horde_dir /usr/share/php/www/horde
>>>>>>
>>>>>>
>>>>>> OK. Just to verify that the issue still persists, one test 
>>>>>> before the configuration change:
>>>>>> ##############
>>>>>> Mar  9 16:56:59 derdapp004 postfix/local[15222]: 117514085F: 
>>>>>> to=<whups at localhost>, orig_to=<whups@[mydn.tld]>, relay=local, 
>>>>>> delay=0.57, delays=0.08/0.04/0/0.46, dsn=5.3.0, status=bounced 
>>>>>> (Command died with status 255: "/usr/bin/whups-mail-filter -g". 
>>>>>> Command output: PHP Warning: 
>>>>>> require_once(/whups/lib/Application.php): failed to open stream: 
>>>>>> No such file or directory in /usr/bin/whups-mail-filter on line 
>>>>>> 73 PHP Fatal error: require_once(): Failed opening required 
>>>>>> '/whups/lib/Application.php' 
>>>>>> (include_path='.:/usr/share/php:/usr/share/pear') in 
>>>>>> /usr/bin/whups-mail-filter on line 73 )
>>>>>> ################
>>>>>>
>>>>>>
>>>>>> Now I configure postfix for the dir, as root has it set:
>>>>>> root at derdapp004 /etc/postfix # sudo -u postfix pear config-set -c 
>>>>>> horde horde_dir /var/www/horde
>>>>>> config-set (horde_dir, /var/www/horde, user) failed, channel 
>>>>>> pear.horde.org
>>>>>>
>>>>>> uups... ?!?
>>>>>> With that knowledge I searched the all-knowing-heapdump again and 
>>>>>> found other horde users having that issue - which is a pear issue, 
>>>>>> not a horde issue.
>>>>>> Daemon users do not have an interactive profile, so you !_have_! to 
>>>>>> set it system-wide, from my point of view.
>>>>>>
>>>>>> root at derdapp004 /home # pear config-set -c horde horde_dir 
>>>>>> /var/www/horde system
>>>>>> config-set succeeded
>>>>>>
>>>>>> And again, we test:
>>>>>> ##########################
>>>>>> Mar  9 16:59:54 derdapp004 postfix/local[15508]: 4CC8340861: 
>>>>>> to=<whups at localhost>, orig_to=<whups@[mydn.tld]>, relay=local, 
>>>>>> delay=1, delays=0.06/0.03/0/0.95, dsn=5.3.0, status=bounced 
>>>>>> (Command died with status 1: "/usr/bin/whups-mail-filter -g". 
>>>>>> Command output: Fatal Error: No such backend "" found In 
>>>>>> /var/www/horde/whups/lib/Factory/Driver.php on line 46 1. 
>>>>>> Horde_Registry::appInit() 
>>>>>> /usr/bin/whups-mail-filter:74              2. 
>>>>>> Horde_Registry->pushApp() 
>>>>>> /usr/share/php/Horde/Registry.php:299      3. 
>>>>>> Horde_Registry->_pushAppError() 
>>>>>> /usr/share/php/Horde/Registry.php:1640 4. 
>>>>>> Horde_Registry::appInit() /usr/bin/whups-mail-filter:74 5. 
>>>>>> Horde_Registry->pushApp() 
>>>>>> /usr/share/php/Horde/Registry.php:299      6. 
>>>>>> Horde_Registry->callAppMethod() 
>>>>>> /usr/share/php/Horde/Registry.php:1635 7. call_user_func_array() 
>>>>>> /usr/share/php/Horde/Registry.php:1197 8. 
>>>>>> Horde_Registry_Application->init() 9. Whups_Application->_init() 
>>>>>> /usr/share/php/Horde/Registry/Application.php:117 10. 
>>>>>> Whups_Factory_Driver->create() 
>>>>>> /var/www/horde/whups/lib/Application.php:49 )
>>>>>>
>>>>>> ##########################
>>>>>>
>>>>>> Here is my test mail for better debugging:
>>>>>>
>>>>>> ##########################
>>>>>> root at derdapp001 ~ # sendmail whups@[mydn.tld]
>>>>>> subject: Monitoring: test ticket
>>>>>> data
>>>>>> Hello World
>>>>>> [CTRL]+d
>>>>>> ##########################
>>>>>>
>>>>>> Let's give it a try on the local command line as postfix user:
>>>>>> We create a little script:
>>>>>> #################################
>>>>>> 1 root at derdapp004 /tmp # cat testmail :(
>>>>>> #!/bin/bash
>>>>>> clear;
>>>>>> echo "Hi, my name is $(whoami)";
>>>>>> echo "from: root at derdapp001.[mydn.tld] _
>>>>>> to: whups@[mydn.tld] _
>>>>>> subject: Monitoring: test alert _
>>>>>>  _
>>>>>> hallo welt _
>>>>>>  _
>>>>>> "|whups-mail-filter -g -q monitoring;
>>>>>> ######################################
>>>>>>
>>>>>> now we fire it as postfix:
>>>>>> ####################################
>>>>>> root at derdapp004 /tmp # sudo -u postfix /tmp/testmail
>>>>>> [clearscreen]
>>>>>> Hi, my name is postfix
>>>>>>
>>>>>> Message from syslogd at derdapp004 at Mar  9 17:28:18 ...
>>>>>>  HORDE: No such backend "" found [pid 17708 on line 1679 of 
>>>>>> "/usr/share/php/Horde/Registry.php"]
>>>>>>
>>>>>>   Fatal Error:
>>>>>>   No such backend "" found
>>>>>>   In /var/www/horde/whups/lib/Factory/Driver.php on line 46
>>>>>>
>>>>>>    1. Horde_Registry::appInit() /usr/bin/whups-mail-filter:74
>>>>>>    2. Horde_Registry->pushApp() 
>>>>>> /usr/share/php/Horde/Registry.php:299
>>>>>>    3. Horde_Registry->_pushAppError()
>>>>>> /usr/share/php/Horde/Registry.php:1640
>>>>>>    4. Horde_Registry::appInit() /usr/bin/whups-mail-filter:74
>>>>>>    5. Horde_Registry->pushApp() 
>>>>>> /usr/share/php/Horde/Registry.php:299
>>>>>>    6. Horde_Registry->callAppMethod()
>>>>>> /usr/share/php/Horde/Registry.php:1635
>>>>>>    7. call_user_func_array() /usr/share/php/Horde/Registry.php:1197
>>>>>>    8. Horde_Registry_Application->init()
>>>>>>    9. Whups_Application->_init()
>>>>>> /usr/share/php/Horde/Registry/Application.php:117
>>>>>>   10. Whups_Factory_Driver->create()
>>>>>> /var/www/horde/whups/lib/Application.php:49
>>>>>> ###################################
>>>>>>
>>>>>> Ok, give it a try on the root user:
>>>>>>
>>>>>> #######################################
>>>>>> root at derdapp004 /tmp # ./testmail
>>>>>> [clearscreen]
>>>>>>
>>>>>> Hi, my name is root
>>>>>> Usage: whups-mail-filter [options]
>>>>>>
>>>>>> [bla bla bla]
>>>>>>
>>>>>>   Fatal Error:
>>>>>>   --queue-name or --queue-id must specify a valid and public queue.
>>>>>>      Available queues:
>>>>>>
>>>>>>   1. Horde_Cli->fatal() /usr/bin/whups-mail-filter:169
>>>>>>
>>>>>> ##########################################################
>>>>>>
>>>>>> WTF?!?!?
>>>>>>
>>>>>> Revert system pear setting:
>>>>>> ####################################
>>>>>> root at derdapp004 /tmp # pear config-set -c horde horde_dir '' system
>>>>>> config-set succeeded
>>>>>> ######################################
>>>>>> again, local root test:
>>>>>>
>>>>>> #############################
>>>>>> root at derdapp004 /tmp # ./testmail
>>>>>> [clearscreen]
>>>>>>
>>>>>> [bla bla bla]
>>>>>>
>>>>>>   Fatal Error:
>>>>>>   --queue-name or --queue-id must specify a valid and public queue.
>>>>>>      Available queues:
>>>>>>
>>>>>>   1. Horde_Cli->fatal() /usr/bin/whups-mail-filter:169
>>>>>>
>>>>>> ###################################
>>>>>>
>>>>>> ok, last try, we check with the www-data:
>>>>>>
>>>>>> ##############################
>>>>>> root at derdapp004 ~www # sudo -u www-data /tmp/testmail
>>>>>> [clearscreen]
>>>>>>
>>>>>> Hi, my name is www-data
>>>>>> root at derdapp004 ~www #
>>>>>> ##############################
>>>>>>
>>>>>>
>>>>>> Well... ok, what is going on now?
>>>>>> Permission check on queue has been done.
>>>>>> Full rights for guest (tuned up during debugging).
>>>>>> So what is wrong here?
>>>>>>
>>>>>> *confused*
>>>>>>
>>>>>> Carsten
>>>>>
>>>>> Two things to rule out:
>>>>>
>>>>> - Use -Q instead of -q
>>>>> - Try using -a
>>>>>
>>>> Hi,
>>>> ok, changed the script like this:
>>>> #################################
>>>> root at derdapp004 /tmp # cat testmail :(
>>>> #!/bin/bash
>>>> clear;
>>>> echo "Hi, my name is $(whoami)";
>>>> echo "from: root at derdapp001.[mydn.tld] _
>>>> to: whups@[mydn.tld] _
>>>> subject: Monitoring: test alert _
>>>>  _
>>>> hallo welt _
>>>>  _
>>>> "|whups-mail-filter -g -Q 5 -a carsten@[mydn.tld];
>>>> ###################################
>>>> Check root user: OK
>>>> Check www-data: OK
>>>> Check postfix: failed
>>>> ###############################
>>>> Hi, my name is postfix
>>>> PHP Warning: 
>>>> require_once(/var/www/horde/whups/lib/Application.php): failed to 
>>>> open stream: Permission denied in /usr/bin/whups-mail-filter on 
>>>> line 73
>>>> PHP Fatal error:  require_once(): Failed opening required 
>>>> '/var/www/horde/whups/lib/Application.php' 
>>>> (include_path='.:/usr/share/php:/usr/share/pear') in 
>>>> /usr/bin/whups-mail-filter on line 73
>>>> ###############################
>>>>
>>>> Can you specify which files to check for permission settings?
>>>> At the moment I have 744 on all directories at /var/www/horde
>>>> and 745 on all files in the structure - I know, a little insecure, 
>>>> but it's debugging time ;-)
>>>>
>>>> br
>>>> Carsten
>>>
>>> /var/www/horde/whups/lib/Application.php is the file that cannot be 
>>> opened due to permission problems.
>>>
>> Checked file permissions. As described above:
>>
>> ###################
>> #
>> root at derdapp004 ~www/horde/whups/lib # pwd
>> /var/www/horde/whups/lib
>> root at derdapp004 ~www/horde/whups/lib # ll Application.php
>> -rwxr--r-x 1 www-data root 9169 Mar  7 11:33 Application.php
>> ##
>> ##################
>>
>> Let's check, what would be the output of a call of that file:
>>
>> #################
>> ##
>> root at derdapp004 ~www/horde/whups/lib # php -f Application.php
>> root at derdapp004 ~www/horde/whups/lib #
>> ##
>> #################
>>
>> Now with postfix:
>>
>> #################
>> ##
>> root at derdapp004 ~www/horde # sudo -u postfix php -f 
>> /var/www/horde/whups/lib/Application.php
>> Could not open input file: /var/www/horde/whups/lib/Application.php
>> #
>> ##################
>>
>> Now I did a more intense check of the permissions, using
>>
>> ##############
>> ##
>> root at derdapp004 ~www/horde/whups/lib # sudo -u postfix ls 
>> /var/www/horde/whups/lib
>> ls: cannot access /var/www/horde/whups/lib: Permission denied
>> root at derdapp004 ~www/horde/whups/lib # cd /var/www/horde
>> root at derdapp004 ~www/horde # ll
>> total 136
>> [...snipp...]
>> drwxr--r-- 13 www-data root  4096 Mar  7 11:33 whups
>> ##
>> ##############
>>
>> And bingo, a thing I will never understand in the LX permission 
>> context: you need execute to enter a directory.
>> Thinking about RBAC, I solved it with this:
>> 1st: create a group "www-horde"
>> 2nd: put user postfix into that group
>> 3rd: do a "chown -R www-data:www-horde /var/www/horde"
>> 4th: do a "chmod -R 750 /var/www/horde"
>> 5th: do another test:
>>
>> #################
>> ##
>> root at derdapp004 ~www/horde # sudo -u postfix /tmp/testmail
>> [clearscreen]
>> Hi, my name is postfix
>> root at derdapp004 ~www/horde #
>> ##
>> #################
>>
>> Ticket created!! And now: be happy.... ;-)
>>
>> Thanks for your patience and help!!
>>
>> br
>> Carsten
>
> OK, back where we started. I forgot the test using the mail:
> #######################
> ##
>
> <whups at localhost> (expanded from <whups@[mydn.tld]>): Command died with
>     status 255: "/usr/bin/whups-mail-filter -g -a carsten@[mydn.tld] -Q
>     5". Command output: PHP Warning:
>     require_once(/var/www/horde/whups/lib/Application.php): failed to open
>     stream: Permission denied in /usr/bin/whups-mail-filter on line 73 PHP
>     Fatal error:  require_once(): Failed opening required
>     '/var/www/horde/whups/lib/Application.php'
>     (include_path='.:/usr/share/php:/usr/share/pear') in
>     /usr/bin/whups-mail-filter on line 73
>
> ##
> #######################
>
> *angry curses*
>
> What else have I missed?
>
> br
> Carsten

I did some more research and found that:
"...
postfix/main.cf
default_privs (default: nobody)
The default rights used by the local(8) delivery agent for delivery to 
external file or command. These rights are used when delivery is 
requested from an aliases(5) file that is owned by root, or when 
delivery is done on behalf of root. DO NOT SPECIFY A PRIVILEGED USER OR 
THE POSTFIX OWNER.
..."

I added two lines to the whups-mail-filter like that:
"...
<?php
$shellex = shell_exec("logger INFO $(whoami)");
echo $shellex;
..."

Which returned this in the syslog:
"..
Mar 11 13:25:58 derdapp004 logger: INFO nobody
..."

So, we are back to the permissions.

1st: create a new user "postfix-pipe"
2nd: add it to the group "www-horde".
3rd: add "default_privs = postfix-pipe" to the main.cf
4th: do a postmap main.cf and a postfix reload
5th: do a command line check:
##############################
##
root at derdapp004 /etc # sudo -u postfix-pipe php -f 
/var/www/horde/whups/lib/Application.php
root at derdapp004 /etc #
##
##############################
=> works!

6th: do a mail check:
"...
Mar 11 13:54:39 derdapp004 logger: INFO postfix-pipe
Mar 11 13:54:40 derdapp004 postfix/local[32191]: A2D55415CC: 
to=<whups at localhost>, orig_to=<whups@[mydn.tld]>, relay=local, 
delay=0.61, delays=0.08/0.04/0/0.5, dsn=5.3.0, status=bounced (Command 
died with status 255: "/usr/bin/whups-mail-filter -g -a 
carsten@[mydn.tld] -Q 5". Command output: PHP Warning: 
require_once(/var/www/horde/whups/lib/Application.php): failed to open 
stream: Permission denied in /usr/bin/whups-mail-filter on line 76 PHP 
Fatal error:  require_once(): Failed opening required 
'/var/www/horde/whups/lib/Application.php' 
(include_path='.:/usr/share/php:/usr/share/pear') in 
/usr/bin/whups-mail-filter on line 76 )
..."
=> FAILS!!

Now I am totally off.......
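
Added example (not part of the original post): the "Permission denied" errors in this thread all come down to the rule that every directory on the way to Application.php needs search (x) permission and the file itself needs read (r) for the uid and groups the command actually runs with. The Python sketch below walks a path and reports the first component that blocks a given uid and gid set. It runs on a constructed temporary tree with hypothetical ids, and its third case models a process that holds only its primary group, which is an assumption about the delivery environment that the post does not establish.

```python
import os
import stat
import tempfile

def class_bits(st, uid, gids):
    """rwx triplet the kernel applies: owner, else group, else other (ACLs ignored)."""
    if uid == st.st_uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def first_blocked(path, uid, gids, base="/"):
    """First entry below base that uid cannot pass: search (x) is needed on
    every directory, read (r) on the final file. Returns (name, mode) or None."""
    if uid == 0:
        return None  # root is not subject to these mode checks
    cur, parts = base, os.path.relpath(path, base).split(os.sep)
    for i, part in enumerate(parts):
        cur = os.path.join(cur, part)
        st = os.stat(cur)
        is_final_file = i == len(parts) - 1 and not stat.S_ISDIR(st.st_mode)
        if not class_bits(st, uid, gids) & (4 if is_final_file else 1):
            return os.path.relpath(cur, base), stat.filemode(st.st_mode)
    return None

def demo():
    """Constructed tree mirroring horde/whups/lib/Application.php from the thread."""
    with tempfile.TemporaryDirectory() as base:
        dirs = [os.path.join(base, "horde")]
        dirs += [os.path.join(dirs[0], "whups"), os.path.join(dirs[0], "whups", "lib")]
        os.makedirs(dirs[-1])
        target = os.path.join(dirs[-1], "Application.php")
        open(target, "w").close()
        st = os.stat(target)
        # Hypothetical ids: a non-owner uid, the tree's group, an unrelated primary gid.
        pipe_uid, horde_gid, primary_gid = st.st_uid + 1, st.st_gid, st.st_gid + 1
        def set_modes(dir_mode, file_mode):
            os.chmod(target, file_mode)
            for d in reversed(dirs):
                os.chmod(d, dir_mode)
        set_modes(0o744, 0o745)  # modes reported while debugging
        before = first_blocked(target, pipe_uid, {primary_gid}, base)
        set_modes(0o750, 0o750)  # after chown to the group and chmod -R 750
        in_group = first_blocked(target, pipe_uid, {primary_gid, horde_gid}, base)
        primary_only = first_blocked(target, pipe_uid, {primary_gid}, base)
    return before, in_group, primary_only

if __name__ == "__main__":
    print(demo())
```

On a live system, pass the real path with the uid and group ids reported by `id` run from inside the piped command, since those are the credentials the check has to match.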


