From owner-freebsd-questions@FreeBSD.ORG Thu Apr 12 13:39:35 2012
From: Ian Lord
To: 'Matthew Seaman'
Cc: "'freebsd-questions@freebsd.org'"
Date: Thu, 12 Apr 2012 13:40:32 +0000
Subject: RE: Sendmail recommended permissions for apache/php server
In-reply-to: <20120412034932.b6b7de0a.freebsd@edvax.de>
References: <20120412034932.b6b7de0a.freebsd@edvax.de>
List-Id: User questions <freebsd-questions@freebsd.org>

> You should not be changing the ownership and permissions on any of the
> directories used by sendmail(8), or the group membership of any of the
> groups used by sendmail. Not even if you think you know what you are
> doing. This is extremely security sensitive, and getting it wrong means
> at minimum unprivileged users can forge e-mails untraceably[*].

That's what I thought; I found it to work but preferred to ask on the list since it didn't make sense to me :)

> To the OP -- can you execute sendmail outside PHP? If you can use
> mail(1) to send a test e-mail, then sendmail should be fine. Note: test
> this as an unprivileged user.

No it doesn't work, just tried it:

%mail -s Hello lordi@msdi.ca
Hello !
.
EOT
%WARNING: RunAsUser for MSP ignored, check group ids (egid=0, want=25)
can not chdir(/var/spool/clientmqueue/): Permission denied
Program mode requires special privileges, e.g., root or TrustedUser.
Apr 12 08:47:08 dev sendmail[94980]: NOQUEUE: SYSERR(msdi): can not chdir(/var/spool/clientmqueue/): Permission denied

> What are the permissions on /usr/libexec/sendmail/sendmail ? They should
> look like this:
>
> % ls -la /usr/libexec/sendmail/sendmail
> -r-xr-sr-x 1 root smmsp 662136 Apr 1 08:38 /usr/libexec/sendmail/sendmail

# ls -al /usr/libexec/sendmail/sendmail
-r-xr-sr-x 1 root wheel 707160 Jan 3 02:57 /usr/libexec/sendmail/sendmail

So the group is wrong... I changed it from wheel to smmsp and everything works fine now!

Thanks a lot for the fix, but this server is a clean install of 9.0-RELEASE that I installed about 2-3 months ago. I never changed the permissions myself on that file, so I guess there is something wrong that would need to be fixed (unless it's already fixed in newer versions).

Thanks again

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Ian Lord
MSD Informatique
143 Rue des Fauvettes
St-Colomban (Québec) J5K 0E2
Tel: (514) 776-MSDI -> (514) 776-6734
Toll-free: 1(877) 776-MSDI -> 1(877) 776-6734
http://www.msdi.ca
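A check for the condition diagnosed in this thread, added here as an example; it is not part of the original messages and not FreeBSD's or sendmail's own tooling. It parses `ls -ld` output (the format both posters quoted) and reports whether the sendmail MSP binary and the client queue directory carry the expected ownership and mode, explaining the setgid consequence when the binary's group is wrong. The expected values for the binary are the ones Matthew quoted; the expected values for /var/spool/clientmqueue (0770, smmsp:smmsp) are an assumption about a stock FreeBSD install, the sample lines are constructed from the thread, and the function and constant names are mine.

```python
"""Check the sendmail MSP's ownership and mode from `ls -ld` output.

Added example for the thread above; not FreeBSD's or sendmail's own code.
"""
import subprocess

# Expected (mode, owner, group) on a stock FreeBSD install. The binary's entry
# is what Matthew Seaman quoted; the clientmqueue entry is an ASSUMPTION
# (FreeBSD's mtree installs it as 0770 smmsp:smmsp).
EXPECTED = {
    "/usr/libexec/sendmail/sendmail": ("-r-xr-sr-x", "root", "smmsp"),
    "/var/spool/clientmqueue": ("drwxrwx---", "smmsp", "smmsp"),
}

# Constructed samples: the two binary lines quoted in the thread (Matthew's
# correct one, Ian's broken one) plus an assumed correct clientmqueue line.
SAMPLE_GOOD = "-r-xr-sr-x 1 root smmsp 662136 Apr 1 08:38 /usr/libexec/sendmail/sendmail"
SAMPLE_BAD = "-r-xr-sr-x 1 root wheel 707160 Jan 3 02:57 /usr/libexec/sendmail/sendmail"
SAMPLE_QUEUE = "drwxrwx--- 2 smmsp smmsp 512 Apr 12 08:47 /var/spool/clientmqueue"


def parse_ls_line(line):
    """Split one `ls -ld` line into (mode, owner, group, path); None if malformed."""
    parts = line.split(None, 8)
    if len(parts) < 9:
        return None
    mode, _links, owner, group, _size, _mon, _day, _time, path = parts
    # Drop the '@'/'+' suffix ls adds for extended attributes / ACLs.
    return mode.rstrip("@+"), owner, group, path.rstrip("/") or "/"


def check_ls_line(line):
    """Return problems for a path in EXPECTED; [] if it matches or is not tracked."""
    parsed = parse_ls_line(line)
    if parsed is None:
        return ["unparseable ls -l line: %r" % line]
    mode, owner, group, path = parsed
    if path not in EXPECTED:
        return []
    want_mode, want_owner, want_group = EXPECTED[path]
    problems = []
    if mode != want_mode:
        problems.append("%s: mode %s, expected %s" % (path, mode, want_mode))
    if owner != want_owner:
        problems.append("%s: owner %s, expected %s" % (path, owner, want_owner))
    if group != want_group:
        problems.append("%s: group %s, expected %s" % (path, group, want_group))
    # The failure seen in the thread: setgid only grants the group the file is
    # owned by, so group wheel (gid 0) or a cleared 's' bit leaves the MSP with
    # the caller's egid, and chdir(/var/spool/clientmqueue) fails for non-root.
    if path.endswith("/sendmail") and (mode[6] not in "sS" or group != "smmsp"):
        problems.append("%s: MSP will not run setgid smmsp (want egid 25); "
                        "unprivileged mail(1) will fail with "
                        "'can not chdir(/var/spool/clientmqueue/)'" % path)
    return problems


def check_lines(lines):
    """Check several ls -ld lines; returns all problems found, in order."""
    problems = []
    for line in lines:
        problems.extend(check_ls_line(line))
    return problems


def check_live_host():
    """Run ls -ld on the expected paths of this host (UNIX only) and check them."""
    out = subprocess.run(["ls", "-ld"] + sorted(EXPECTED),
                         capture_output=True, text=True)
    return check_lines(out.stdout.splitlines())


if __name__ == "__main__":
    for name, line in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD), ("queue", SAMPLE_QUEUE)):
        print(name, check_ls_line(line) or "ok")
    for problem in check_live_host():
        print("THIS HOST:", problem)
```

Run it as an unprivileged user on the host in question, the same way Matthew asked the OP to test mail(1). On Ian's box the binary line yields the "group wheel, expected smmsp" finding plus the setgid explanation, which matches the `egid=0, want=25` warning he pasted; the fix he applied was changing only that group back to smmsp, not touching the queue directory or group memberships.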