Subject: Re: bad sendmail permissions
To: None <netbsd-help@netbsd.org>
From: Frederick Bruckman <fredb@immanent.net>
List: netbsd-help
Date: 01/05/2005 03:55:33
In article <BAY102-F40AA7316464FCCEEC9EB84C5920@phx.gbl>,
	"Old Thrashbarg" <bsd_beats_ms@hotmail.com> writes:
> Sorry for sending this through Hotmail, I didn't have much of a choice. Also 
> CC me a copy of anything you post about this because my server can't receive 
> mail either.
> 
> 
> Recently sendmail has decided to stop sending mail because of a permissions 
> problem, I'm guessing a few permissions were changed when the power went out 
> during the last storm.
> 
> [kaput]:~$ sendmail -v bsd_beats_ms@hotmail.com
> subject: test
> this is a test
> collect: Cannot write ./dfj03FWkOn005035 (bfcommit, uid=1008, gid=1001): 
> Permission denied

So, 1008:1001 is your user?  That message can't be coming from the
setgid "smmsp" mail submission program. Are you sure you started the
(main) sendmail daemon as root? (hint: "/etc/rc.d/sendmail restart")
 
> Originally this gave out two permission denied errors but I cleaned that up 
> by changing the permissions of /var/spool/mqueue which was originally owned 
> by root:wheel.

It *should* *be* root:wheel.  What's supposed to happen, is that
"sendmail" in path -- "/usr/sbin/sendmail" -- is a symlink to
"/usr/sbin/mailwrapper". It sees the line in "/etc/mailer.conf"
that redirects "sendmail" to "/usr/libexec/sendmail/sendmail",
the real user submission program, which being setgid "smmsp",
can write to "/var/spool/clientmqueue". Next, the user submission
"sendmail" connects to the running daemon "sendmail" over localhost
port 25. The daemon should be running as root, so it shouldn't
have any problem writing to its own queue ("/var/spool/mqueue").

Now, the trick is, the daemon process "sendmail", running as root,
is really the same executable as the setgid "smmsp" "sendmail". It
just responds differently depending upon how it was invoked. In
particular, to get the secure behaviour when invoked as an ordinary
user, "sendmail" is no longer suid "root", so the daemon *must* *be*
started as "root". Was it?

> drwxrwx---  2 smmsp  smmsp   1024 Jan  4 01:48 clientmqueue/
> drwxrwxr-x  2 smmsp  smmsp    512 Jan  4 02:03 mqueue/

> I can't seem to clear up that permission denied message. Sendmail is owned by 
> root:smmsp and has a set group ID bit. Uid 1008 is my user account, gid 1001 
> is smmsp.


Frederick
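
Added example, not part of the original message: a small shell check that reads `ls -l` lines for the two queue directories and reports where they differ from the layout described in the reply (mqueue owned by root:wheel, clientmqueue writable by group smmsp). The function names are made up for this example, and the smmsp owner expected for clientmqueue is taken from the quoted listing.

```shell
#!/bin/sh
# Added example: audit `ls -l` output for the two sendmail queue directories.
# Expectations: mqueue root:wheel (stated in the reply); clientmqueue
# smmsp:smmsp and group-writable (from the quoted listing and the reply).

# check_entry LINE OWNER GROUP NEED_GROUP_WRITE(yes|no)
# Prints one finding per problem; returns 0 if the entry is as expected.
check_entry() {
    line=$1 want_owner=$2 want_group=$3 need_gw=$4
    # ls -l fields: mode links owner group size month day time name
    read -r mode _links owner group _size _mon _day _time name <<EOF
$line
EOF
    name=${name%/}            # drop the "/" that ls -F appends
    status=0
    if [ "$owner:$group" != "$want_owner:$want_group" ]; then
        echo "$name: owner:group is $owner:$group, expected $want_owner:$want_group"
        status=1
    fi
    if [ "$need_gw" = yes ]; then
        case $mode in
            ?????w*) ;;       # sixth character of the mode is group write
            *) echo "$name: not group-writable ($mode)"; status=1 ;;
        esac
    fi
    return $status
}

# audit_queues: read ls -l lines on stdin, check the two queue directories.
audit_queues() {
    rc=0
    while IFS= read -r entry; do
        case $entry in
            *clientmqueue|*clientmqueue/) check_entry "$entry" smmsp smmsp yes || rc=1 ;;
            *mqueue|*mqueue/)             check_entry "$entry" root wheel no || rc=1 ;;
        esac
    done
    return $rc
}

# Sample input: the listing quoted in the message above.
audit_queues <<'EOF' || echo "queue directories differ from the expected layout"
drwxrwx---  2 smmsp  smmsp   1024 Jan  4 01:48 clientmqueue/
drwxrwxr-x  2 smmsp  smmsp    512 Jan  4 02:03 mqueue/
EOF
```

On a live system the same function can be fed from `ls -ld /var/spool/clientmqueue /var/spool/mqueue`. It does not check which user the daemon runs as.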