Nix, I follow you.. when cyrus runs sendmail, it has GID=smmsp and since
/var/spool/clientmqueue has rwxrwx smmsp smmsp,
it SHOULD be able to put files in there.... but it doesn't.
I did telnet localhost smtp, tried sending to a user with a sieve
vacation/redirect and did strace on the process
but it didn't reveal anything interesting. I even straced the master
process. I don't think you can strace timsieved since that is a fork off
cyrus and listens on socket.
Raz
Nikola Milutinovic wrote:
Razmik Ghanaghounian wrote:
Privet Sergey..
I put trusted users 'cyrus' in submit.cf and it didn't help.. here is
the cut from my submit.cf
#####################
# Trusted users #
#####################
# this is equivalent to setting class "t"
#Ft/etc/mail/trusted-users
Troot
Tdaemon
Tuucp
Tcyrus
and Nikola... the permissions on sendmail binary is
r-xr-sr-x r root smmsp
so yes, it is setGid smmsp
anyways setting g+w on /var/spool/clientmqueue and making cyrus
member of smmsp does the trick but I know it isn't the right way.
The SECURITY file of the Sendmail distribution explains this to some
length, but I'll just give you the gist.
Older versions of Sendmail had the binary set to "rwsr-xr-x", with
SetUID=root. This allowed any user on the system to use sendmail to
send mail to another local user (sendmail had to be root in order to
invoke /bin/mail as root, which delivered to /var/spool/mail/*). Newer
versions have actually 2 daemons using the same binary. Three system
accounts are in play here, "root", "smmta" and "smmsp". MTA daemon
runs as "root" and drops to "smmta" when it handles a connection.
MTA-queue scans /var/spool/clientmqueue and if it sees a mail in it,
delivers it as "root". Sendmail binary is SetGID to "smmsp" and any
user running it will run it with that group ID, allowing any user on
the system to submit messages to /var/spool/clientmqueue, in case MSP
cannot contact MTA directly (over the socket).
So, to summarize, "cyrus" shouldn't be a member of "smmsp" group, but
rwxrwx--- on /var/spool/clientmqueue is a must.
Nix.
----
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
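
Added example, not part of the original thread and not Sendmail or Cyrus code: a Python check of the layout described above (binary setgid to smmsp, queue directory rwxrwx--- with group smmsp, cyrus not a member of smmsp). The binary path /usr/sbin/sendmail and all function names are assumptions; the queue path and the modes are the ones quoted in the thread.

```python
import grp
import os
import stat
import sys

def check_binary(mode, gid, smmsp_gid):
    """Findings for the sendmail binary; the thread shows r-xr-sr-x root smmsp."""
    findings = []
    if not stat.S_ISREG(mode):
        findings.append("binary is not a regular file")
    if not mode & stat.S_ISGID:
        findings.append("binary is not setgid, so callers never gain the smmsp group")
    if gid != smmsp_gid:
        findings.append("binary group is not smmsp")
    if mode & stat.S_ISUID:
        findings.append("binary is setuid (the older root layout)")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("binary is writable by group or others")
    return findings

def check_queue(mode, gid, smmsp_gid):
    """Findings for the submission queue; the thread calls for rwxrwx--- smmsp."""
    findings = []
    if not stat.S_ISDIR(mode):
        findings.append("queue is not a directory")
    if gid != smmsp_gid:
        findings.append("queue group is not smmsp")
    if (mode & stat.S_IRWXG) != stat.S_IRWXG:
        findings.append("queue lacks rwx for group; setgid submitters cannot queue mail")
    if mode & stat.S_IRWXO:
        findings.append("queue is accessible to others")
    return findings

def check_membership(user, members):
    """gr_mem lists supplementary members only; a service account should not be one."""
    return [f"{user} is a member of smmsp; remove it"] if user in members else []

def audit(binary="/usr/sbin/sendmail", queue="/var/spool/clientmqueue", user="cyrus"):
    # Default binary path is an assumption; pass the real one as the first argument.
    group = grp.getgrnam("smmsp")
    b, q = os.stat(binary), os.stat(queue)
    return (check_binary(b.st_mode, b.st_gid, group.gr_gid)
            + check_queue(q.st_mode, q.st_gid, group.gr_gid)
            + check_membership(user, group.gr_mem))

if __name__ == "__main__":
    problems = audit(*sys.argv[1:4])
    print("\n".join(problems) or "MSP permissions match the layout described in the thread")
    sys.exit(1 if problems else 0)
```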