Date:      Thu, 12 Apr 2012 09:51:09 +0200
From:      Polytropon <freebsd@edvax.de>
To:        Matthew Seaman <matthew@freebsd.org>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Sendmail recommended permissions for apache/php server
Message-ID:  <20120412095109.63ce0715.freebsd@edvax.de>
In-Reply-To: <4F86818D.8000402@FreeBSD.org>
References:  <AC28A3ECE8FFEA4CAE20B2B79FDB8F709B6DDB@server01.msdi.local> <20120412034932.b6b7de0a.freebsd@edvax.de> <4F86818D.8000402@FreeBSD.org>

On Thu, 12 Apr 2012 08:17:33 +0100, Matthew Seaman wrote:
> On 12/04/2012 02:49, Polytropon wrote:
> > On Wed, 11 Apr 2012 23:57:51 +0000, Ian Lord wrote:
> >> > I then got a different error in /var/log/messages
> >> > Apr 11 19:38:40 dev sendmail[41170]: NOQUEUE: SYSERR(www): can not write to queue directory /var/spool/clientmqueue/ (RunAsGid=0, required=25): Permission denied
> 
> >> > I found very old threads saying to change the group of apache
> >> > to "smmsp" but I doubt it's a good idea.
> 
> > No, not "change to", but you can _add_ apache (or whatever is
> > originating the error) to the smmsp group. Add it to "smmsp:*:25:"
> > in /etc/group.
> 
> You should not be changing the ownership and permissions on any of the
> directories used by sendmail(8), or the group membership of any of the
> groups used by sendmail.  Not even if you think you know what you are
> doing.  This is extremely security sensitive, and getting it wrong means
> at minimum unprivileged users can forge e-mails untraceably[*].

You're right - as long as sendmail works properly (and is invoked
by whatever means sends e-mail out of apache / PHP), the present
group settings and permissions should be okay. Sendmail will
then properly run "as the smmsp group member" which will enable
it to properly access the queue directory.



> There is no reason for apache to have any sort of write permissions to
> /var/spool/clientmqueue -- that should only be accessible to sendmail,
> and sendmail is the only program that should ever use it.

I'm not aware of why a program should directly access the mail
queues, but maybe that's a "special" PHP feature. :-)




-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...



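The two replies above rest on one permission model: the sendmail binary is setgid to the smmsp group, and /var/spool/clientmqueue is writable by that group only, so a web-server user reaches the queue solely through the setgid sendmail and never directly. The script below is an added example (mine, not code from the thread or from the FreeBSD project) that checks exactly those two properties. It assumes the stock FreeBSD layout, /usr/libexec/sendmail/sendmail installed mode 2555 root:smmsp and /var/spool/clientmqueue mode 0770 smmsp:smmsp, and takes gid 25 for smmsp from the "required=25" in the logged error; the function names are my own. Paths and the expected gid are arguments so the same checks run against test fixtures.

```shell
#!/bin/sh
# Added example, not from the thread. Checks the sendmail MSP permission
# model the replies rely on. Assumed FreeBSD defaults:
#   /usr/libexec/sendmail/sendmail  mode 2555, root:smmsp (setgid smmsp)
#   /var/spool/clientmqueue         mode 0770, smmsp:smmsp
# gid 25 is smmsp, matching "required=25" in the logged SYSERR line.

# perm_of PATH -> "<10-char mode string> <uid> <gid>"
# ls -n is POSIX and prints numeric ids, so no group database is needed.
perm_of() {
    ls -ldn "$1" | awk '{ printf "%s %s %s\n", substr($1, 1, 10), $3, $4 }'
}

# check_setgid_binary PATH EXPECTED_GID
# Passes only if PATH carries the setgid bit AND is group-owned by
# EXPECTED_GID, i.e. whoever executes it (apache's www user included)
# runs it with that effective gid.
check_setgid_binary() {
    csb_info=$(perm_of "$1")
    [ -n "$csb_info" ] || { echo "FAIL: $1 not found"; return 1; }
    csb_mode=${csb_info%% *}
    csb_gid=${csb_info##* }
    case "$csb_mode" in
        ??????[sS]*) ;;   # column 7 is the group-execute slot; s/S = setgid
        *) echo "FAIL: $1 is not setgid (mode $csb_mode)"; return 1 ;;
    esac
    if [ "$csb_gid" != "$2" ]; then
        echo "FAIL: $1 is group $csb_gid, expected $2"
        return 1
    fi
    echo "OK: $1 is setgid to gid $2"
}

# check_queue_dir PATH EXPECTED_GID
# Passes only if PATH is a directory group-owned by EXPECTED_GID,
# group-writable, with no permission bits for "other": only the setgid
# sendmail can reach the queue, never apache or a PHP script directly.
check_queue_dir() {
    cqd_info=$(perm_of "$1")
    [ -n "$cqd_info" ] || { echo "FAIL: $1 not found"; return 1; }
    cqd_mode=${cqd_info%% *}
    cqd_gid=${cqd_info##* }
    case "$cqd_mode" in
        d*) ;;
        *) echo "FAIL: $1 is not a directory"; return 1 ;;
    esac
    if [ "$cqd_gid" != "$2" ]; then
        echo "FAIL: $1 is group $cqd_gid, expected $2"
        return 1
    fi
    case "$cqd_mode" in
        d???rw?---) ;;    # group rw (0770 or 2770), nothing for other
        *) echo "FAIL: $1 has mode $cqd_mode, expected group-rw and no 'other' bits"
           return 1 ;;
    esac
    echo "OK: $1 is a private queue directory for gid $2"
}

# queue_gid_mismatch LOGLINE -> "<RunAsGid> <required>"
# Pulls the two gids out of a sendmail SYSERR line like the one quoted in
# the thread, so the "required" gid can be fed to the checks above.
queue_gid_mismatch() {
    printf '%s\n' "$1" |
        sed -n 's/.*RunAsGid=\([0-9][0-9]*\), required=\([0-9][0-9]*\).*/\1 \2/p'
}

# Usage against the stock FreeBSD paths (kept as comments so the file can
# also be sourced for testing on a machine without sendmail):
#   check_setgid_binary /usr/libexec/sendmail/sendmail 25
#   check_queue_dir /var/spool/clientmqueue 25
```

Run both checks as root on the affected host; a FAIL on the binary means the setgid bit or the smmsp group ownership is missing, which is the case in which sendmail cannot run "as the smmsp group member" and loses access to the queue. A FAIL on the directory with mode 0777 would indicate that someone has already opened the queue to everyone, which is the change the thread warns against.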