Mailing List Archive

Urgent problem with exim, php and apache ("unable to set gid/uid" error)
Hello all,
I recently updated one of my servers - it's now running Ubuntu Linux
14.04.1 server. The exim running is 4.82, the apache calls itself:

> Apache/2.4.10 (Unix) mpm-itk/2.4.7-02 OpenSSL/1.0.1f PHP/5.5.16

My problem is that since the update, I cannot send mail via PHP's mail
function anymore. PHP logs no error, but exim writes

> unable to set gid=1002 or uid=0 (euid=0): forcing real = effective

(1002 is the apache group)

The thing is: exactly the same PHP script is running fine from the
console even if I log in as the user (and group) of the apache
webserver. It just doesn't work from within apache/php.

What is the problem here? The debug output for the web-based try is
fairly short:

> Exim version 4.82 uid=1308 gid=1002 pid=2701 D=fbb95cfd
> Berkeley DB: Berkeley DB 5.3.28: (September 9, 2013)
> Support for: crypteq iconv() IPv6 GnuTLS move_frozen_messages DKIM
> Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm
> dbmjz dbmnz dnsdb dsearch nis nis0 passwd
> Authenticators: cram_md5 plaintext
> Routers: accept dnslookup ipliteral manualroute queryprogram redirect
> Transports: appendfile/maildir/mailstore autoreply lmtp pipe smtp
> Fixed never_users: 0
> Size of off_t: 8
> Compiler: GCC [4.8.2]
> Library version: GnuTLS: Compile: 2.12.23
> Runtime: 2.12.23
> Library version: PCRE: Compile: 8.31
> Runtime: 8.31 2012-07-06
> Total 13 lookups
> WHITELIST_D_MACROS: "OUTGOING"
> TRUSTED_CONFIG_LIST: "/etc/exim4/trusted_configs"
> LOG: MAIN PANIC DIE
> unable to set gid=1002 or uid=0 (euid=0): forcing real = effective
> search_tidyup called
> >>>>>>>>>>>>>>>> Exim pid=2701 terminating with rc=1 >>>>>>>>>>>>>>>>

The console-based try (which succeeds) is pages and pages of debug
output, I'll include the line up to the first difference:

> exec /usr/sbin/exim4 -d=0xfbb95cfd -Mc 1XWMlR-0000dk-Aa
> Exim version 4.82 uid=106 gid=113 pid=2466 D=fbb95cfd
> Berkeley DB: Berkeley DB 5.3.28: (September 9, 2013)
> Support for: crypteq iconv() IPv6 GnuTLS move_frozen_messages DKIM
> Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm
> dbmjz dbmnz dnsdb dsearch nis nis0
> passwd
> Authenticators: cram_md5 plaintext
> Routers: accept dnslookup ipliteral manualroute queryprogram redirect
> Transports: appendfile/maildir/mailstore autoreply lmtp pipe smtp
> Fixed never_users: 0
> Size of off_t: 8
> Compiler: GCC [4.8.2]
> Library version: GnuTLS: Compile: 2.12.23
> Runtime: 2.12.23
> Library version: PCRE: Compile: 8.31
> Runtime: 8.31 2012-07-06
> Total 13 lookups
> WHITELIST_D_MACROS: "OUTGOING"
> TRUSTED_CONFIG_LIST: "/etc/exim4/trusted_configs"
> changed uid/gid: forcing real = effective
> uid=0 gid=113 pid=2466
> auxiliary group list: <none>

uid=0 is of course root, gid=113 is "Debian-exim", the default group for
exim. So, from what I gather, exim tries to become root:Debian-exim, and
succeeds from the console but fails from within apache. Why? The exim4
executable has the proper permissions:

> -rwsr-xr-x 1 root root 983296 Feb 25 2014 /usr/sbin/exim4

Why doesn't this work when exim is called via apache/php? What can I do
to get PHP mail() working again with exim?

Any help is appreciated; I'm banging my head against the wall here.

Greetings
Kasi Mir


--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: Urgent problem with exim, php and apache ("unable to set gid/uid" error)
On Tue, Sep 23, 2014 at 12:20:56PM +0200, Karim 'Kasi Mir' Senoucci wrote:
> Why doesn't this work when exim is called via apache/php? What can I
> do to get PHP mail() working again with exim?

Probably your php script uses "-f" command line option to specify
envelope sender of the mail. If so, you should fill "trusted_users"
and/or "trusted_groups" configuration variables by script name/uid.
--
Eugene Berdnikov

Re: Urgent problem with exim, php and apache ("unable to set gid/uid" error)
Hello Merlin,
On 23.09.2014 at 12:40, Merlin Hartley wrote:
> this could be an SELinux feature.
>
> Try running ‘setenforce permissive’ and see if it fixes it…
>
> You could also check /var/log/audit
>
> Just a guess, I’m a CentOS guy really …
>
Thanks for your suggestion - but SELinux is not installed, as far as I
can see. Therefore sestatus and setenforce are unknown, and there is no
/var/log/audit. So I think the permission problem must arise from
somewhere else.

Greetings
Kasi Mir


Re: Urgent problem with exim, php and apache ("unable to set gid/uid" error)
On 23/09/14 11:20, Karim 'Kasi Mir' Senoucci wrote:
>> LOG: MAIN PANIC DIE
>> unable to set gid=1002 or uid=0 (euid=0): forcing real = effective
[...]
> uid=0 is of course root, gid=113 is "Debian-exim", the default group for
> exim. So, from what I gather, exim tries to become root:Debian-exim, and
> succeeds from the console but fails from within apache. Why? The exim4
> executable has the proper permissions:
>
>> -rwsr-xr-x 1 root root 983296 Feb 25 2014 /usr/sbin/exim4
>
> Why doesn't this work when exim is called via apache/php? What can I do
> to get PHP mail() working again with exim?
>
> Any help is appreciated; I'm banging my head against the wall here.

It's the setgid failing; the only documented error is EPERM
(you could check that with strace)

"The calling process is not privileged (does not have the
CAP_SETGID capability)"

Have Deb been playing with this sort of thing? You might
want to ask on a Debian mailing list.
--
Cheers,
Jeremy


Re: Urgent problem with exim, php and apache ("unable to set gid/uid" error)
Hi everyone,
On 23.09.2014 at 12:43, Evgeniy Berdnikov wrote:
> On Tue, Sep 23, 2014 at 12:20:56PM +0200, Karim 'Kasi Mir' Senoucci wrote:
>> Why doesn't this work when exim is called via apache/php? What can I
>> do to get PHP mail() working again with exim?
> Probably your php script uses "-f" command line option to specify
> envelope sender of the mail. If so, you should fill "trusted_users"
> and/or "trusted_groups" configuration variables by script name/uid.

No, that's not it.

My script uses the mail() function from PHP itself:

> $result = mail($email_to, $email_subject, $email_message, $headers);

In the php.ini I have:

> sendmail_path = "/usr/sbin/exim4 -ti"

(for the debug output, it was)

> sendmail_path = "/usr/sbin/exim4 -d -ti 2>>/tmp/exim.log"

There is no "-f" option set anywhere.

Plus, the web user (uid=1308) is included by name in "trusted_users".

Greetings
Kasi Mir


Re: Urgent problem with exim, php and apache ("unable to set gid/uid" error)
Hello again,
On 23.09.2014 at 12:56, Jeremy Harris wrote:
>
> It's the setgid failing; the only documented error is EPERM
> (you could check that with strace)
>
> "The calling process is not privileged (does not have the
> CAP_SETGID capability)"
>
> Have Deb been playing with this sort of thing? You might
> want to ask on a Debian mailing list.

The apache and php are self-compiled from source (and not the debian
sources, but from apache.org and php.net). I don't even know how I could
have removed the cap_setgid capability from apache and/or mod_php. What
should I look for?

Greetings
Kasi Mir


Re: Urgent problem with exim, php and apache ("unable to set gid/uid" error)
Hello all,
On 23.09.2014 at 13:26, Karim 'Kasi Mir' Senoucci wrote:
> Hello again,
> On 23.09.2014 at 12:56, Jeremy Harris wrote:
>>
>> It's the setgid failing; the only documented error is EPERM
>> (you could check that with strace)
>>
>> "The calling process is not privileged (does not have the
>> CAP_SETGID capability)"
>>
>> Have Deb been playing with this sort of thing? You might
>> want to ask on a Debian mailing list.
>
> The apache and php are self-compiled from source (and not the debian
> sources, but from apache.org and php.net). I don't even know how I
> could have removed the cap_setgid capability from apache and/or
> mod_php. What should I look for?
>

Thanks a lot for the tip with the setgid - it turns out it was a setting
in the mpm-itk module of apache which by default prevented the group
change. After explicitly setting the parameter in question
(LimitGIDRange), it started working again as on the old server.

Greetings
Kasi Mir



Re: Urgent problem with exim, php and apache ("unable to set gid/uid" error)
On Tue, Sep 23, 2014 at 01:18:03PM +0200, Karim 'Kasi Mir' Senoucci wrote:
> On 23.09.2014 at 12:43, Evgeniy Berdnikov wrote:
> >On Tue, Sep 23, 2014 at 12:20:56PM +0200, Karim 'Kasi Mir' Senoucci wrote:
> >>Why doesn't this work when exim is called via apache/php? What can I
> >>do to get PHP mail() working again with exim?
> > Probably your php script uses "-f" command line option to specify
> > envelope sender of the mail. If so, you should fill "trusted_users"
> > and/or "trusted_groups" configuration variables by script name/uid.
>
> No, that's not it.

[...]

> (for the debug output, it was)
>
> >sendmail_path = "/usr/sbin/exim4 -d -ti 2>>/tmp/exim.log"

I suggest looking into the uid/gid values.
Substitute your sendmail_path with the path of this script:

#!/bin/sh
# Log the ids of this wrapper process, then hand over to exim with debugging on.
log=/tmp/exim.log
ps -p $$ -o pid,ppid,uid,euid,ruid,suid,gid,egid,rgid,sgid,pgrp >"$log"
exec /usr/sbin/exim4 -d -ti "$@" 2>>"$log"

Let's see the difference when run from the console.
--
Eugene Berdnikov
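
An added example, not part of any post in this thread: a variant of the wrapper idea that also records capability and seccomp state, since ids alone do not show why setgid() is refused. It assumes, per mpm-itk's documentation, that LimitGIDRange is enforced with a seccomp filter (which child processes inherit); the function names and the sample status text are constructed for illustration.

```shell
#!/bin/sh
# Summarise the credential context of a process from /proc/<pid>/status text.

# field NAME COLUMN: print value number COLUMN of the "NAME:" line on stdin.
field() { awk -v k="$1:" -v c="$2" '$1 == k { print $(c + 1); exit }'; }

# has_cap HEXMASK BIT: succeed if capability number BIT is set in HEXMASK.
has_cap() { [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]; }

# cred_report: read status text on stdin, print a one-line summary.
cred_report() {
    status=$(cat)
    ruid=$(printf '%s\n' "$status" | field Uid 1)
    euid=$(printf '%s\n' "$status" | field Uid 2)
    rgid=$(printf '%s\n' "$status" | field Gid 1)
    egid=$(printf '%s\n' "$status" | field Gid 2)
    capeff=$(printf '%s\n' "$status" | field CapEff 1)
    capbnd=$(printf '%s\n' "$status" | field CapBnd 1)
    seccomp=$(printf '%s\n' "$status" | field Seccomp 1)
    # Seccomp field: 0 = disabled, 1 = strict mode, 2 = filter mode.
    case "${seccomp:-0}" in
        0) sc=off ;; 1) sc=strict ;; 2) sc=filter ;; *) sc=unknown ;;
    esac
    # CAP_SETGID is capability number 6.
    if has_cap "${capeff:-0}" 6; then eff=yes; else eff=no; fi
    if has_cap "${capbnd:-0}" 6; then bnd=yes; else bnd=no; fi
    echo "ruid=$ruid euid=$euid rgid=$rgid egid=$egid setgid_eff=$eff setgid_bnd=$bnd seccomp=$sc"
}

# Constructed sample: a setuid-root binary started by uid 1308 / gid 1002
# that holds CAP_SETGID but runs under an inherited seccomp filter.
SAMPLE_STATUS='Name: exim4
Uid: 1308 0 0 0
Gid: 1002 1002 1002 1002
CapEff: 0000003fffffffff
CapBnd: 0000003fffffffff
Seccomp: 2'

# Live use inside a sendmail_path wrapper:
#   cred_report </proc/$$/status >>/tmp/exim.log
printf '%s\n' "$SAMPLE_STATUS" | cred_report
```

A report showing setgid_eff=yes together with seccomp=filter points away from file permissions and capabilities and towards a syscall filter set up by the parent process.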

Re: Urgent problem with exim, php and apache ("unable to set gid/uid" error)
I email manually and automatically from web pages using Apache and Exim.
I never have problems.

In a web page's PHP:-

> $headers = 'From: '.$from."\n".
> 'Disposition-Notification-To: ack@xxxx.com'."\n".
> 'Return-Receipt-To: ack@xxxx.com'."\n".
> 'Bcc: ack@xxxx.com'."\n".
> 'Content-Type: text/plain; charset=ISO-8859-1'."\n";

> mail($to,$subj,$mess,$headers,'-f sender@domain.com');

In Exim:-

> trusted_users = apache

Hope this helps.


--
Regards,

Paul.
England, EU.



