[horde] [whups]: error on script pipe in postfix

Patrick Boutilier boutilpj at ednet.ns.ca
Mon Mar 12 12:36:50 UTC 2018


On 03/11/2018 08:52 PM, Carsten wrote:
> 
> 
> Am 11.03.2018 um 23:57 schrieb Jan Schneider:
>>
>> Zitat von Carsten <horde-groupware at familie-lahme.de>:
>>
>>> Am 11.03.2018 um 21:05 schrieb Jan Schneider:
>>>>
>>>> Zitat von Carsten <horde-groupware at familie-lahme.de>:
>>>>
>>>>> Am 11.03.2018 um 13:07 schrieb Carsten:
>>>>>>
>>>>>>
>>>>>> Am 11.03.2018 um 12:35 schrieb Carsten:
>>>>>>>
>>>>>>>
>>>>>>> Am 10.03.2018 um 21:00 schrieb Jan Schneider:
>>>>>>>>
>>>>>>>> Zitat von Carsten <horde-groupware at familie-lahme.de>:
>>>>>>>>
>>>>>>>>> Am 10.03.2018 um 11:20 schrieb Jan Schneider:
>>>>>>>>>>
>>>>>>>>>> Zitat von Carsten <horde-groupware at familie-lahme.de>:
>>>>>>>>>>
>>>>>>>>>>> Am 09.03.2018 um 11:38 schrieb Jan Schneider:
>>>>>>>>>>>>
>>>>>>>>>>>> Zitat von Carsten <horde-groupware at familie-lahme.de>:
>>>>>>>>>>>>
>>>>>>>>>>>>> Hi all,
>>>>>>>>>>>>>
>>>>>>>>>>>>> I try the set up whups with automated ticket generation 
>>>>>>>>>>>>> from mails.
>>>>>>>>>>>>>
>>>>>>>>>>>>> my postfix sends the incoming mail to the pipe, but returns 
>>>>>>>>>>>>> such an error:
>>>>>>>>>>>>>
>>>>>>>>>>>>> Mar  8 12:40:38 derdapp004 postfix/local[30799]: 
>>>>>>>>>>>>> 04C7040C4C: to=<whups at localhost>, 
>>>>>>>>>>>>> orig_to=<whups@[mydn.tdl]>, relay=local, delay=0.58, 
>>>>>>>>>>>>> delays=0.09/0.04/0/0.45, dsn=5.3.0, status=bounced (Command 
>>>>>>>>>>>>> died with status 255: "/usr/bin/whups-mail-filter -g". 
>>>>>>>>>>>>> Command output: PHP Warning: 
>>>>>>>>>>>>> require_once(/usr/share/php/www/horde/whups/lib/Application.php): 
>>>>>>>>>>>>> failed to open stream: No such file or directory in 
>>>>>>>>>>>>> /usr/bin/whups-mail-filter on line 73 PHP Fatal error: 
>>>>>>>>>>>>> require_once(): Failed opening required 
>>>>>>>>>>>>> '/usr/share/php/www/horde/whups/lib/Application.php' 
>>>>>>>>>>>>> (include_path='.:/usr/share/php:/usr/share/pear') in 
>>>>>>>>>>>>> /usr/bin/whups-mail-filter on line 73 )
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> If I pipe with the local user (root) from the command line, 
>>>>>>>>>>>>> it works perfect.
>>>>>>>>>>>>> I guess it is about a missing environment o.s.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Can somebody advice, pls?
>>>>>>>>>>>>>
>>>>>>>>>>>>> br
>>>>>>>>>>>>> Carsten
>>>>>>>>>>>>
>>>>>>>>>>>> You have set the horde_dir configuration setting in PEAR 
>>>>>>>>>>>> only for the user that installed Horde, not for the user 
>>>>>>>>>>>> that runs the pipe. Either use the same user for both (web 
>>>>>>>>>>>> server user is always a good choice), or set the PEAR 
>>>>>>>>>>>> configuration for the other user too, or set the 
>>>>>>>>>>>> configuration globally:
>>>>>>>>>>>> $ pear config-set -c horde horde_dir /real/path/to/horde
>>>>>>>>>>>> $ pear config-set -c horde horde_dir /real/path/to/horde system
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Hmm... ok, I see.
>>>>>>>>>>> Let's check:
>>>>>>>>>>> that's the user, I installed horde with:
>>>>>>>>>>> root at derdapp004 /etc/postfix # pear config-show -c horde|grep 
>>>>>>>>>>> -i horde_dir
>>>>>>>>>>> Base Horde directory           horde_dir /var/www/horde
>>>>>>>>>>>
>>>>>>>>>>> This is the user, the apache2 is running:
>>>>>>>>>>> root at derdapp004 /etc/postfix # sudo -u www-data pear 
>>>>>>>>>>> config-show -c horde|grep -i horde_dir
>>>>>>>>>>> Base Horde directory           horde_dir 
>>>>>>>>>>> /usr/share/php/www/horde
>>>>>>>>>>>
>>>>>>>>>>> And that's the postfix user:
>>>>>>>>>>> root at derdapp004 /etc/postfix # sudo -u postfix pear 
>>>>>>>>>>> config-show -c horde|grep -i horde_dir
>>>>>>>>>>> Base Horde directory           horde_dir 
>>>>>>>>>>> /usr/share/php/www/horde
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> ok. just to verify, the issue is still persistent, one test 
>>>>>>>>>>> before the configuration change:
>>>>>>>>>>> ##############
>>>>>>>>>>> Mar  9 16:56:59 derdapp004 postfix/local[15222]: 117514085F: 
>>>>>>>>>>> to=<whups at localhost>, orig_to=<whups@[mydn.tld]>, 
>>>>>>>>>>> relay=local, delay=0.57, delays=0.08/0.04/0/0.46, dsn=5.3.0, 
>>>>>>>>>>> status=bounced (Command died with status 255: 
>>>>>>>>>>> "/usr/bin/whups-mail-filter -g". Command output: PHP Warning: 
>>>>>>>>>>> require_once(/whups/lib/Application.php): failed to open 
>>>>>>>>>>> stream: No such file or directory in 
>>>>>>>>>>> /usr/bin/whups-mail-filter on line 73 PHP Fatal error: 
>>>>>>>>>>> require_once(): Failed opening required 
>>>>>>>>>>> '/whups/lib/Application.php' 
>>>>>>>>>>> (include_path='.:/usr/share/php:/usr/share/pear') in 
>>>>>>>>>>> /usr/bin/whups-mail-filter on line 73 )
>>>>>>>>>>> ################
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Now I configure postfix for the dir, as root has it set:
>>>>>>>>>>> root at derdapp004 /etc/postfix # sudo -u postfix pear 
>>>>>>>>>>> config-set -c horde horde_dir /var/www/horde
>>>>>>>>>>> config-set (horde_dir, /var/www/horde, user) failed, channel 
>>>>>>>>>>> pear.horde.org
>>>>>>>>>>>
>>>>>>>>>>> uups... ?!?
>>>>>>>>>>> With that knowledge I searched again the all-knowing-heapdump 
>>>>>>>>>>> and found other horde user having that issue -which is a 
>>>>>>>>>>> pear-issue, not a horde issue.
>>>>>>>>>>> Daemon user do not have a interactive profile, so You 
>>>>>>>>>>> !_have_! to set it system wide from my point of view.
>>>>>>>>>>>
>>>>>>>>>>> root at derdapp004 /home # pear config-set -c horde horde_dir 
>>>>>>>>>>> /var/www/horde system
>>>>>>>>>>> config-set succeeded
>>>>>>>>>>>
>>>>>>>>>>> And again, we test:
>>>>>>>>>>> ##########################
>>>>>>>>>>> Mar  9 16:59:54 derdapp004 postfix/local[15508]: 4CC8340861: 
>>>>>>>>>>> to=<whups at localhost>, orig_to=<whups@[mydn.tld]>, 
>>>>>>>>>>> relay=local, delay=1, delays=0.06/0.03/0/0.95, dsn=5.3.0, 
>>>>>>>>>>> status=bounced (Command died with status 1: 
>>>>>>>>>>> "/usr/bin/whups-mail-filter -g". Command output: Fatal Error: 
>>>>>>>>>>> No such backend "" found In 
>>>>>>>>>>> /var/www/horde/whups/lib/Factory/Driver.php on line 46 1. 
>>>>>>>>>>> Horde_Registry::appInit() 
>>>>>>>>>>> /usr/bin/whups-mail-filter:74              2. 
>>>>>>>>>>> Horde_Registry->pushApp() 
>>>>>>>>>>> /usr/share/php/Horde/Registry.php:299      3. 
>>>>>>>>>>> Horde_Registry->_pushAppError() 
>>>>>>>>>>> /usr/share/php/Horde/Registry.php:1640 4. 
>>>>>>>>>>> Horde_Registry::appInit() /usr/bin/whups-mail-filter:74 5. 
>>>>>>>>>>> Horde_Registry->pushApp() 
>>>>>>>>>>> /usr/share/php/Horde/Registry.php:299      6. 
>>>>>>>>>>> Horde_Registry->callAppMethod() 
>>>>>>>>>>> /usr/share/php/Horde/Registry.php:1635 7. 
>>>>>>>>>>> call_user_func_array() /usr/share/php/Horde/Registry.php:1197 
>>>>>>>>>>> 8. Horde_Registry_Application->init() 9. 
>>>>>>>>>>> Whups_Application->_init() 
>>>>>>>>>>> /usr/share/php/Horde/Registry/Application.php:117 10. 
>>>>>>>>>>> Whups_Factory_Driver->create() 
>>>>>>>>>>> /var/www/horde/whups/lib/Application.php:49 )
>>>>>>>>>>>
>>>>>>>>>>> ##########################
>>>>>>>>>>>
>>>>>>>>>>> Here is my test mail for better debugging:
>>>>>>>>>>>
>>>>>>>>>>> ##########################
>>>>>>>>>>> root at derdapp001 ~ # sendmail whups@[mydn.tld]
>>>>>>>>>>> subject: Monitoring: test ticket
>>>>>>>>>>> data
>>>>>>>>>>> Hello World
>>>>>>>>>>> [CTRL]+d
>>>>>>>>>>> ##########################
>>>>>>>>>>>
>>>>>>>>>>> Let's give it a try on the local command line as postfix user:
>>>>>>>>>>> We create a little script:
>>>>>>>>>>> #################################
>>>>>>>>>>> 1 root at derdapp004 /tmp # cat testmail :(
>>>>>>>>>>> #!/bin/bash
>>>>>>>>>>> clear;
>>>>>>>>>>> echo "Hi, my name is $(whoami)";
>>>>>>>>>>> echo "from: root at derdapp001.[mydn.tld] _
>>>>>>>>>>> to: whups@[mydn.tld] _
>>>>>>>>>>> subject: Monitoring: test alert _
>>>>>>>>>>>  _
>>>>>>>>>>> hallo welt _
>>>>>>>>>>>  _
>>>>>>>>>>> "|whups-mail-filter -g -q monitoring;
>>>>>>>>>>> ######################################
>>>>>>>>>>>
>>>>>>>>>>> now we fire it as postfix:
>>>>>>>>>>> ####################################
>>>>>>>>>>> root at derdapp004 /tmp # sudo -u postfix /tmp/testmail
>>>>>>>>>>> learscreen]
>>>>>>>>>>> Hi, my name is postfix
>>>>>>>>>>>
>>>>>>>>>>> Message from syslogd at derdapp004 at Mar  9 17:28:18 ...
>>>>>>>>>>>  HORDE: No such backend "" found [pid 17708 on line 1679 of 
>>>>>>>>>>> "/usr/share/php/Horde/Registry.php"]
>>>>>>>>>>>
>>>>>>>>>>>   Fatal Error:
>>>>>>>>>>>   No such backend "" found
>>>>>>>>>>>   In /var/www/horde/whups/lib/Factory/Driver.php on line 46
>>>>>>>>>>>
>>>>>>>>>>>    1. Horde_Registry::appInit() /usr/bin/whups-mail-filter:74
>>>>>>>>>>>    2. Horde_Registry->pushApp() 
>>>>>>>>>>> /usr/share/php/Horde/Registry.php:299
>>>>>>>>>>>    3. Horde_Registry->_pushAppError()
>>>>>>>>>>> /usr/share/php/Horde/Registry.php:1640
>>>>>>>>>>>    4. Horde_Registry::appInit() /usr/bin/whups-mail-filter:74
>>>>>>>>>>>    5. Horde_Registry->pushApp() 
>>>>>>>>>>> /usr/share/php/Horde/Registry.php:299
>>>>>>>>>>>    6. Horde_Registry->callAppMethod()
>>>>>>>>>>> /usr/share/php/Horde/Registry.php:1635
>>>>>>>>>>>    7. call_user_func_array() 
>>>>>>>>>>> /usr/share/php/Horde/Registry.php:1197
>>>>>>>>>>>    8. Horde_Registry_Application->init()
>>>>>>>>>>>    9. Whups_Application->_init()
>>>>>>>>>>> /usr/share/php/Horde/Registry/Application.php:117
>>>>>>>>>>>   10. Whups_Factory_Driver->create()
>>>>>>>>>>> /var/www/horde/whups/lib/Application.php:49
>>>>>>>>>>> ###################################
>>>>>>>>>>>
>>>>>>>>>>> Ok, give it a try on the root user:
>>>>>>>>>>>
>>>>>>>>>>> #######################################
>>>>>>>>>>> root at derdapp004 /tmp # ./testmail
>>>>>>>>>>> [clearscreen]
>>>>>>>>>>>
>>>>>>>>>>> Hi, my name is root
>>>>>>>>>>> Usage: whups-mail-filter [options]
>>>>>>>>>>>
>>>>>>>>>>> [bla bla bla]
>>>>>>>>>>>
>>>>>>>>>>>   Fatal Error:
>>>>>>>>>>>   --queue-name or --queue-id must specify a valid and public 
>>>>>>>>>>> queue.
>>>>>>>>>>>      Available queues:
>>>>>>>>>>>
>>>>>>>>>>>   1. Horde_Cli->fatal() /usr/bin/whups-mail-filter:169
>>>>>>>>>>>
>>>>>>>>>>> ##########################################################
>>>>>>>>>>>
>>>>>>>>>>> WTF?!?!?
>>>>>>>>>>>
>>>>>>>>>>> Revert system pear setting:
>>>>>>>>>>> ####################################
>>>>>>>>>>> root at derdapp004 /tmp # pear config-set -c horde horde_dir '' 
>>>>>>>>>>> system
>>>>>>>>>>> config-set succeeded
>>>>>>>>>>> ######################################
>>>>>>>>>>> again, local root test:
>>>>>>>>>>>
>>>>>>>>>>> #############################
>>>>>>>>>>> root at derdapp004 /tmp # ./testmail
>>>>>>>>>>> [clearscreen]
>>>>>>>>>>>
>>>>>>>>>>> [bla bla bla]
>>>>>>>>>>>
>>>>>>>>>>>   Fatal Error:
>>>>>>>>>>>   --queue-name or --queue-id must specify a valid and public 
>>>>>>>>>>> queue.
>>>>>>>>>>>      Available queues:
>>>>>>>>>>>
>>>>>>>>>>>   1. Horde_Cli->fatal() /usr/bin/whups-mail-filter:169
>>>>>>>>>>>
>>>>>>>>>>> ###################################
>>>>>>>>>>>
>>>>>>>>>>> ok, last try, we check with the www-data:
>>>>>>>>>>>
>>>>>>>>>>> ##############################
>>>>>>>>>>> root at derdapp004 ~www # sudo -u www-data /tmp/testmail
>>>>>>>>>>> [clearscreen]
>>>>>>>>>>>
>>>>>>>>>>> Hi, my name is www-data
>>>>>>>>>>> root at derdapp004 ~www #
>>>>>>>>>>> ##############################
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Well... ok, what is now going on.
>>>>>>>>>>> Permission check on queue has been done.
>>>>>>>>>>> Full rights for guest (tuned up during debugging).
>>>>>>>>>>> So what is wrong here?
>>>>>>>>>>>
>>>>>>>>>>> *confused*
>>>>>>>>>>>
>>>>>>>>>>> Carsten
>>>>>>>>>>
>>>>>>>>>> Two things to rule out:
>>>>>>>>>>
>>>>>>>>>> - Use -Q instead of -q
>>>>>>>>>> - Try using -a
>>>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>> ok, changed the script like this:
>>>>>>>>> #################################
>>>>>>>>> root at derdapp004 /tmp # cat testmail :(
>>>>>>>>> #!/bin/bash
>>>>>>>>> clear;
>>>>>>>>> echo "Hi, my name is $(whoami)";
>>>>>>>>> echo "from: root at derdapp001.[mydn.tld] _
>>>>>>>>> to: whups@[mydn.tld] _
>>>>>>>>> subject: Monitoring: test alert _
>>>>>>>>>  _
>>>>>>>>> hallo welt _
>>>>>>>>>  _
>>>>>>>>> "|whups-mail-filter -g -Q 5 -a carsten@[mydn.tld];
>>>>>>>>> ###################################
>>>>>>>>> Check root user: OK
>>>>>>>>> Check www-data: OK
>>>>>>>>> Check postfix: failed
>>>>>>>>> ###############################
>>>>>>>>> Hi, my name is postfix
>>>>>>>>> PHP Warning: 
>>>>>>>>> require_once(/var/www/horde/whups/lib/Application.php): failed 
>>>>>>>>> to open stream: Permission denied in /usr/bin/whups-mail-filter 
>>>>>>>>> on line 73
>>>>>>>>> PHP Fatal error:  require_once(): Failed opening required 
>>>>>>>>> '/var/www/horde/whups/lib/Application.php' 
>>>>>>>>> (include_path='.:/usr/share/php:/usr/share/pear') in 
>>>>>>>>> /usr/bin/whups-mail-filter on line 73
>>>>>>>>> ###############################
>>>>>>>>>
>>>>>>>>> Can You specify which files to check for permission settings?
>>>>>>>>> At the moment I have 744 on all directories at /var/www/horde
>>>>>>>>> and 745 on all files in the structure -I know a little 
>>>>>>>>> insecure, but it debugging time ;-)
>>>>>>>>>
>>>>>>>>> br
>>>>>>>>> Carsten
>>>>>>>>
>>>>>>>> /var/www/horde/whups/lib/Application.php is the file that cannot 
>>>>>>>> be opened due to permission problems.
>>>>>>>>
>>>>>>> Checked file permissions. As described above:
>>>>>>>
>>>>>>> ###################
>>>>>>> #
>>>>>>> root at derdapp004 ~www/horde/whups/lib # pwd
>>>>>>> /var/www/horde/whups/lib
>>>>>>> root at derdapp004 ~www/horde/whups/lib # ll Application.php
>>>>>>> -rwxr--r-x 1 www-data root 9169 Mar  7 11:33 Application.php
>>>>>>> ##
>>>>>>> ##################
>>>>>>>
>>>>>>> Let's check, what would be the output of a call of that file:
>>>>>>>
>>>>>>> #################
>>>>>>> ##
>>>>>>> root at derdapp004 ~www/horde/whups/lib # php -f Application.php
>>>>>>> root at derdapp004 ~www/horde/whups/lib #
>>>>>>> ##
>>>>>>> #################
>>>>>>>
>>>>>>> Now with postfix:
>>>>>>>
>>>>>>> #################
>>>>>>> ##
>>>>>>> root at derdapp004 ~www/horde # sudo -u postfix php -f 
>>>>>>> /var/www/horde/whups/lib/Application.php
>>>>>>> Could not open input file: /var/www/horde/whups/lib/Application.php
>>>>>>> #
>>>>>>> ##################
>>>>>>>
>>>>>>> Now I did a more intense check of the permissions, using
>>>>>>>
>>>>>>> ##############
>>>>>>> ##
>>>>>>> root at derdapp004 ~www/horde/whups/lib # sudo -u postfix ls 
>>>>>>> /var/www/horde/whups/lib
>>>>>>> ls: cannot access /var/www/horde/whups/lib: Permission denied
>>>>>>> root at derdapp004 ~www/horde/whups/lib # cd /var/www/horde
>>>>>>> root at derdapp004 ~www/horde # ll
>>>>>>> total 136
>>>>>>> [...snipp...]
>>>>>>> drwxr--r-- 13 www-data root  4096 Mar  7 11:33 whups
>>>>>>> ##
>>>>>>> ##############
>>>>>>>
>>>>>>> and bingo, a thing, I will never understand in the LX permission 
>>>>>>> context: You need execute to enter a directory
>>>>>>> Thinking about RBAC I solved it with this:
>>>>>>> 1st: create a group "www-horde"
>>>>>>> 2nd: put user postfix into that group
>>>>>>> 3rd: do a "chown -R www-data:www-horde /var/www/horde"
>>>>>>> 4th: do a "chmod -R 750 /var/www/horde"
>>>>>>> 5th: do another test:
>>>>>>>
>>>>>>> #################
>>>>>>> ##
>>>>>>> root at derdapp004 ~www/horde # sudo -u postfix /tmp/testmail
>>>>>>> learscreen]
>>>>>>> Hi, my name is postfix
>>>>>>> root at derdapp004 ~www/horde #
>>>>>>> ##
>>>>>>> #################
>>>>>>>
>>>>>>> Ticket created!! And now: be happy.... ;-)
>>>>>>>
>>>>>>> Thanks for You patients and help!!
>>>>>>>
>>>>>>> br
>>>>>>> Carsten
>>>>>>
>>>>>> ok, back, where we have started. I've forgotten the test using the 
>>>>>> mail:
>>>>>> #######################
>>>>>> ##
>>>>>>
>>>>>> <whups at localhost> (expanded from <whups@[mydn.tld]>): Command died 
>>>>>> with
>>>>>>     status 255: "/usr/bin/whups-mail-filter -g -a 
>>>>>> carsten@[mydn.tld] -Q
>>>>>>     5". Command output: PHP Warning:
>>>>>> require_once(/var/www/horde/whups/lib/Application.php): failed to 
>>>>>> open
>>>>>>     stream: Permission denied in /usr/bin/whups-mail-filter on 
>>>>>> line 73 PHP
>>>>>>     Fatal error:  require_once(): Failed opening required
>>>>>>     '/var/www/horde/whups/lib/Application.php'
>>>>>>     (include_path='.:/usr/share/php:/usr/share/pear') in
>>>>>>     /usr/bin/whups-mail-filter on line 73
>>>>>>
>>>>>> ##
>>>>>> #######################
>>>>>>
>>>>>> *BöseFlüche*
>>>>>>
>>>>>> What else have I missed?
>>>>>>
>>>>>> br
>>>>>> Carsten
>>>>>
>>>>> I did some more research and found that:
>>>>> "...
>>>>> postfix/main.cf
>>>>> default_privs (default: nobody)
>>>>> The default rights used by the local(8) delivery agent for delivery 
>>>>> to external file or command. These rights are used when delivery is 
>>>>> requested from an aliases(5) file that is owned by root, or when 
>>>>> delivery is done on behalf of root. DO NOT SPECIFY A PRIVILEGED 
>>>>> USER OR THE POSTFIX OWNER.
>>>>> ..."
>>>>>
>>>>> I added two lines to the whups-mail-filter like that:
>>>>> "...
>>>>> <?php
>>>>> $shellex = shell_exec("logger INFO $(whoami)");
>>>>> echo $shellex;
>>>>> ..."
>>>>>
>>>>> Which returned this in the syslog:
>>>>> "..
>>>>> Mar 11 13:25:58 derdapp004 logger: INFO nobody
>>>>> ..."
>>>>>
>>>>> So, we are back to the permissions.
>>>>>
>>>>> 1st: create a new user "postfix-pipe"
>>>>> 2nd: add it to the group "www-horde".
>>>>> 3rd: add "default_privs = postfix-pipe" to the main.cf
>>>>> 4th: do a postmap main.cf and a postfix reload
>>>>> 5th: do a command line check:
>>>>> ##############################
>>>>> ##
>>>>> root at derdapp004 /etc # sudo -u postfix-pipe php -f 
>>>>> /var/www/horde/whups/lib/Application.php
>>>>> root at derdapp004 /etc #
>>>>> ##
>>>>> ##############################
>>>>> => works!
>>>>>
>>>>> 6th: do a mail check:
>>>>> "...
>>>>> Mar 11 13:54:39 derdapp004 logger: INFO postfix-pipe
>>>>> Mar 11 13:54:40 derdapp004 postfix/local[32191]: A2D55415CC: 
>>>>> to=<whups at localhost>, orig_to=<whups@[mydn.tld]>, relay=local, 
>>>>> delay=0.61, delays=0.08/0.04/0/0.5, dsn=5.3.0, status=bounced 
>>>>> (Command died with status 255: "/usr/bin/whups-mail-filter -g -a 
>>>>> carsten@[mydn.tld] -Q 5". Command output: PHP Warning: 
>>>>> require_once(/var/www/horde/whups/lib/Application.php): failed to 
>>>>> open stream: Permission denied in /usr/bin/whups-mail-filter on 
>>>>> line 76 PHP Fatal error: require_once(): Failed opening required 
>>>>> '/var/www/horde/whups/lib/Application.php' 
>>>>> (include_path='.:/usr/share/php:/usr/share/pear') in 
>>>>> /usr/bin/whups-mail-filter on line 76 )
>>>>> ..."
>>>>> => FAILS!!
>>>>>
>>>>> now I am totaly off.......
>>>>
>>>> Did you check the permissions of all parent directories too?
>>>>
>>> I think, I did, but let's walk through:
>>> Toplevel "var" looks ok (other = r and x):
>>> ###
>>> root at derdapp004 ~www # cd /
>>> root at derdapp004 / # ll
>>> [...snip...]
>>> drwxr-xr-x  14 root  root       4096 May  3  2017 var
>>> ###
>>>
>>> Step into /var and check "www".
>>> looks good, too.(other = r and x):
>>> ###
>>> root at derdapp004 / # cd var
>>> root at derdapp004 /var # ll
>>> [...snip...]
>>> drwxr-xr-x  4 root  root  4096 May  6  2017 www
>>> ###
>>>
>>> Now into www to check "horde".
>>> From here we use group permission (www-horde = r and x)
>>> ###
>>> oot at derdapp004 /var # cd www
>>> root at derdapp004 ~www # ll
>>> drwxr-x--- 24 www-data www-horde 4096 Mar  7 11:33 horde
>>> ###
>>>
>>> Next below horde is "whups":
>>> ###
>>> root at derdapp004 ~www # cd horde :(
>>> root at derdapp004 ~www/horde # ll
>>> [...snip...]
>>> drwxr-x--- 13 www-data www-horde  4096 Mar  7 11:33 whups
>>> ###
>>>
>>> Subfolder "lib":
>>> ###
>>> oot at derdapp004 ~www/horde # cd whups
>>> root at derdapp004 ~www/horde/whups # ll
>>> [..snip..]
>>> drwxr-x--- 14 www-data www-horde 4096 Mar  7 11:33 lib
>>> ###
>>>
>>> and last but nor least the file itself:
>>> ###
>>> root at derdapp004 ~www/horde/whups # cd lib
>>> root at derdapp004 ~www/horde/whups/lib # ll
>>> [...snip...]
>>> -rwxr-x--- 1 www-data www-horde  9232 Mar 11 18:55 Application.php
>>> ###
>>>
>>> I do not see any error from that point of view.
>>>
>>> If I do a "chmod -R 777 *" through the horde structure, it works.
>>> I have added the "whoami" lines to the "Application.php" and it 
>>> returns "postfix-pipe" if executed successful.
>>>
>>> I already checked for apparmor and selinux, but last is not active 
>>> and first is only configured for mysql.
>>> The server has been rebooted meanwhile, too, just to make sure the 
>>> new user/group objects are loaded, but no change.
>>> At the moment I am totally out of ideas, and a "777" is not really 
>>> acceptable from my perspective.
>>>
>>> Any idea, how to do a "strace" on whups-mail-filter?!
>>>
>>> br
>>> Carsten
>>
>> strace php whups-mail-filter
>>
> After tricking around, with how to implement this in the alias pipe, I 
> worked out this simple solution:
> 
> "...
> whups:   "|strace -o /tmp/trace.log /usr/bin/whups-mail-filter -g -a 
> carsten@[mydn.tld] -Q 5"
> ..."
> 
> sending a mail to the pipe creates some output including this part:
> 
> ####################
> ###
> [...snip...]
> gettimeofday({1520811096, 605233}, NULL) = 0
> lstat64("/var/www/horde/whups/lib/Application.php", 0xbec64008) = -1 
> EACCES (Permission denied)
> gettimeofday({1520811096, 605766}, NULL) = 0
> lstat64("/var/www/horde/whups/lib/Application.php", 0xbec63f18) = -1 
> EACCES (Permission denied)
> gettimeofday({1520811096, 606180}, NULL) = 0
> lstat64("/var/www/horde/whups/lib/Application.php", 0xbec65fe0) = -1 
> EACCES (Permission denied)
> lstat64("/var/www/horde/whups/lib", 0xbec65ee0) = -1 EACCES (Permission 
> denied)
> lstat64("/var/www/horde/whups", 0xbec65df0) = -1 EACCES (Permission denied)
> lstat64("/var/www/horde", {st_mode=S_IFDIR|0770, st_size=4096, ...}) = 0
> lstat64("/var/www", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
> lstat64("/var", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
> open("/var/www/horde/whups/lib/Application.php", O_RDONLY|O_LARGEFILE) = 
> -1 EACCES (Permission denied)
> [...snip...]
> ###
> ####################
> 
> Well nothing surprising in the first view.
> If I run a simple command line like
> "...
> sudo -u postfix-pipe strace -o /tmp/trace1.log /usr/bin/whups-mail-filter
> ..."
> 
> This is the output:
> 
> ####################
> ###
> [...snip...]
> ettimeofday({1520812051, 622266}, NULL) = 0
> lstat64("/var/www/horde/whups/lib/Application.php", 
> {st_mode=S_IFREG|0770, st_size=9232, ...}) = 0
> lstat64("/var/www/horde/whups/lib", {st_mode=S_IFDIR|0770, st_size=4096, 
> ...}) = 0
> lstat64("/var/www/horde/whups", {st_mode=S_IFDIR|0770, st_size=4096, 
> ...}) = 0
> lstat64("/var/www/horde", {st_mode=S_IFDIR|0770, st_size=4096, ...}) = 0
> lstat64("/var/www", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
> lstat64("/var", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
> gettimeofday({1520812051, 624126}, NULL) = 0
> open("/var/www/horde/whups/lib/Application.php", O_RDONLY|O_LARGEFILE) = 4
> [...snip...]
> ###
> ####################
> 
> Do You see the different values in the lstat64? Where do they come from?
> Somebody more familiar with strace output here?
> 

Are you sure that postfix-pipe is the correct user? As far as I can tell 
"default_privs" only affects local deliveries, not pipe. Try changing to

whups:   "|whoami > /tmp/post-user && strace -o /tmp/trace.log 
/usr/bin/whups-mail-filter -g -a carsten@[mydn.tld] -Q 5"


and then checking the contents of /tmp/post-user .
-------------- next part --------------
A non-text attachment was scrubbed...
Name: boutilpj.vcf
Type: text/x-vcard
Size: 286 bytes
Desc: not available
URL: <https://lists.horde.org/archives/horde/attachments/20180312/6732e1dc/attachment.vcf>


More information about the horde mailing list