Bug 1877308 - gpg-agent started for exim mailserver
Summary: gpg-agent started for exim mailserver
Keywords:
Status: CLOSED EOL
Alias: None
Product: Fedora
Classification: Fedora
Component: exim
Version: 32
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: David Woodhouse
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-09-09 10:55 UTC by customercare
Modified: 2023-09-15 00:47 UTC (History)
17 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2021-05-25 17:48:10 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)

Description customercare 2020-09-09 10:55:10 UTC 
Description of problem:

spontaneous today spawned a gpg-agent process for the exim mailserver 4.94

The system running for 100 days, getting updated every 2h, but in the time of the event 9.9.2020 9:39 AM CEST, no updates to the server are logged nor any unusually activity in exim.

It's completely unnecessary for a server process to have a running gpg-agent. 

This events got logged :

EXIM LOG:

2020-09-09 09:38:01 1kFug5-00GavR-GP <= root.de U=root P=local S=934
2020-09-09 09:38:01 1kFug5-00GavR-GP => :blackhole: <root.de> R=userforward
2020-09-09 09:38:01 1kFug5-00GavR-GP Completed
2020-09-09 09:39:01 1kFuh3-00Gazf-OO <= root.de U=root P=local S=5850
2020-09-09 09:39:01 1kFuh3-00GazK-Q6 <= root.de U=root P=local S=934
2020-09-09 09:39:01 1kFuh3-00GazK-Q6 => :blackhole: <root.de> R=userforward
2020-09-09 09:39:01 1kFuh3-00GazK-Q6 Completed

SYSLOG:

Sep  9 09:38:17 HOSTNAME su[3955281]: (to exim) root on none
Sep  9 09:38:17 HOSTNAME systemd[1]: Created slice User Slice of UID 93.
Sep  9 09:38:17 HOSTNAME systemd[1]: Starting User Runtime Directory /run/user/93...
Sep  9 09:38:17 HOSTNAME systemd[1]: Started User Runtime Directory /run/user/93.
Sep  9 09:38:17 HOSTNAME systemd[1]: Starting User Manager for UID 93...
Sep  9 09:38:17 HOSTNAME systemd[3955286]: Condition check resulted in Mark boot as successful after the user session has run 2 minutes being skipped.
Sep  9 09:38:17 HOSTNAME systemd[3955286]: Reached target Paths.
Sep  9 09:38:17 HOSTNAME systemd[3955286]: Reached target Timers.
Sep  9 09:38:17 HOSTNAME systemd[3955286]: Starting D-Bus User Message Bus Socket.
Sep  9 09:38:17 HOSTNAME systemd[3955286]: Listening on D-Bus User Message Bus Socket.
Sep  9 09:38:17 HOSTNAME systemd[3955286]: Reached target Sockets.
Sep  9 09:38:17 HOSTNAME systemd[3955286]: Reached target Basic System.
Sep  9 09:38:17 HOSTNAME systemd[3955286]: Reached target Main User Target.
Sep  9 09:38:17 HOSTNAME systemd[3955286]: Startup finished in 95ms.
Sep  9 09:38:17 HOSTNAME systemd[1]: Started User Manager for UID 93.
Sep  9 09:38:17 HOSTNAME systemd[1]: Started Session c177 of user exim.
Sep  9 09:38:18 HOSTNAME systemd[1]: session-c177.scope: Succeeded.
Sep  9 09:38:18 HOSTNAME su[3955299]: (to exim) root on none
Sep  9 09:38:18 HOSTNAME systemd[1]: Started Session c178 of user exim.
Sep  9 09:38:18 HOSTNAME su[3955312]: (to exim) root on none
Sep  9 09:38:18 HOSTNAME systemd[1]: Started Session c179 of user exim.
Sep  9 09:38:18 HOSTNAME systemd[1]: session-c179.scope: Succeeded.
Sep  9 09:38:18 HOSTNAME su[3955321]: (to exim) root on none
Sep  9 09:38:18 HOSTNAME systemd[1]: Started Session c180 of user exim.
Sep  9 09:38:18 HOSTNAME systemd[1]: session-c180.scope: Succeeded.
Sep  9 09:38:18 HOSTNAME su[3955331]: (to exim) root on none
Sep  9 09:38:18 HOSTNAME systemd[1]: Started Session c181 of user exim.
Sep  9 09:38:18 HOSTNAME systemd[1]: session-c181.scope: Succeeded.

and right after it, the IDS found it: 

Prozekontrolle: Mi 9. Sep 09:39:01 CEST 2020

1. prozess=3955307 name=gpg-agent username=exim   ###ERROR###


[root@HOSTNAME ~]# ps auxf|grep gpg
exim     3955307  0.0  0.0 365012  1152 ?        Ss   09:38   0:00 gpg-agent --homedir /var/spool/exim/.gnupg --use-standard-socket --daemon


[root@HOSTNAME .gnupg]# netstat -lnapW | grep 3955307
unix  2      [ ACC ]     STREAM     HÖRT         587410943 3955307/gpg-agent    /run/user/93/gnupg/S.gpg-agent.extra
unix  2      [ ACC ]     STREAM     HÖRT         587410945 3955307/gpg-agent    /run/user/93/gnupg/S.gpg-agent.browser
unix  2      [ ACC ]     STREAM     HÖRT         587410947 3955307/gpg-agent    /run/user/93/gnupg/S.gpg-agent.ssh
unix  2      [ ACC ]     STREAM     HÖRT         587410941 3955307/gpg-agent    /run/user/93/gnupg/S.gpg-agent

The last gpg update was in MAY 2020 and the system had no updates of any relevant part in days :

2020-09-08T05:12:51Z INFO --- logging initialized ---
2020-09-08T06:01:06Z INFO --- logging initialized ---
2020-09-08T06:01:08Z INFO --- logging initialized ---
2020-09-08T06:13:00Z INFO --- logging initialized ---
2020-09-08T07:13:32Z INFO --- logging initialized ---
2020-09-08T08:01:07Z INFO --- logging initialized ---
2020-09-08T08:01:09Z INFO --- logging initialized ---
2020-09-08T08:13:41Z INFO --- logging initialized ---
2020-09-08T09:14:01Z INFO --- logging initialized ---
2020-09-08T10:01:06Z INFO --- logging initialized ---
2020-09-08T10:01:08Z INFO --- logging initialized ---
2020-09-08T10:14:41Z INFO --- logging initialized ---
2020-09-08T11:15:05Z INFO --- logging initialized ---
2020-09-08T12:01:06Z INFO --- logging initialized ---
2020-09-08T12:01:08Z INFO --- logging initialized ---
2020-09-08T12:15:12Z INFO --- logging initialized ---
2020-09-08T13:15:42Z INFO --- logging initialized ---
2020-09-08T14:01:58Z INFO --- logging initialized ---
2020-09-08T14:02:18Z INFO --- logging initialized ---
2020-09-08T14:16:02Z INFO --- logging initialized ---
2020-09-08T15:16:07Z INFO --- logging initialized ---
2020-09-08T16:01:07Z INFO --- logging initialized ---
2020-09-08T16:01:09Z INFO --- logging initialized ---
2020-09-08T16:16:41Z INFO --- logging initialized ---
2020-09-08T17:16:48Z INFO --- logging initialized ---
2020-09-08T18:01:06Z INFO --- logging initialized ---
2020-09-08T18:01:08Z INFO --- logging initialized ---
2020-09-08T18:16:56Z INFO --- logging initialized ---
2020-09-08T19:17:09Z INFO --- logging initialized ---
2020-09-08T20:01:06Z INFO --- logging initialized ---
2020-09-08T20:01:07Z INFO --- logging initialized ---
2020-09-08T20:01:41Z SUBDEBUG Upgrade: libcap-ng-0.7.11-1.fc31.x86_64
2020-09-08T20:01:42Z SUBDEBUG Upgraded: libcap-ng-0.7.10-1.fc31.x86_64
2020-09-08T20:17:24Z INFO --- logging initialized ---
2020-09-08T21:17:44Z INFO --- logging initialized ---
2020-09-08T22:01:08Z INFO --- logging initialized ---
2020-09-08T22:01:15Z INFO --- logging initialized ---
2020-09-08T22:17:59Z INFO --- logging initialized ---
2020-09-08T23:18:04Z INFO --- logging initialized ---
2020-09-09T00:01:45Z INFO --- logging initialized ---
2020-09-09T00:02:00Z INFO --- logging initialized ---
2020-09-09T00:18:32Z INFO --- logging initialized ---
2020-09-09T01:18:55Z INFO --- logging initialized ---
2020-09-09T02:01:11Z INFO --- logging initialized ---
2020-09-09T02:01:14Z INFO --- logging initialized ---
2020-09-09T02:19:01Z INFO --- logging initialized ---
2020-09-09T03:19:30Z INFO --- logging initialized ---
2020-09-09T04:01:06Z INFO --- logging initialized ---
2020-09-09T04:01:08Z INFO --- logging initialized ---
2020-09-09T04:19:41Z INFO --- logging initialized ---
2020-09-09T05:19:48Z INFO --- logging initialized ---
2020-09-09T06:01:05Z INFO --- logging initialized ---
2020-09-09T06:01:07Z INFO --- logging initialized ---
2020-09-09T06:19:53Z INFO --- logging initialized ---
2020-09-09T07:20:05Z INFO --- logging initialized ---
2020-09-09T08:01:07Z INFO --- logging initialized ---
2020-09-09T08:01:08Z INFO --- logging initialized ---
2020-09-09T08:20:11Z INFO --- logging initialized ---
2020-09-09T09:20:14Z INFO --- logging initialized ---
2020-09-09T10:01:07Z INFO --- logging initialized ---
2020-09-09T10:01:09Z INFO --- logging initialized ---
2020-09-09T10:20:41Z INFO --- logging initialized ---

so it is a complete mystery why this process got started at all. 

I request to change the systemd config, to not start gpg for exim, httpd, proftpd, mariadb or any other pure non user app .
Comment 1 customercare 2020-09-25 18:14:19 UTC 
It happend again:

Sep 25 19:48:37 servername su[829912]: (to exim) root on none
Sep 25 19:48:37 servername systemd[1]: Created slice User Slice of UID 93.
Sep 25 19:48:37 servername systemd[1]: Starting User Runtime Directory /run/user/93...
Sep 25 19:48:37 servername systemd[1]: Started User Runtime Directory /run/user/93.
Sep 25 19:48:37 servername systemd[1]: Starting User Manager for UID 93...
Sep 25 19:48:37 servername systemd[829917]: Condition check resulted in Mark boot as successful after the user session has run 2 minutes being skipped.
Sep 25 19:48:37 servername systemd[829917]: Reached target Paths.
Sep 25 19:48:37 servername systemd[829917]: Reached target Timers.
Sep 25 19:48:37 servername systemd[829917]: Starting D-Bus User Message Bus Socket.
Sep 25 19:48:37 servername systemd[829917]: Listening on D-Bus User Message Bus Socket.
Sep 25 19:48:37 servername systemd[829917]: Reached target Sockets.
Sep 25 19:48:37 servername systemd[829917]: Reached target Basic System.
Sep 25 19:48:37 servername systemd[1]: Started User Manager for UID 93.
Sep 25 19:48:37 servername systemd[1]: Started Session c89 of user exim.
Sep 25 19:48:37 servername systemd[829917]: Reached target Main User Target.
Sep 25 19:48:37 servername systemd[829917]: Startup finished in 106ms.
Sep 25 19:48:38 servername systemd[1]: session-c89.scope: Succeeded.
Sep 25 19:48:38 servername su[829936]: (to exim) root on none
Sep 25 19:48:38 servername systemd[1]: Started Session c90 of user exim.
Sep 25 19:48:38 servername su[829949]: (to exim) root on none
Sep 25 19:48:38 servername systemd[1]: Started Session c91 of user exim.
Sep 25 19:48:38 servername systemd[1]: session-c91.scope: Succeeded.
Sep 25 19:48:38 servername su[829958]: (to exim) root on none
Sep 25 19:48:38 servername systemd[1]: Started Session c92 of user exim.
Sep 25 19:48:38 servername systemd[1]: session-c92.scope: Succeeded.
Sep 25 19:48:38 servername su[829967]: (to exim) root on none
Sep 25 19:48:38 servername systemd[1]: Started Session c93 of user exim.
Sep 25 19:48:38 servername systemd[1]: session-c93.scope: Succeeded.
Prozekontrolle: Fr 25. Sep 19:49:01 CEST 2020

1. prozess=829944 name=gpg-agent username=exim   ###ERROR###
:



/var/log/security has this to say:


Sep 25 19:48:37 servername systemd[829917]: pam_unix(systemd-user:session): session opened for user exim by (uid=0)
Sep 25 19:48:37 servername su[829912]: pam_unix(su:session): session opened for user exim by (uid=0)
Sep 25 19:48:38 servername su[829912]: pam_unix(su:session): session closed for user exim
Sep 25 19:48:38 servername su[829936]: pam_unix(su:session): session opened for user exim by (uid=0)
Sep 25 19:48:38 servername su[829936]: pam_unix(su:session): session closed for user exim
Sep 25 19:48:38 servername su[829949]: pam_unix(su:session): session opened for user exim by (uid=0)
Sep 25 19:48:38 servername su[829949]: pam_unix(su:session): session closed for user exim
Sep 25 19:48:38 servername su[829958]: pam_unix(su:session): session opened for user exim by (uid=0)
Sep 25 19:48:38 servername su[829958]: pam_unix(su:session): session closed for user exim
Sep 25 19:48:38 servername su[829967]: pam_unix(su:session): session opened for user exim by (uid=0)
Sep 25 19:48:38 servername su[829967]: pam_unix(su:session): session closed for user exim
Comment 2 Ben Cotton 2020-11-03 17:10:59 UTC 
This message is a reminder that Fedora 31 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora 31 on 2020-11-24.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
Fedora 'version' of '31'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 31 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.
Comment 3 customercare 2021-02-03 08:13:38 UTC 
out of the sudden...


Feb  3 08:06:06 s113 systemd[1]: Created slice User Slice of UID 93.

uid=93(exim) gid=93(exim) Gruppen=93(exim),12(mail),176(ats)

exim     1078872  0.0  0.0 365096  1256 ?        Ss   08:06   0:00 gpg-agent --homedir /var/spool/exim/.gnupg --use-standard-socket --daemon
Comment 4 Fedora Program Management 2021-04-29 17:06:10 UTC 
This message is a reminder that Fedora 32 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora 32 on 2021-05-25.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
Fedora 'version' of '32'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 32 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.
Comment 5 Zbigniew Jędrzejewski-Szmek 2021-05-18 15:35:02 UTC 
> Component: exim → systemd

Why did you assign this to systemd? There is something in the exim service stack which
causes it to (I'm guessing here), start a pam session and trigger other services...
This needs to be figured out from the exim side. I don't know anything about exim is
configured in Fedora.
Comment 6 customercare 2021-05-19 08:38:22 UTC 
Because exim did not start the gpg-agent.

We are talking about a mailserver running exim for 100 days without restart and then, without any incoming/outgoing email,
it shall start a gpg-agent which it does not need? 

According to the logs, it's clearly systemd which starts a normal usersession for a system account, which is not meant to have one, and thats the bug we are talking about.

If exim would need a gpg-agent, it would be started before exim, the agent-pids would be exported to be used by exim and underlying gpg usages.
In the scenario of this bugreport, gpg-agent have been side-started without any use to exim itself, as it does not know about it.

I repeat my inital request:

Systemd, do not start usersessions for non-user-accounts.
Comment 7 Zbigniew Jędrzejewski-Szmek 2021-05-19 10:26:29 UTC 
> According to the logs, it's clearly systemd which starts a normal usersession for a system account, which is not meant to have one, and thats the bug we are talking about.

Yes, that seems to be the important part. The question is why is systemd starting a user session
for exim4? Something told it to start it, and that is the real bug. My guess would be that 
exim4 somehow uses 'su' to switch users, and this pulls in the pam stack, which instructs systemd
to start the user session. But this is just a wild guess, since I don't know anything about how
exim4 does things. As I said, this needs to be looked at by somebody who understand the exim4 setup.

You can probably do 'systemctl mask user@<uid of exim4>' to prevent the user session from starting.
But this is just an ugly work-around.
Comment 8 customercare 2021-05-19 10:47:25 UTC 
It's a server, i don't care if it's ugly from a desktop perspective :)

I will try it out. Still, the real question is, what is the real trigger of it. Maybe a cron? but those crons would run daily or even hourly, and those starts seem to be happen at random.

I talked to Heiko S. from the exim dev team and he has no clue why exim would give systemd a hint to start that usersession, in special, months after the initial start of the master process and no internal or external activity.
Comment 9 Ben Cotton 2021-05-25 17:48:10 UTC 
Fedora 32 changed to end-of-life (EOL) status on 2021-05-25. Fedora 32 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.
Comment 10 Red Hat Bugzilla 2023-09-15 00:47:44 UTC 
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days
Note You need to log in before you can comment on or make changes to this bug.