I apologize for bringing up such an old discussion but whatever became
of this?  I am using 2.0.16 with Sendmail 8.12 and I'm having the same
problem that if cyrus isn't the owner of /etc/sasldb the master process
can't read it.  I have read rights for group mail (which cyrus is a
member of) but when I change rights on sasldb to root.mail with rx-r
rights Cyrus doesn't work.  This did work for 1.6.24 before I upgraded. 
I set the options in Sendmail to ignore Groupreadable so Sendmail
doesn't complain about those rights; it's just cyrus.  Thanks for any
info...

On Sat, 2001-03-10 at 13:29, Lawrence Greenfield wrote:
> This is reasonable.  Would people be happier if the master process did a setgid() by
> default?
> 
> Thanks,
> Larry
> 


> --On Wednesday, January 17, 2001 02:54:00 PM +0100 Robert Böhm
> <[EMAIL PROTECTED]> wrote:
> 
> >
> >
> > Hi there.
> >
> > ----- Original Message -----
> > From: <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
> > Sent: Wednesday, January 17, 2001 5:10 AM
> > Subject: Re: Authentication Cyrus/sasl
> >
> >
> >> Sendmail and cyrus don't cooperate very well with file access.
> >
> > I've encountered the following problem in trying to use sendmail w/ SASL
> > and cyrus' imap w/ SASL at the same time:
> >
> > Per default both will want read access to the /etc/sasldb.
> > Furthermore sendmail usually will not allow this file to be writable or
> > readable by any other user than the one which it is running as.
> >
> > This, at first, seems unsolvable, as my sendmail daemon is running as a
> > privileged user, as opposed to cyrus imap.
> >
> > But sendmail is kind enough to offer an option which will allow for the
> > /etc/sasldb to be groupreadable.
> > So I chmod/own'ed the file to 640/root.cyrus, where the group cyrus is the
> > default group for user cyrus, with no other users in it.
> >
> > I supposed this to work, as
> >   # su cyrus
> >   $ cat /etc/sasldb
> > did work, too... but it did not. Cyrus imap, even though running as cyrus,
> > did not have the permission to read the file. chown'ing would have worked
> > though, but was not an option as it would not have been accepted by
> > sendmail's security checks.
> >
> > Well, I have changed the source code of `master`, and now it works. But I
> > don't know whether it will impose any security risks or affect the general
> > operability of cyrus imap.
> >
> > These are my changes to file /usr/src/cyrus-imapd-2.07/master/master.c :
> >
> >     int become_cyrus(void)
> >      {
> >          struct passwd *p;
> >          static int uid = 0;
> > +        static int gid = 0;
> >
> > -        if (uid) return setuid(uid);
> > +        if (uid&&gid) return (setgid(gid) || setuid(uid)) ;
> >
> >          p = getpwnam(CYRUS_USER);
> >          if (p == NULL) {
> >              syslog(LOG_ERR, "no entry in /etc/passwd for %s",
> >              CYRUS_USER); return -1;
> >          }
> >          uid = p->pw_uid;
> > +        gid = p->pw_gid;
> > -        return setuid(uid);
> > +        return (setgid(gid) | setuid(uid)) ;
> >      }
> >
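Review bot: the two new return lines disagree on how the calls are combined, and neither reports failure the way the original `return setuid(uid);` did. In the cached path `setgid(gid) || setuid(uid)` yields 1 (not -1) when setgid() fails and silently skips setuid(); in the fall-through path `setgid(gid) | setuid(uid)` calls setuid() even after setgid() has failed, so the process can end up with the cyrus uid but root's gid. Check each call separately and return -1 on the first failure. Two smaller points: the `if (uid&&gid)` cache test never caches a gid of 0, and setgid() does not touch the supplementary group list, so root's supplementary groups stay attached to the unprivileged master; a setgroups() or initgroups(CYRUS_USER, gid) before setgid() would complete the drop.
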
> > Any comment on whether this course of action is acceptable is welcome.
> >
> > Thanks, Robert.
> >
> > ---
> > The universe is filled with dark letters even though we can't see them.
> > 90% of all letters are dark.
> >
> 
-- 
David W. Jablonski, RHCE, MCSE
Systems Administrator
http://www.weccusa.org
http://www.energyfinancesolutions.com
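
A privilege drop in the spirit of become_cyrus() as discussed in the quoted thread: group before uid, supplementary groups cleared, each call checked, and the result verified. This is an added example, not code from cyrus-imapd; the function names drop_privileges, drop_to_user and ids_match are hypothetical.

```c
/* Added example (not the cyrus-imapd code): a privilege drop that sets the
 * group *before* the uid, clears root's supplementary groups, and verifies
 * the result.  Function names are hypothetical. */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 0 if real and effective ids both equal the target, -1 otherwise. */
int ids_match(uid_t uid, gid_t gid)
{
    return (getuid() == uid && geteuid() == uid &&
            getgid() == gid && getegid() == gid) ? 0 : -1;
}

/* Drop to uid/gid.  Order matters: once setuid() to a non-root uid has run,
 * setgid()/setgroups() are no longer permitted, which is why a setuid()-only
 * master keeps root's gid and cannot read a file that is only group-readable
 * by the cyrus group. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0) {
        /* setgid() does not touch the supplementary list; root's groups
         * would otherwise stay attached to the unprivileged process. */
        if (setgroups(1, &gid) < 0) return -1;
    }
    if (setgid(gid) < 0) return -1;   /* check each call; do not OR them */
    if (setuid(uid) < 0) return -1;
    /* After dropping to a non-root uid, regaining root must be impossible. */
    if (uid != 0 && setuid(0) == 0) return -1;
    return ids_match(uid, gid);
}

/* Look up the account the way become_cyrus() does and drop to it. */
int drop_to_user(const char *name)
{
    struct passwd *p = getpwnam(name);
    if (p == NULL) {
        fprintf(stderr, "no entry in /etc/passwd for %s\n", name);
        return -1;
    }
    return drop_privileges(p->pw_uid, p->pw_gid);
}
```

Run as root, drop_to_user("cyrus") leaves the process with the cyrus uid and primary gid and no supplementary groups; run unprivileged, dropping to your own ids succeeds and the setuid(0) check confirms root cannot be regained.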
