[horde] [whups]: error on script pipe in postfix

Carsten horde-groupware at familie-lahme.de
Sun Mar 11 20:32:03 UTC 2018



Am 11.03.2018 um 21:05 schrieb Jan Schneider:
>
> Zitat von Carsten <horde-groupware at familie-lahme.de>:
>
>> Am 11.03.2018 um 13:07 schrieb Carsten:
>>>
>>>
>>> Am 11.03.2018 um 12:35 schrieb Carsten:
>>>>
>>>>
>>>> Am 10.03.2018 um 21:00 schrieb Jan Schneider:
>>>>>
>>>>> Zitat von Carsten <horde-groupware at familie-lahme.de>:
>>>>>
>>>>>> Am 10.03.2018 um 11:20 schrieb Jan Schneider:
>>>>>>>
>>>>>>> Zitat von Carsten <horde-groupware at familie-lahme.de>:
>>>>>>>
>>>>>>>> Am 09.03.2018 um 11:38 schrieb Jan Schneider:
>>>>>>>>>
>>>>>>>>> Zitat von Carsten <horde-groupware at familie-lahme.de>:
>>>>>>>>>
>>>>>>>>>> Hi all,
>>>>>>>>>>
>>>>>>>>>> I try the set up whups with automated ticket generation from 
>>>>>>>>>> mails.
>>>>>>>>>>
>>>>>>>>>> my postfix sends the incoming mail to the pipe, but returns 
>>>>>>>>>> such an error:
>>>>>>>>>>
>>>>>>>>>> Mar  8 12:40:38 derdapp004 postfix/local[30799]: 04C7040C4C: 
>>>>>>>>>> to=<whups at localhost>, orig_to=<whups@[mydn.tdl]>, 
>>>>>>>>>> relay=local, delay=0.58, delays=0.09/0.04/0/0.45, dsn=5.3.0, 
>>>>>>>>>> status=bounced (Command died with status 255: 
>>>>>>>>>> "/usr/bin/whups-mail-filter -g". Command output: PHP Warning: 
>>>>>>>>>> require_once(/usr/share/php/www/horde/whups/lib/Application.php): 
>>>>>>>>>> failed to open stream: No such file or directory in 
>>>>>>>>>> /usr/bin/whups-mail-filter on line 73 PHP Fatal error: 
>>>>>>>>>> require_once(): Failed opening required 
>>>>>>>>>> '/usr/share/php/www/horde/whups/lib/Application.php' 
>>>>>>>>>> (include_path='.:/usr/share/php:/usr/share/pear') in 
>>>>>>>>>> /usr/bin/whups-mail-filter on line 73 )
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> If I pipe with the local user (root) from the command line, 
>>>>>>>>>> it works perfect.
>>>>>>>>>> I guess it is about a missing environment o.s.
>>>>>>>>>>
>>>>>>>>>> Can somebody advice, pls?
>>>>>>>>>>
>>>>>>>>>> br
>>>>>>>>>> Carsten
>>>>>>>>>
>>>>>>>>> You have set the horde_dir configuration setting in PEAR only 
>>>>>>>>> for the user that installed Horde, not for the user that runs 
>>>>>>>>> the pipe. Either use the same user for both (web server user 
>>>>>>>>> is always a good choice), or set the PEAR configuration for 
>>>>>>>>> the other user too, or set the configuration globally:
>>>>>>>>> $ pear config-set -c horde horde_dir /real/path/to/horde
>>>>>>>>> $ pear config-set -c horde horde_dir /real/path/to/horde system
>>>>>>>>>
>>>>>>>>
>>>>>>>> Hmm... ok, I see.
>>>>>>>> Let's check:
>>>>>>>> that's the user, I installed horde with:
>>>>>>>> root at derdapp004 /etc/postfix # pear config-show -c horde|grep 
>>>>>>>> -i horde_dir
>>>>>>>> Base Horde directory           horde_dir /var/www/horde
>>>>>>>>
>>>>>>>> This is the user, the apache2 is running:
>>>>>>>> root at derdapp004 /etc/postfix # sudo -u www-data pear 
>>>>>>>> config-show -c horde|grep -i horde_dir
>>>>>>>> Base Horde directory           horde_dir /usr/share/php/www/horde
>>>>>>>>
>>>>>>>> And that's the postfix user:
>>>>>>>> root at derdapp004 /etc/postfix # sudo -u postfix pear config-show 
>>>>>>>> -c horde|grep -i horde_dir
>>>>>>>> Base Horde directory           horde_dir /usr/share/php/www/horde
>>>>>>>>
>>>>>>>>
>>>>>>>> ok. just to verify, the issue is still persistent, one test 
>>>>>>>> before the configuration change:
>>>>>>>> ##############
>>>>>>>> Mar  9 16:56:59 derdapp004 postfix/local[15222]: 117514085F: 
>>>>>>>> to=<whups at localhost>, orig_to=<whups@[mydn.tld]>, relay=local, 
>>>>>>>> delay=0.57, delays=0.08/0.04/0/0.46, dsn=5.3.0, status=bounced 
>>>>>>>> (Command died with status 255: "/usr/bin/whups-mail-filter -g". 
>>>>>>>> Command output: PHP Warning: 
>>>>>>>> require_once(/whups/lib/Application.php): failed to open 
>>>>>>>> stream: No such file or directory in /usr/bin/whups-mail-filter 
>>>>>>>> on line 73 PHP Fatal error: require_once(): Failed opening 
>>>>>>>> required '/whups/lib/Application.php' 
>>>>>>>> (include_path='.:/usr/share/php:/usr/share/pear') in 
>>>>>>>> /usr/bin/whups-mail-filter on line 73 )
>>>>>>>> ################
>>>>>>>>
>>>>>>>>
>>>>>>>> Now I configure postfix for the dir, as root has it set:
>>>>>>>> root at derdapp004 /etc/postfix # sudo -u postfix pear config-set 
>>>>>>>> -c horde horde_dir /var/www/horde
>>>>>>>> config-set (horde_dir, /var/www/horde, user) failed, channel 
>>>>>>>> pear.horde.org
>>>>>>>>
>>>>>>>> uups... ?!?
>>>>>>>> With that knowledge I searched again the all-knowing-heapdump 
>>>>>>>> and found other horde user having that issue -which is a 
>>>>>>>> pear-issue, not a horde issue.
>>>>>>>> Daemon user do not have a interactive profile, so You !_have_! 
>>>>>>>> to set it system wide from my point of view.
>>>>>>>>
>>>>>>>> root at derdapp004 /home # pear config-set -c horde horde_dir 
>>>>>>>> /var/www/horde system
>>>>>>>> config-set succeeded
>>>>>>>>
>>>>>>>> And again, we test:
>>>>>>>> ##########################
>>>>>>>> Mar  9 16:59:54 derdapp004 postfix/local[15508]: 4CC8340861: 
>>>>>>>> to=<whups at localhost>, orig_to=<whups@[mydn.tld]>, relay=local, 
>>>>>>>> delay=1, delays=0.06/0.03/0/0.95, dsn=5.3.0, status=bounced 
>>>>>>>> (Command died with status 1: "/usr/bin/whups-mail-filter -g". 
>>>>>>>> Command output: Fatal Error: No such backend "" found In 
>>>>>>>> /var/www/horde/whups/lib/Factory/Driver.php on line 46 1. 
>>>>>>>> Horde_Registry::appInit() 
>>>>>>>> /usr/bin/whups-mail-filter:74              2. 
>>>>>>>> Horde_Registry->pushApp() 
>>>>>>>> /usr/share/php/Horde/Registry.php:299      3. 
>>>>>>>> Horde_Registry->_pushAppError() 
>>>>>>>> /usr/share/php/Horde/Registry.php:1640 4. 
>>>>>>>> Horde_Registry::appInit() /usr/bin/whups-mail-filter:74 5. 
>>>>>>>> Horde_Registry->pushApp() 
>>>>>>>> /usr/share/php/Horde/Registry.php:299      6. 
>>>>>>>> Horde_Registry->callAppMethod() 
>>>>>>>> /usr/share/php/Horde/Registry.php:1635 7. 
>>>>>>>> call_user_func_array() /usr/share/php/Horde/Registry.php:1197 
>>>>>>>> 8. Horde_Registry_Application->init() 9. 
>>>>>>>> Whups_Application->_init() 
>>>>>>>> /usr/share/php/Horde/Registry/Application.php:117 10. 
>>>>>>>> Whups_Factory_Driver->create() 
>>>>>>>> /var/www/horde/whups/lib/Application.php:49 )
>>>>>>>>
>>>>>>>> ##########################
>>>>>>>>
>>>>>>>> Here is my test mail for better debugging:
>>>>>>>>
>>>>>>>> ##########################
>>>>>>>> root at derdapp001 ~ # sendmail whups@[mydn.tld]
>>>>>>>> subject: Monitoring: test ticket
>>>>>>>> data
>>>>>>>> Hello World
>>>>>>>> [CTRL]+d
>>>>>>>> ##########################
>>>>>>>>
>>>>>>>> Let's give it a try on the local command line as postfix user:
>>>>>>>> We create a little script:
>>>>>>>> #################################
>>>>>>>> 1 root at derdapp004 /tmp # cat testmail :(
>>>>>>>> #!/bin/bash
>>>>>>>> clear;
>>>>>>>> echo "Hi, my name is $(whoami)";
>>>>>>>> echo "from: root at derdapp001.[mydn.tld] _
>>>>>>>> to: whups@[mydn.tld] _
>>>>>>>> subject: Monitoring: test alert _
>>>>>>>>  _
>>>>>>>> hallo welt _
>>>>>>>>  _
>>>>>>>> "|whups-mail-filter -g -q monitoring;
>>>>>>>> ######################################
>>>>>>>>
>>>>>>>> now we fire it as postfix:
>>>>>>>> ####################################
>>>>>>>> root at derdapp004 /tmp # sudo -u postfix /tmp/testmail
>>>>>>>> learscreen]
>>>>>>>> Hi, my name is postfix
>>>>>>>>
>>>>>>>> Message from syslogd at derdapp004 at Mar  9 17:28:18 ...
>>>>>>>>  HORDE: No such backend "" found [pid 17708 on line 1679 of 
>>>>>>>> "/usr/share/php/Horde/Registry.php"]
>>>>>>>>
>>>>>>>>   Fatal Error:
>>>>>>>>   No such backend "" found
>>>>>>>>   In /var/www/horde/whups/lib/Factory/Driver.php on line 46
>>>>>>>>
>>>>>>>>    1. Horde_Registry::appInit() /usr/bin/whups-mail-filter:74
>>>>>>>>    2. Horde_Registry->pushApp() 
>>>>>>>> /usr/share/php/Horde/Registry.php:299
>>>>>>>>    3. Horde_Registry->_pushAppError()
>>>>>>>> /usr/share/php/Horde/Registry.php:1640
>>>>>>>>    4. Horde_Registry::appInit() /usr/bin/whups-mail-filter:74
>>>>>>>>    5. Horde_Registry->pushApp() 
>>>>>>>> /usr/share/php/Horde/Registry.php:299
>>>>>>>>    6. Horde_Registry->callAppMethod()
>>>>>>>> /usr/share/php/Horde/Registry.php:1635
>>>>>>>>    7. call_user_func_array() 
>>>>>>>> /usr/share/php/Horde/Registry.php:1197
>>>>>>>>    8. Horde_Registry_Application->init()
>>>>>>>>    9. Whups_Application->_init()
>>>>>>>> /usr/share/php/Horde/Registry/Application.php:117
>>>>>>>>   10. Whups_Factory_Driver->create()
>>>>>>>> /var/www/horde/whups/lib/Application.php:49
>>>>>>>> ###################################
>>>>>>>>
>>>>>>>> Ok, give it a try on the root user:
>>>>>>>>
>>>>>>>> #######################################
>>>>>>>> root at derdapp004 /tmp # ./testmail
>>>>>>>> [clearscreen]
>>>>>>>>
>>>>>>>> Hi, my name is root
>>>>>>>> Usage: whups-mail-filter [options]
>>>>>>>>
>>>>>>>> [bla bla bla]
>>>>>>>>
>>>>>>>>   Fatal Error:
>>>>>>>>   --queue-name or --queue-id must specify a valid and public 
>>>>>>>> queue.
>>>>>>>>      Available queues:
>>>>>>>>
>>>>>>>>   1. Horde_Cli->fatal() /usr/bin/whups-mail-filter:169
>>>>>>>>
>>>>>>>> ##########################################################
>>>>>>>>
>>>>>>>> WTF?!?!?
>>>>>>>>
>>>>>>>> Revert system pear setting:
>>>>>>>> ####################################
>>>>>>>> root at derdapp004 /tmp # pear config-set -c horde horde_dir '' 
>>>>>>>> system
>>>>>>>> config-set succeeded
>>>>>>>> ######################################
>>>>>>>> again, local root test:
>>>>>>>>
>>>>>>>> #############################
>>>>>>>> root at derdapp004 /tmp # ./testmail
>>>>>>>> [clearscreen]
>>>>>>>>
>>>>>>>> [bla bla bla]
>>>>>>>>
>>>>>>>>   Fatal Error:
>>>>>>>>   --queue-name or --queue-id must specify a valid and public 
>>>>>>>> queue.
>>>>>>>>      Available queues:
>>>>>>>>
>>>>>>>>   1. Horde_Cli->fatal() /usr/bin/whups-mail-filter:169
>>>>>>>>
>>>>>>>> ###################################
>>>>>>>>
>>>>>>>> ok, last try, we check with the www-data:
>>>>>>>>
>>>>>>>> ##############################
>>>>>>>> root at derdapp004 ~www # sudo -u www-data /tmp/testmail
>>>>>>>> [clearscreen]
>>>>>>>>
>>>>>>>> Hi, my name is www-data
>>>>>>>> root at derdapp004 ~www #
>>>>>>>> ##############################
>>>>>>>>
>>>>>>>>
>>>>>>>> Well... ok, what is now going on.
>>>>>>>> Permission check on queue has been done.
>>>>>>>> Full rights for guest (tuned up during debugging).
>>>>>>>> So what is wrong here?
>>>>>>>>
>>>>>>>> *confused*
>>>>>>>>
>>>>>>>> Carsten
>>>>>>>
>>>>>>> Two things to rule out:
>>>>>>>
>>>>>>> - Use -Q instead of -q
>>>>>>> - Try using -a
>>>>>>>
>>>>>> Hi,
>>>>>> ok, changed the script like this:
>>>>>> #################################
>>>>>> root at derdapp004 /tmp # cat testmail :(
>>>>>> #!/bin/bash
>>>>>> clear;
>>>>>> echo "Hi, my name is $(whoami)";
>>>>>> echo "from: root at derdapp001.[mydn.tld] _
>>>>>> to: whups@[mydn.tld] _
>>>>>> subject: Monitoring: test alert _
>>>>>>  _
>>>>>> hallo welt _
>>>>>>  _
>>>>>> "|whups-mail-filter -g -Q 5 -a carsten@[mydn.tld];
>>>>>> ###################################
>>>>>> Check root user: OK
>>>>>> Check www-data: OK
>>>>>> Check postfix: failed
>>>>>> ###############################
>>>>>> Hi, my name is postfix
>>>>>> PHP Warning: 
>>>>>> require_once(/var/www/horde/whups/lib/Application.php): failed to 
>>>>>> open stream: Permission denied in /usr/bin/whups-mail-filter on 
>>>>>> line 73
>>>>>> PHP Fatal error:  require_once(): Failed opening required 
>>>>>> '/var/www/horde/whups/lib/Application.php' 
>>>>>> (include_path='.:/usr/share/php:/usr/share/pear') in 
>>>>>> /usr/bin/whups-mail-filter on line 73
>>>>>> ###############################
>>>>>>
>>>>>> Can You specify which files to check for permission settings?
>>>>>> At the moment I have 744 on all directories at /var/www/horde
>>>>>> and 745 on all files in the structure -I know a little insecure, 
>>>>>> but it debugging time ;-)
>>>>>>
>>>>>> br
>>>>>> Carsten
>>>>>
>>>>> /var/www/horde/whups/lib/Application.php is the file that cannot 
>>>>> be opened due to permission problems.
>>>>>
>>>> Checked file permissions. As described above:
>>>>
>>>> ###################
>>>> #
>>>> root at derdapp004 ~www/horde/whups/lib # pwd
>>>> /var/www/horde/whups/lib
>>>> root at derdapp004 ~www/horde/whups/lib # ll Application.php
>>>> -rwxr--r-x 1 www-data root 9169 Mar  7 11:33 Application.php
>>>> ##
>>>> ##################
>>>>
>>>> Let's check, what would be the output of a call of that file:
>>>>
>>>> #################
>>>> ##
>>>> root at derdapp004 ~www/horde/whups/lib # php -f Application.php
>>>> root at derdapp004 ~www/horde/whups/lib #
>>>> ##
>>>> #################
>>>>
>>>> Now with postfix:
>>>>
>>>> #################
>>>> ##
>>>> root at derdapp004 ~www/horde # sudo -u postfix php -f 
>>>> /var/www/horde/whups/lib/Application.php
>>>> Could not open input file: /var/www/horde/whups/lib/Application.php
>>>> #
>>>> ##################
>>>>
>>>> Now I did a more intense check of the permissions, using
>>>>
>>>> ##############
>>>> ##
>>>> root at derdapp004 ~www/horde/whups/lib # sudo -u postfix ls 
>>>> /var/www/horde/whups/lib
>>>> ls: cannot access /var/www/horde/whups/lib: Permission denied
>>>> root at derdapp004 ~www/horde/whups/lib # cd /var/www/horde
>>>> root at derdapp004 ~www/horde # ll
>>>> total 136
>>>> [...snipp...]
>>>> drwxr--r-- 13 www-data root  4096 Mar  7 11:33 whups
>>>> ##
>>>> ##############
>>>>
>>>> and bingo, a thing, I will never understand in the LX permission 
>>>> context: You need execute to enter a directory
>>>> Thinking about RBAC I solved it with this:
>>>> 1st: create a group "www-horde"
>>>> 2nd: put user postfix into that group
>>>> 3rd: do a "chown -R www-data:www-horde /var/www/horde"
>>>> 4th: do a "chmod -R 750 /var/www/horde"
>>>> 5th: do another test:
>>>>
>>>> #################
>>>> ##
>>>> root at derdapp004 ~www/horde # sudo -u postfix /tmp/testmail
>>>> learscreen]
>>>> Hi, my name is postfix
>>>> root at derdapp004 ~www/horde #
>>>> ##
>>>> #################
>>>>
>>>> Ticket created!! And now: be happy.... ;-)
>>>>
>>>> Thanks for You patients and help!!
>>>>
>>>> br
>>>> Carsten
>>>
>>> ok, back, where we have started. I've forgotten the test using the 
>>> mail:
>>> #######################
>>> ##
>>>
>>> <whups at localhost> (expanded from <whups@[mydn.tld]>): Command died with
>>>     status 255: "/usr/bin/whups-mail-filter -g -a carsten@[mydn.tld] -Q
>>>     5". Command output: PHP Warning:
>>>     require_once(/var/www/horde/whups/lib/Application.php): failed 
>>> to open
>>>     stream: Permission denied in /usr/bin/whups-mail-filter on line 
>>> 73 PHP
>>>     Fatal error:  require_once(): Failed opening required
>>>     '/var/www/horde/whups/lib/Application.php'
>>>     (include_path='.:/usr/share/php:/usr/share/pear') in
>>>     /usr/bin/whups-mail-filter on line 73
>>>
>>> ##
>>> #######################
>>>
>>> *BöseFlüche*
>>>
>>> What else have I missed?
>>>
>>> br
>>> Carsten
>>
>> I did some more research and found that:
>> "...
>> postfix/main.cf
>> default_privs (default: nobody)
>> The default rights used by the local(8) delivery agent for delivery 
>> to external file or command. These rights are used when delivery is 
>> requested from an aliases(5) file that is owned by root, or when 
>> delivery is done on behalf of root. DO NOT SPECIFY A PRIVILEGED USER 
>> OR THE POSTFIX OWNER.
>> ..."
>>
>> I added two lines to the whups-mail-filter like that:
>> "...
>> <?php
>> $shellex = shell_exec("logger INFO $(whoami)");
>> echo $shellex;
>> ..."
>>
>> Which returned this in the syslog:
>> "..
>> Mar 11 13:25:58 derdapp004 logger: INFO nobody
>> ..."
>>
>> So, we are back to the permissions.
>>
>> 1st: create a new user "postfix-pipe"
>> 2nd: add it to the group "www-horde".
>> 3rd: add "default_privs = postfix-pipe" to the main.cf
>> 4th: do a postmap main.cf and a postfix reload
>> 5th: do a command line check:
>> ##############################
>> ##
>> root at derdapp004 /etc # sudo -u postfix-pipe php -f 
>> /var/www/horde/whups/lib/Application.php
>> root at derdapp004 /etc #
>> ##
>> ##############################
>> => works!
>>
>> 6th: do a mail check:
>> "...
>> Mar 11 13:54:39 derdapp004 logger: INFO postfix-pipe
>> Mar 11 13:54:40 derdapp004 postfix/local[32191]: A2D55415CC: 
>> to=<whups at localhost>, orig_to=<whups@[mydn.tld]>, relay=local, 
>> delay=0.61, delays=0.08/0.04/0/0.5, dsn=5.3.0, status=bounced 
>> (Command died with status 255: "/usr/bin/whups-mail-filter -g -a 
>> carsten@[mydn.tld] -Q 5". Command output: PHP Warning: 
>> require_once(/var/www/horde/whups/lib/Application.php): failed to 
>> open stream: Permission denied in /usr/bin/whups-mail-filter on line 
>> 76 PHP Fatal error:  require_once(): Failed opening required 
>> '/var/www/horde/whups/lib/Application.php' 
>> (include_path='.:/usr/share/php:/usr/share/pear') in 
>> /usr/bin/whups-mail-filter on line 76 )
>> ..."
>> => FAILS!!
>>
>> now I am totaly off.......
>
> Did you check the permissions of all parent directories too?
>
I think, I did, but let's walk through:
Toplevel "var" looks ok (other = r and x):
###
root at derdapp004 ~www # cd /
root at derdapp004 / # ll
[...snip...]
drwxr-xr-x  14 root  root       4096 May  3  2017 var
###

Step into /var and check "www".
looks good, too.(other = r and x):
###
root at derdapp004 / # cd var
root at derdapp004 /var # ll
[...snip...]
drwxr-xr-x  4 root  root  4096 May  6  2017 www
###

Now into www to check "horde".
 From here we use group permission (www-horde = r and x)
###
oot at derdapp004 /var # cd www
root at derdapp004 ~www # ll
drwxr-x--- 24 www-data www-horde 4096 Mar  7 11:33 horde
###

Next below horde is "whups":
###
root at derdapp004 ~www # cd horde :(
root at derdapp004 ~www/horde # ll
[...snip...]
drwxr-x--- 13 www-data www-horde  4096 Mar  7 11:33 whups
###

Subfolder "lib":
###
oot at derdapp004 ~www/horde # cd whups
root at derdapp004 ~www/horde/whups # ll
[..snip..]
drwxr-x--- 14 www-data www-horde 4096 Mar  7 11:33 lib
###

and last but nor least the file itself:
###
root at derdapp004 ~www/horde/whups # cd lib
root at derdapp004 ~www/horde/whups/lib # ll
[...snip...]
-rwxr-x--- 1 www-data www-horde  9232 Mar 11 18:55 Application.php
###

I do not see any error from that point of view.

If I do a "chmod -R 777 *" through the horde structure, it works.
I have added the "whoami" lines to the "Application.php" and it returns 
"postfix-pipe" if executed successful.

I already checked for apparmor and selinux, but last is not active and 
first is only configured for mysql.
The server has been rebooted meanwhile, too, just to make sure the new 
user/group objects are loaded, but no change.
At the moment I am totally out of ideas, and a "777" is not really 
acceptable from my perspective.

Any idea, how to do a "strace" on whups-mail-filter?!

br
Carsten


More information about the horde mailing list