From: Phil Pennock Date: Sat, 5 Jun 2010 10:04:43 +0000 (+0000) Subject: Add permit_coredump pipe transport option. Fixes: #834 X-Git-Tag: exim-4_73_RC0~54 X-Git-Url: https://git.exim.org/exim.git/commitdiff_plain/a29e5231ac02b045d8fdd5610abac3c38131366f Add permit_coredump pipe transport option. Fixes: #834 --- diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 493c55445..2a69fcf59 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -1,4 +1,4 @@ -. $Cambridge: exim/doc/doc-docbook/spec.xfpt,v 1.75 2010/06/05 09:10:08 pdp Exp $ +. $Cambridge: exim/doc/doc-docbook/spec.xfpt,v 1.76 2010/06/05 10:04:43 pdp Exp $ . . ///////////////////////////////////////////////////////////////////////////// . This is the primary source of the Exim Manual. It is an xfpt document that is @@ -21075,6 +21075,17 @@ sought in the PATH directories, in the usual way. &*Warning*&: This does not apply to a command specified as a transport filter. +.option permit_coredump pipe boolean false +Normally Exim inhibits core-dumps during delivery. If you have a need to get +a core-dump of a pipe command, enable this command. This enables core-dumps +during delivery and affects both the Exim binary and the pipe command run. +It is recommended that this option remain off unless and until you have a need +for it and that this only be enabled when needed, as the risk of excessive +resource consumption can be quite high. Note also that Exim is typically +installed as a setuid binary and most operating systems will inhibit coredumps +of these by default, so further OS-specific action may be required. + + .option pipe_as_creator pipe boolean false .cindex "uid (user id)" "local delivery" If the generic &%user%& option is not set and this option is true, the delivery diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 3ed3aa8c7..72f799a36 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog 
@@ -1,4 +1,4 @@ -$Cambridge: exim/doc/doc-txt/ChangeLog,v 1.617 2010/06/05 09:10:09 pdp Exp $ +$Cambridge: exim/doc/doc-txt/ChangeLog,v 1.618 2010/06/05 10:04:43 pdp Exp $ Change log file for Exim from version 4.21 ------------------------------------------- @@ -16,6 +16,10 @@ JJ/01 Added DISABLE_DKIM and comment to src/EDITME PP/03 Bugzilla 994: added openssl_options main configuration option. +PP/04 Bugzilla 995: provide better SSL diagnostics on failed reads. + +PP/05 Bugzilla 834: provide a permit_codedump option for pipe transports. + Exim version 4.72 ----------------- diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff index 589bc5397..c2c49379f 100644 --- a/doc/doc-txt/NewStuff +++ b/doc/doc-txt/NewStuff @@ -1,4 +1,4 @@ -$Cambridge: exim/doc/doc-txt/NewStuff,v 1.166 2010/06/05 09:10:09 pdp Exp $ +$Cambridge: exim/doc/doc-txt/NewStuff,v 1.167 2010/06/05 10:04:43 pdp Exp $ New Features in Exim -------------------- @@ -20,6 +20,12 @@ Version 4.73 consequences for certain options, so these should not be changed frivolously. + 2. A new pipe transport option, "permit_coredumps", may help with problem + diagnosis in some scenarios. Note that Exim is typically installed as + a setuid binary, which on most OSes will inhibit coredumps by default, + so that safety mechanism would have to be overriden for this option to + be able to take effect. + Version 4.72 ------------ diff --git a/src/src/deliver.c b/src/src/deliver.c index 1e1f5a528..941fec043 100644 --- a/src/src/deliver.c +++ b/src/src/deliver.c @@ -1,4 +1,4 @@ -/* $Cambridge: exim/src/src/deliver.c,v 1.47 2009/11/16 19:50:36 nm4 Exp $ */ +/* $Cambridge: exim/src/src/deliver.c,v 1.48 2010/06/05 10:04:44 pdp Exp $ */ /************************************************* * Exim - an Internet mail transport agent * 
@@ -1727,7 +1727,20 @@ if ((pid = fork()) == 0) HP-UX doesn't have RLIMIT_CORE; I don't know how to do this in that system. Some experimental/developing systems (e.g. GNU/Hurd) may define RLIMIT_CORE but not support it in setrlimit(). For such systems, do not - complain if the error is "not supported". */ + complain if the error is "not supported". + + There are two scenarios where changing the max limit has an effect. In one, + the user is using a .forward and invoking a command of their choice via pipe; + for these, we do need the max limit to be 0 unless the admin chooses to + permit an increased limit. In the other, the command is invoked directly by + the transport and is under administrator control, thus being able to raise + the limit aids in debugging. So there's no general always-right answer. + + Thus we inhibit core-dumps completely but let individual transports, while + still root, re-raise the limits back up to aid debugging. We make the + default be no core-dumps -- few enough people can use core dumps in + diagnosis that it's reasonable to make them something that has to be explicitly requested. + */ #ifdef RLIMIT_CORE struct rlimit rl; diff --git a/src/src/transports/pipe.c b/src/src/transports/pipe.c index 35048258e..2464abd14 100644 --- a/src/src/transports/pipe.c +++ b/src/src/transports/pipe.c @@ -1,4 +1,4 @@ -/* $Cambridge: exim/src/src/transports/pipe.c,v 1.14 2009/11/16 19:50:39 nm4 Exp $ */ +/* $Cambridge: exim/src/src/transports/pipe.c,v 1.15 2010/06/05 10:04:44 pdp Exp $ */ /************************************************* * Exim - an Internet mail transport agent * 
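Review bot: The added comment in deliver.c says individual transports re-raise the limit "while still root", but it names neither the code that does so nor the ordering it depends on. In this commit the only such code is the pipe transport's setup function acting on `permit_coredump`, which its own header comment says runs in the privileged state just before the uid/gid are changed. I would add a sentence such as `The pipe transport's permit_coredump option does this from its setup function, which must run after this setrlimit() and before privileges are dropped.` so the invariant is visible to whoever next reorders this code. The relative order of the two calls is not visible in this hunk, so confirm it before adding the sentence; the comment block and the code it describes continue outside the hunk.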
@@ -57,6 +57,8 @@ optionlist pipe_transport_options[] = { (void *)offsetof(pipe_transport_options_block, message_suffix) }, { "path", opt_stringptr, (void *)offsetof(pipe_transport_options_block, path) }, + { "permit_coredump", opt_bool, + (void *)offsetof(pipe_transport_options_block, permit_coredump) }, { "pipe_as_creator", opt_bool | opt_public, (void *)offsetof(transport_instance, deliver_as_creator) }, { "restrict_to_path", opt_bool, @@ -110,6 +112,7 @@ pipe_transport_options_block pipe_transport_option_defaults = { 0, /* options */ FALSE, /* freeze_exec_fail */ FALSE, /* ignore_status */ + FALSE, /* permit_coredump */ FALSE, /* restrict_to_path */ FALSE, /* timeout_defer */ FALSE, /* use_shell */ @@ -127,7 +130,7 @@ pipe_transport_options_block pipe_transport_option_defaults = { /* Called for each delivery in the privileged state, just before the uid/gid are changed and the main entry point is called. In a system that supports the login_cap facilities, this function is used to set the class resource limits -for the user. +for the user. It may also re-enable coredumps. Arguments: tblock points to the transport instance @@ -170,6 +173,24 @@ if (ob->use_classresources) } #endif +#ifdef RLIMIT_CORE +if (ob->permit_coredump) + { + struct rlimit rl; + rl.rlim_cur = RLIM_INFINITY; + rl.rlim_max = RLIM_INFINITY; + if (setrlimit(RLIMIT_CORE, &rl) < 0) + { +#ifdef SETRLIMIT_NOT_SUPPORTED + if (errno != ENOSYS && errno != ENOTSUP) +#endif + log_write(0, LOG_MAIN, + "delivery setrlimit(RLIMIT_CORE, RLIMI_INFINITY) failed: %s", + strerror(errno)); + } + } +#endif + return OK; } diff --git a/src/src/transports/pipe.h b/src/src/transports/pipe.h index cdb10af7d..da141c0d1 100644 --- a/src/src/transports/pipe.h +++ b/src/src/transports/pipe.h 
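Review bot: The option is registered here as `permit_coredump`, but the same commit's NewStuff entry calls it "permit_coredumps" and its ChangeLog entry "permit_codedump". An administrator who copies the NewStuff spelling into a configuration would presumably get an unknown-option error, so both texts should be corrected to `permit_coredump`. The spec.xfpt paragraph also says "enable this command" where it appears to mean "enable this option". The options table starts and ends outside the hunk.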
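Review bot: The log text in the failure branch of the new `#ifdef RLIMIT_CORE` block misspells the constant; it should read `"delivery setrlimit(RLIMIT_CORE, RLIM_INFINITY) failed: %s",`. The block raises both the soft and the hard limit to RLIM_INFINITY for everything this transport runs, and the deliver.c comment in this commit notes that pipe commands may come from a user's .forward. A comment above the block should therefore say that the option is meant for a transport whose command is set by the administrator. Core files can also hold message content and other process memory, which the documentation added in this commit does not mention alongside its resource-consumption warning. The enclosing setup function starts outside the hunk.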
@@ -1,4 +1,4 @@ -/* $Cambridge: exim/src/src/transports/pipe.h,v 1.7 2009/11/16 19:56:54 nm4 Exp $ */ +/* $Cambridge: exim/src/src/transports/pipe.h,v 1.8 2010/06/05 10:04:44 pdp Exp $ */ /************************************************* * Exim - an Internet mail transport agent * @@ -25,6 +25,7 @@ typedef struct { int options; BOOL freeze_exec_fail; BOOL ignore_status; + BOOL permit_coredump; BOOL restrict_to_path; BOOL timeout_defer; BOOL use_shell;