procmail

Re: can't write to queue

2003-05-26 08:53:18
On Sun, 25 May 2003 ldg(_at_)ulysium(_dot_)net wrote:

So I'm assuming it's the sendmail binary having trouble, since I can't see
procmail trying to write anything into the sendmail client queue anyway. The
thing is, I do have the sendmail binary with a set gid and group owned by
smmsp, so where's the holdup???


As you have two sendmail programs, are you telling procmail which one to
use?  If you are using ! then maybe not?  Just a guess.

How about using

| /path/to/the/sendmail/I/want/sendmail -t

instead.

Actually, the sendmail binary that is to be used for all this type of local
submission is called sendmail and is in /usr/sbin where everything,
including procmail is looking to find it, so there's no doubt it's the right
one being used. The other binary that is used as the smtp daemon is called
smtpd, so there can't be any confusion.
As I showed in my original post, the sendmail binary that is used as the
smtp daemon (smtpd) has only the permission of execute with its setuid bit
set and is owned by root/system, which works fine.
The sendmail binary that is to be used for the other tasks of submissions
and running the client queue is owned by smmsp/smmsp which is also the
ownership of the client queue folder as well, that binary has only the
execute perms for all, plus the setgid bit, which should make it run as the
group id smmsp and that should allow it to submit to the client queue via
programs like procmail and since the client queue folder has the write perm
turned on for the group smmsp, it shouldn't have any trouble writing there.

The problem is that apparently the setgid bit doesn't have any effect and
that sendmail runs under the gid system at the time of the error, which is
when procmail does its ! and submits to the client queue. The big question
is why isn't the setgid bit having any effect???

I have since fixed this (maybe) by turning on the setuid bit on that
sendmail binary as well, and that has the effect it should have. Since the
sendmail binary is now owned by smmsp/smmsp, with both setuid and setgid
bits set, it no longer has any troubles handling anything in its client
queue folder, which has rwxrwx--- on it and owned by smmsp/smmsp.

I suppose this may actually be ok, as it's all happening under that
non-privileged user smmsp and its own group.
This wasn't explained in the sendmail config info, only to set up the
submission sendmail binary as setgid and not with setuid.
I'm not seeing anything dangerous in what I did, but if anyone sees anything
wrong with that config, please elaborate..
If anyone knows the reason for the setgid not having any effect, I'd be
very curious to investigate this as well..

-- 
Didier Godefroy
mailto:dg(_at_)ulysium(_dot_)net


_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
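
Added example (not part of the original message, and not sendmail or procmail code): a small Python model of the permission reasoning in the post above, computing the effective ids the submission binary gets from its mode bits and whether it may create files in a queue directory that is rwxrwx--- and owned by smmsp/smmsp. The numeric ids and the `bits_honored` switch (which models the observed case where setgid had no effect) are assumptions, and supplementary groups are ignored.

```python
import stat

# Constructed numeric ids for illustration; real values come from /etc/passwd and /etc/group.
SMMSP_UID, SMMSP_GID = 25, 25
CALLER_UID, SYSTEM_GID = 1000, 3


def creds_after_exec(uid, gid, file_mode, file_uid, file_gid, bits_honored=True):
    """Effective (uid, gid) of a process after it executes the given file."""
    euid, egid = uid, gid
    if bits_honored:  # hypothetical switch: False models "setgid has no effect"
        if file_mode & stat.S_ISUID:
            euid = file_uid
        if file_mode & stat.S_ISGID:
            egid = file_gid
    return euid, egid


def can_create_in_dir(euid, egid, dir_mode, dir_uid, dir_gid):
    """Classic Unix check: exactly one class applies (owner, then group, then other)."""
    if euid == 0:
        return True
    if euid == dir_uid:
        shift = 6
    elif egid == dir_gid:  # supplementary groups are ignored in this model
        shift = 3
    else:
        shift = 0
    needed = 0o3  # write + search are both required to create a directory entry
    return ((dir_mode >> shift) & needed) == needed


def queue_writable(binary_mode, bits_honored=True):
    """Can the submission binary create files in the queue dir (0770, smmsp/smmsp)?"""
    euid, egid = creds_after_exec(CALLER_UID, SYSTEM_GID, binary_mode,
                                  SMMSP_UID, SMMSP_GID, bits_honored)
    return can_create_in_dir(euid, egid, 0o770, SMMSP_UID, SMMSP_GID)


if __name__ == "__main__":
    print("setgid only, honored:     ", queue_writable(0o2111))
    print("setgid only, not honored: ", queue_writable(0o2111, bits_honored=False))
    print("setuid + setgid:          ", queue_writable(0o6111))
```
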
