Date: Wed, 17 Apr 2002 09:06:44 +1000
From: "Robert" <robert@chalmers.com.au>
To: "Jorge Biquez" <jbiquez@icsmx.com>
Cc: "freebsd-stable" <freebsd-stable@FreeBSD.ORG>
Subject: Re: sendmail and majordomo problem ???
Message-ID: <039301c1e59b$6809d150$1a6001cb@chalmers.com.au>
References: <5.1.0.14.2.20020416113514.01f4d1c0@icsmx.com>

I think the key to it all may be here. Setting trusted users seems to not make a difference, at least here.

.......................................................................................

Sendmail is no longer installed set-user-ID to root. sendmail/SECURITY explains how to configure and install sendmail without set-user-ID to root but set-group-ID which is the default configuration starting with 8.12.

..................................................................

4.7. File Modes

The modes used for files depend on what functionality you want and the level of security you require. In many cases sendmail does careful checking of the modes of files and directories to avoid accidental compromise; if you want to make it possible to have group-writable support files you may need to use the DontBlameSendmail option to turn off some of these checks.

4.7.1. To suid or not to suid?

Sendmail is no longer installed set-user-ID to root. sendmail/SECURITY explains how to configure and install sendmail without set-user-ID to root but set-group-ID which is the default configuration starting with 8.12. The daemon usually runs as root, unless other measures are taken. At the point where sendmail is about to exec(2) a mailer, it checks to see if the userid is zero (root); if so, it resets the userid and groupid to a default (set by the U= equate in the mailer line; if that is not set, the DefaultUser option is used). This can be overridden by setting the S flag to the mailer for mailers that are trusted and must be called as root. However, this will cause mail processing to be accounted (using sa(8)) to root rather than to the user sending the mail.

A middle ground is to set the RunAsUser option. This causes sendmail to become the indicated user as soon as it has done the startup that requires root privileges (primarily, opening the SMTP socket).
If you use RunAsUser, the queue directory (normally /var/spool/mqueue) should be owned by that user, and all files and databases (including user .forward files, alias files, :include: files, and external databases) must be readable by that user. Also, since sendmail will not be able to change its uid, delivery to programs or files will be marked as unsafe, e.g., undeliverable, in .forward, aliases, and :include: files. Administrators can override this by setting the DontBlameSendmail option to the setting NonRootSafeAddr. RunAsUser is probably best suited for firewall configurations that don't have regular user logins.

> Hello
>
> I have the same problem. After CVSUP a 4.4. STABLE to 4.5 STABLE machine
> the problem appears. It was working perfectly before. Seems like the
> problem is the new groups created in the installation of Sendmail. I'm
> working on this also.
>
> JB
>
> At 16:07 16/04/02 +1000, you wrote:
> >So. It gives a 126 error. A look on the box tells me that it could be a
> >permission thing.
> >The last one on this list is a setreuid thing - and it's wrapper that's
> >failing I think.
> >....................................................
> >Message delivered to mailing list <test-l@chalmers.com.au.procmail>
> >/usr/local/majordomo/wrapper: permission denied
> >554 5.3.0 unknown mailer error 126
> >...................................................
> >
> ># grep 126 *
> >filio.h:#define FIONBIO _IOW('f', 126, int) /* set/clear non-blocking i/o */
> >ioctl_compat.h:#define TIOCLBIC _IOW('t', 126, int) /* bic local mode bits */
> >syscall.h:#define SYS_setreuid 126
> >#
> >
> >David - yours is working. Would you be kind enough to take a moment to
> >check your permissions for me on sendmail and majordomo's files, and wrapper?
> >Do you still use mailwrapper, or not as well?
> >
> >I'd say I have something out of whack here
> >
> >Thanks a lot folks,
> >
> >cheers
> >Robert
> >
> >---
> >Quantum Radio: World Music with a difference.
> >http://quantum-radio.net/
> >Now Playing: Miles Davis - Time After Time
> >
> >To Unsubscribe: send mail to majordomo@FreeBSD.org
> >with "unsubscribe freebsd-stable" in the body of the message
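
Added example (not from the original message or the sendmail documentation): a Python check of which path components would deny exec to the uid/gid that sendmail switches to before running a mailer such as the majordomo wrapper, using classic mode bits only (no ACLs). The function names, the base parameter, the temp-dir stand-in for the wrapper and the uid/gid values are assumptions for illustration.

```python
import os
import stat
import tempfile

def class_bits(st, uid, gids):
    """Return the single rwx triplet that applies: owner, else group, else other."""
    if uid == st.st_uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def exec_blockers(path, uid, gids, base="/"):
    """List (component, mode) pairs below `base` that stop uid/gids exec'ing `path`."""
    path, base = os.path.realpath(path), os.path.realpath(base)
    parts = os.path.relpath(path, base).split(os.sep)
    blockers, current = [], base
    for i, name in enumerate(parts):
        current = os.path.join(current, name)
        st = os.stat(current)
        if uid == 0:
            # root can search any directory; the final file still needs some x bit
            ok = i < len(parts) - 1 or bool(st.st_mode & 0o111)
        else:
            ok = bool(class_bits(st, uid, gids) & 1)  # x bit: search dir / exec file
        if not ok:
            blockers.append((current, stat.filemode(st.st_mode)))
    return blockers

def demo():
    """Constructed stand-in for /usr/local/majordomo/wrapper inside a temp dir."""
    top = tempfile.mkdtemp()
    mjdir = os.path.join(top, "majordomo")
    os.mkdir(mjdir)
    wrapper = os.path.join(mjdir, "wrapper")
    with open(wrapper, "w") as fh:
        fh.write("#!/bin/sh\nexit 0\n")
    os.chmod(mjdir, 0o750)
    os.chmod(wrapper, 0o750)
    st = os.stat(wrapper)
    uid, gid = st.st_uid + 1000, st.st_gid + 1000  # hypothetical mailer uid/gid
    return {
        "outsider": exec_blockers(wrapper, uid, {gid}, base=top),
        "in_group": exec_blockers(wrapper, uid, {st.st_gid}, base=top),
        "root": exec_blockers(wrapper, 0, {0}, base=top),
    }

if __name__ == "__main__":
    for who, found in demo().items():
        print(who, found or "can exec")
```

On a real host, call exec_blockers with the wrapper's actual path and the uid/gid from the mailer's U= equate or the DefaultUser option.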