Having permissions issues with procmail and python script

So here is my procmailrc. The script seems to run as the "user" of the mailbox so the script CAN'T create locks or flush or remove messages because the procmail seems to have a lock on the mailbox.

SHELL = /bin/sh
LOGFILE = $HOME/pm.log
LOGABSTRACT = "All"
VERBOSE = "on"


:0
* ^From: .*address.*
* ^Subject:.*su to root.*
{
:0c:
/var/spool/mail/tdproxymail

:0ahi
| /usr/local/tdproxy/MAILSCRIPTS/script.py
}

I'm delivering the mail to the inbox and sending it to the script. When I run the python script I loop through the mailbox...looking for the correct email...

mbox = mailbox.mbox('/var/mail/tdproxymail')

for key, msg in mbox.iteritems():
    print(key)
    if "su to root" not in (msg['subject']):
        continue

Everything processes fine but when I get to

mbox.remove(key)
mbox.flush()
mbox.close()

it is saying I don't have permissions on the lock from the procmail I think...

 Subject: su to root
  Folder: /usr/local/tdproxy/MAILSCRIPTS/edwards_sudo.py    812
Traceback (most recent call last):
  File "/usr/local/tdproxy/MAILSCRIPTS/script.py", line 94, in <module>
    mbox.lock()
  File "/usr/lib64/python2.7/mailbox.py", line 625, in lock
    _lock_file(self._file)
  File "/usr/lib64/python2.7/mailbox.py", line 1976, in _lock_file
    pre_lock = _create_temporary(f.name + '.lock')
  File "/usr/lib64/python2.7/mailbox.py", line 2025, in _create_temporary
    os.getpid()))
  File "/usr/lib64/python2.7/mailbox.py", line 2015, in _create_carefully
    fd = os.open(path, os.O_CREAT | os.O_EXCL | os.O_RDWR, 0666)
OSError: [Errno 13] Permission denied: '/var/mail/tdproxymail.lock.1571858501.tdproxy.91248'

I wanted to try to process the email from just sys.stdin, but I tried both:

#msg = email.message_from_file(sys.stdin)
#msg = email.parser.Parser().parse(sys.stdin)

and it says that is_multipart is false which I know is not the correct case...so in short if I access the mailbox it says there is an attachment but if I use the stdin of the pipe there supposedly is no attachment

QUESTION

How can I process and then delete the email from the mailbox, since there seems to be a permissions issue in running the script as the user of the incoming mail?

You have an incorrect filename. /var/mail/tdproxymail.1571851019.tdproxy.81261 is not a file which exists or which you should have any permission to access. Your mbox filename is /var/mail/tdproxymail and individual messages are slices within that file.

(That's how mbox works; other folders have different structures, and in fact 1571851019.tdproxy.81261 looks vaguely like what an individual message file in a maildir folder directory might look like.)

Looping over the entire mailbox looking for the latest message is completely crazy anyway. Accepting the message on standard input is by far the more sensible, robust, and efficient approach, so I would instead explore what you can do to fix that (probably something simple; but also probably best posted as a separate question). If you can't solve that, a better quick and dirty - but still pretty desperate - workaround might be to write the message to an individual temporary file, and pass that to Python.

Just to be explicit, the hypothesis that this is related to mailbox locking seems false. Locking an mbox happens by other means than a lockfile on most architectures (typically flock or fcntl; but check the output of procmail -v to see what's the compiled-in behavior on your system) - precisely because normal users don't have permission to create new files in the directory where their inbox lives.

Probably the Python mailbox code tries to copy the mbox file to a different location because manipulating it in memory is usually not a good idea (though in this particular case it could perhaps work; but again, really, don't do that). I have not tried that code; but a typical arrangement is for library functions to examine whether os.environ['TMPDIR'] is set and, if so, use that for temporary files.

But in fact, I guess the root cause of your problem is that you added the h flag to the recipe which writes to Python. Of course you don't get a multipart message then; you get no body at all, because you told Procmail to only give the headers to your script.

As an aside, the spaces around the equals signs are syntax errors. Procmail, like the shell, requires assignments to be of the form variable=string or variable="quoted string" with no whitespace on either side of the = character.

# Fix incorrect assignment syntax, no spaces around =
SHELL=/bin/sh
LOGFILE=$HOME/pm.log
LOGABSTRACT="All"
VERBOSE="on"

# Drop the h flag and then also the copying and the a flag
# Also, trailing wildcard is unnecessary in regexes; Procmail matches on any substring
:0i
* ^From: .*address
* ^Subject:.*su to root
| /usr/local/tdproxy/MAILSCRIPTS/script.py

If you desperately want to save the message to a file first, write it to a directory like /tmp/ and capture the file name from Procmail's LASTFOLDER variable. But with the fix to remove the h flag, I trust that will be unnecessary.

(You will still of course need to remove the code to attempt to manipulate the mbox file from Python and just accept the message on standard input.)
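The stdin approach described in the answer above, as an added example that is not part of the original question or answer: it parses one piped message without touching the spool file, and shows how a headers-only feed (the effect of the h flag) surfaces as parser defects. It assumes Python 3 rather than the poster's 2.7; `summarize`, `headers_only` and the sample message are hypothetical and constructed for illustration.

```python
import email
import sys
from email import policy

# Constructed sample message (not from the original post).
SAMPLE = b"""\
From: address@example.test
To: tdproxymail@example.test
Subject: su to root
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

body text
--b1
Content-Type: text/plain; name="report.txt"
Content-Disposition: attachment; filename="report.txt"

attachment data
--b1--
"""

def headers_only(raw: bytes) -> bytes:
    """Simulate what a recipe with the h flag pipes: the header block only."""
    return raw.split(b"\n\n", 1)[0] + b"\n\n"

def summarize(raw: bytes) -> dict:
    """Parse one piped message and report what actually arrived."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = msg["Subject"]
    return {
        "subject": None if subject is None else str(subject),
        "multipart": msg.is_multipart(),
        # Filenames of every MIME part that declares one.
        "attachments": [p.get_filename() for p in msg.walk() if p.get_filename()],
        # A declared multipart with no body leaves defects on the root message.
        "defects": [type(d).__name__ for d in msg.defects],
    }

if __name__ == "__main__":
    # Under procmail the message arrives on stdin; on a terminal use the sample.
    raw = SAMPLE if sys.stdin.isatty() else sys.stdin.buffer.read()
    print(summarize(raw), file=sys.stderr)
```

A non-empty `defects` list on a message whose Content-Type says multipart is a quick signal that the recipe delivered only part of the message to the script.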
