alias 'feed to program': permission denied

Hello!

I’m having a problem figuring out how to get the ‘feed to program’ option working for one user’s aliases. The problem seems to be that the script is in the user’s home directory, which isn’t readable by postfix.

Postfix can, of course, access the Maildirs. I assume this is because it changes the uid when a user logs in or when it delivers mail, which makes some sense.

However, the ‘feed to program’ option doesn’t seem to take advantage of this.

Would someone be willing to educate me on what I need to do? Here’s my setup:

alias: devbot@sitename.com -> ‘Feed to script’ -> /home/users/jsmith/domains/sitename.com/includes/scriptname.php

[code:1]
[jsmith@server ~]$ pwd
/home/users/jsmith
[jsmith@server ~]$ ls -lad
drwxr-x--- 21 jsmith jsmith 4096 Aug 14 08:54 .
[jsmith@server ~]$ cd domains/
[jsmith@server domains]$ ls -lad
drwxr-xr-x 10 jsmith jsmith 4096 Aug 8 21:54 .
[jsmith@server domains]$ cd sitename.com/
[jsmith@server sitename.com]$ ls -lad
drwxr-x--- 12 jsmith jsmith 4096 Aug 14 00:03 .
[jsmith@server sitename.com]$ cd includes/
[jsmith@server includes]$ ls -la scriptname.php
-rwxr-xr-x 1 jsmith jsmith 4269 Aug 14 08:59 scriptname.php
[jsmith@server includes]$
[/code:1]

Post edited by: kato, at: 2008/08/14 08:27

C’mon, gimme some love! :slight_smile:

Here’s what I see in the logs:

[code:1]
Aug 15 09:45:48 server local[26556]: fatal: execvp /home/users/jsmith/domains/jsmith.com/includes/egate_helpdesk.php: Permission denied
Aug 15 09:45:49 server postfix/local[26521]: E8562D00ED: to=<devbot-jsmith.com@server.zenovations.com>, orig_to=<devbot@jsmith.com>, relay=local, delay=2, status=bounced (Command died with status 1: "/home/users/jsmith/domains/jsmith.com/includes/egate_helpdesk.php". Command output: local: fatal: execvp /home/users/jsmith/domains/jsmith.com/includes/egate_helpdesk.php: Permission denied )
[/code:1]

Anyone want to help me figure out how to make scripts run in the user’s home directory?

Yeah, it looks like that’s being executed from within Postfix, and perhaps before being passed off to procmail.

So two thoughts.

One, you could use a procmail rule to execute it rather than using the Postfix alias – which should execute as that user.

Second, and a bit less secure, you could make all the directories between /home/users/jsmith and /home/users/jsmith/domains/jsmith.com/includes/ world executable, which will allow processes to traverse your directory structure.

You can make a directory world executable by typing: chmod o+x /path/to/dir

The problem there is that anyone can now get there, not just Postfix. That said, since it’s just executable and not readable, someone typing “ls” won’t see anything.

So, procmail is the safer and more secure option. Changing the permissions may be the easier one :slight_smile:
-Eric
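
A way to see which directory on the path is blocking traversal before loosening any permissions, as an added example that is not part of the original thread. The names `other_x` and `first_blocked` and the optional base argument are made up for this sketch; it reads only the "other" permission bits, so it assumes the delivering process is neither the owner nor in the group.

```shell
#!/bin/sh
# Added example (not from the thread): find the first path component that a
# process in the "other" permission class cannot traverse or execute.
# Assumptions: absolute path; only classic mode bits are read, so ACLs are
# ignored and a symlink is judged by its own mode, not its target's.

# Print column 10 of `ls -ld`: the other-execute (search) flag.
other_x() {
    ls -ld "$1" 2>/dev/null | cut -c10
}

# first_blocked TARGET [BASE]
# Walk TARGET one component at a time, starting below BASE (default: /).
# Prints the first component without o+x and returns 1; returns 0 if the
# whole chain, including the final file, is open to "other".
first_blocked() {
    base=${2:-}
    base=${base%/}
    current=$base
    rest=${1#"$base"}
    rest=${rest#/}
    while [ -n "$rest" ]; do
        part=${rest%%/*}
        case $rest in
            */*) rest=${rest#*/} ;;
            *)   rest="" ;;
        esac
        [ -n "$part" ] || continue      # skip empty parts from "//"
        current="$current/$part"
        case $(other_x "$current") in
            x|t) ;;                      # x, or t = sticky plus x
            *)   printf '%s\n' "$current"; return 1 ;;
        esac
    done
    return 0
}

# Example call with the path from the log above:
# first_blocked /home/users/jsmith/domains/jsmith.com/includes/egate_helpdesk.php
```

Run it again after each `chmod o+x` to see the next blocking directory, so only the components that actually need the bit get it.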

Hi Eric

Thanks! So procmail…

I looked over the procmail options in webmin and decided this is beyond my skill. I’ll have a looksee at what Google can teach me. Would you be willing to help me get off on the right foot?

I presume this is what I’m looking for:
[ol]
[li]tell Postfix to deliver normally (to a Maildir?)[/li]
[li]switch over to webmin and go to Procmail server[/li]
[li]enter some voodoo magic in “Create Action”… maybe a regexp that searches for From: devbot@jsmith.com?[/li]
[/ol]

Any tips on what I’m trying to do here? Check “Action program is a filter”? “Feed headers/body to destination?”

Hi Kato,

Sorry, I haven’t had a chance to go through and get a handle on how the procmail building works within Webmin/Usermin. So I’m just sort of thinking out loud here :slight_smile:

Yes, in theory, what you’re saying above is correct… given a particular user, you’d want to make a regexp that looks for a given From address.

Also, I’m pretty sure you can give users rights to do this from within Usermin, rather than going into the Procmail server section of Webmin. Once you log into Virtualmin, click Webmin -> Usermin Configuration -> Available Modules, then make sure “Procmail Mail Filter” is there. If you want to limit who can access Procmail, you can use the “Module Restrictions” section for that.

In the end, once you configure things the way you need, it would end up adding something like this to the procmail file:

[code:1]
:0:
* From:.*devbot@jsmith.com
| /home/users/jsmith/domains/jsmith.com/includes/egate_helpdesk.php
[/code:1]

I hope that helps in getting you started! :slight_smile:
-Eric

Awesome, thanks.

I think I’ll add that to the procmail file, then log into virtualmin and see what shows up :slight_smile: