I apologize for bringing up such an old discussion, but whatever became of this? I am using 2.0.16 with Sendmail 8.12 and I'm having the same problem: if cyrus isn't the owner of /etc/sasldb, the master process can't read it. I have read rights for group mail (which cyrus is a member of), but when I change rights on sasldb to root.mail with rx-r rights, Cyrus doesn't work. This did work for 1.6.24 before I upgraded. I set the options in Sendmail to ignore Groupreadable so Sendmail doesn't complain about those rights; it's just cyrus. Thanks for any info...
On Sat, 2001-03-10 at 13:29, Lawrence Greenfield wrote:
> This is reasonable. Would people be happier if the master process did a setgid() by default?
>
> Thanks,
> Larry
>
> --On Wednesday, January 17, 2001 02:54:00 PM +0100 Robert Böhm <[EMAIL PROTECTED]> wrote:
>
> > Hi there.
> >
> > ----- Original Message -----
> > From: <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
> > Sent: Wednesday, January 17, 2001 5:10 AM
> > Subject: Re: Authentication Cyrus/sasl
> >
> >> Sendmail and cyrus don't cooperate very well with file access.
> >
> > I've encountered the following problem in trying to use sendmail w/ SASL
> > and cyrus' imap w/ SASL at the same time:
> >
> > Per default both will want read access to the /etc/sasldb.
> > Furthermore sendmail usually will not allow this file to be write or
> > readable by any other user than the one which it is running as.
> >
> > This, at first, seems unsolvable, as my sendmail daemon is running as a
> > privileged user, as opposed to cyrus imap.
> >
> > But sendmail is kind enough to offer an option which will allow for the
> > /etc/sasldb to be groupreadable.
> > So I chmod/own'ed the file to 640/root.cyrus, where the group cyrus is the
> > default group for user cyrus, with no other users in it.
> >
> > I supposed this to work, as
> > # su cyrus
> > $ cat /etc/sasldb
> > did work, too.. but it did not. Cyrus imap, even though running as cyrus,
> > did not have the permission to read the file. chown'ing would have worked
> > though, but was not an option as it would not have been accepted by
> > sendmail's security checks.
> >
> > Well, I have changed the source code of `master`, and now it works. But I
> > don't know whether it will impose any security risks or the general
> > operability of cyrus imap.
> > > > These are my changes to file /usr/src/cyrus-imapd-2.07/master/master.c : > > > > int become_cyrus(void) > > { > > struct passwd *p; > > static int uid = 0; > > + static int gid = 0; > > > > - if (uid) return setuid(uid); > > + if (uid&&gid) return (setgid(gid) || setuid(uid)) ; > > > > p = getpwnam(CYRUS_USER); > > if (p == NULL) { > > syslog(LOG_ERR, "no entry in /etc/passwd for %s", > > CYRUS_USER); return -1; > > } > > uid = p->pw_uid; > > + gid = p->pw_gid; > > - return setuid(uid); > > + return (setgid(gid) | setuid(uid)) ; > > } > > > > Any comment on whether this course of action is acceptable is welcome. > > > > Thanks, Robert. > > > > --- > > The universe is filled with dark letters even though we can't see them. > > 90% of all letters are dark. > > > > > > -- David W. Jablonski, RHCE, MCSE Systems Administrator http://www.weccusa.org http://www.energyfinancesolutions.com
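Review bot: the two return statements in become_cyrus() combine the calls differently, and neither reports a failed privilege drop cleanly. The cached path, `return (setgid(gid) || setuid(uid))`, short-circuits correctly when setgid() fails but then returns 1 rather than -1, so a caller that tests for a negative result would read a failed drop as success. The first-call path, `return (setgid(gid) | setuid(uid))`, uses bitwise OR and therefore still calls setuid() after setgid() has already failed. Use one form on both paths: call setgid() first, return -1 immediately if it is non-zero, then return the result of setuid(). Two smaller points: the guard `if (uid&&gid)` never takes the cached path when the cyrus user's primary gid is 0, so a separate "initialised" flag would be clearer than testing the ids themselves; and no initgroups() or setgroups() call is visible in the function, so the supplementary group list inherited from the privileged parent is kept and the cyrus user's own supplementary memberships are never applied. Calling initgroups(CYRUS_USER, gid) before setgid() would address both.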