Package: sendmail Version: 8.15.2-12 Severity: grave Tags: patch -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512
On upgrade to buster, sendmail upgrade failed with this message: > start-stop-daemon: matching only on non-root pidfile > /var/run/sendmail/mta/sendmail.pid is insecure Some work with Google found Debian bug #922395, which, although not for sendmail, pointed the way to the solution. The following patch for /etc/init.d/sendmail should fix the problem: - --------- CUT HERE ---------- *** sendmail.orig 2019-07-20 23:35:49.360737086 -0400 - --- sendmail 2019-07-20 22:40:04.782571907 -0400 *************** *** 149,163 **** - --- 149,166 ---- --start"; STOP_MTAL_CMD="start-stop-daemon \ --pidfile $MTAL_PIDFILE \ + --exec $MTA_DAEMON \ --name sendmail-mta \ --stop"; SIGNAL_MTAL_CMD="start-stop-daemon \ --pidfile $MTAL_PIDFILE \ + --exec $MTA_DAEMON \ --name sendmail-mta \ --stop"; START_MTAQ_CMD="start-stop-daemon \ --pidfile $MTAQ_PIDFILE \ --make-pidfile \ + --exec $MTA_DAEMON \ --startas $MTA_COMMAND \ --start"; STOP_MTAQ_CMD="start-stop-daemon \ *************** *** 165,170 **** - --- 168,174 ---- --stop"; SIGNAL_MTAQ_CMD="start-stop-daemon \ --pidfile $MTAQ_PIDFILE \ + --exec $MTA_DAEMON \ --name sendmail-mta \ --stop"; START_MSP_CMD="start-stop-daemon \ - --------- CUT HERE ---------- It may also be necessary to delete /var/run/sendmail/mta/sendmail.pid as well. Note: Although probably not a sendmail problem (start-stop daemon?), it might be advisable to re-word the error message. "matching only on non-root pidfile xxx.pid is insecure" is rather cryptic, and does not point the way to fixing the problem. .....Ron Murray - -- Package-specific info: Output of /usr/share/bug/sendmail/script: ls -alR /etc/mail: /etc/mail: total 568 drwxr-sr-x 8 smmta smmsp 4096 Jul 20 22:42 . drwxr-xr-x 260 root root 16384 Jul 20 23:16 .. - -rwxr-xr-- 1 root smmsp 12904 Jul 20 22:42 Makefile - -rw------- 1 root smmsp 5526 Jul 20 22:42 access - -rw-r----- 1 smmta smmsp 12288 Jul 20 22:42 access.db - -rw-r--r-- 1 root smmsp 5432 Jul 2 2018 access.old - -rw------- 1 root root 2084 Nov 4 2014 access.orig - -rw-r--r-- 1 root root 281 Sep 5 2004 address.resolve lrwxrwxrwx 1 root smmsp 10 Mar 28 2015 aliases -> ../aliases - -rw-r----- 1 smmta smmsp 12288 Jul 21 2017 aliases.db - -rw-r--r-- 1 root root 1040 Nov 25 2007 aliases.orig drwx--S--- 2 root smmsp 45 Jun 18 2017 auth - -rw-r--r-- 1 root root 3722 Jul 20 22:42 databases - -rw-r--r-- 1 root root 3720 Oct 22 2014 databases.orig - -rw-r----- 1 smmta smmsp 42 Apr 7 2004 default-auth-info - -rw-r--r-- 1 smmta smmsp 0 Oct 1 2000 domaintable - -rw-r--r-- 1 root root 5659 Dec 8 2016 helpfile - -rw-r--r-- 1 smmta smmsp 21 Apr 7 2004 local-host-names drwxr-sr-x 2 smmta smmsp 81 Jul 20 20:54 m4 - -rw-r--r-- 1 smmta smmsp 15 Sep 25 2008 mailertable - -rw-r----- 1 root smmsp 12288 Jun 18 2017 mailertable.db - -rw-r--r-- 1 smmta smmsp 12973 Jun 4 2015 mimedefang-filter - -rw-r--r-- 1 smmta smmsp 12973 Jun 4 2015 mimedefang-filter.spamassassin - -rw-r--r-- 1 smmta smmsp 4108 Aug 18 2006 mimedefang.conf.12596 - -rw-r--r-- 1 smmta smmsp 4108 Dec 28 2006 mimedefang.conf.13657 - -rw-r--r-- 1 smmta smmsp 4108 Jan 30 2007 mimedefang.conf.15047 - -rw-r--r-- 1 smmta smmsp 4108 Mar 16 2007 mimedefang.conf.25782 - -rw-r--r-- 1 smmta smmsp 4108 Apr 26 2005 mimedefang.conf.5937 - -rw-r--r-- 1 smmta smmsp 4108 Nov 21 2006 mimedefang.conf.6382 - -rw-r--r-- 1 smmta smmsp 4108 Mar 27 2006 mimedefang.conf.7263 - -rw-r--r-- 1 root root 276 Feb 11 2005 mimedefang.pl.conf drwxr-xr-x 2 root root 21 Jul 20 20:51 peers - -rw-r--r-- 1 smmta smmsp 0 Jan 30 2002 relay-domains - -rw-r--r-- 1 root root 4297 May 14 2018 sa-mimedefang.cf drwxr-xr-x 2 smmta smmsp 132 May 24 2015 sasl - -rw-r--r-- 1 smmta smmsp 54 Apr 4 2015 sendmail.cN - -rw-r--r-- 1 root smmsp 75517 Jul 20 22:42 sendmail.cf - -rw-r--r-- 1 root root 75514 Jul 20 22:42 sendmail.cf.old - -rw-r--r-- 1 root root 12235 Jul 20 22:42 sendmail.conf - -rw-r--r-- 1 root root 12222 Oct 22 2014 sendmail.conf.orig - -rw-r--r-- 1 smmta smmsp 15 Apr 3 2015 sendmail.ct - -rw-r--r-- 1 smmta smmsp 209 Mar 2 2008 sendmail.cw - -rw-r--r-- 1 root smmsp 8600 Jul 20 22:42 sendmail.mc - -rw-r--r-- 1 root root 148 Sep 15 2018 service.switch - -rw-r--r-- 1 root root 179 Sep 15 2018 service.switch-nodns drwxr-sr-x 2 smmta smmsp 53 Nov 7 2014 smrsh lrwxrwxrwx 1 root root 15 Nov 7 2014 spamassassin -> ../spamassassin - -rw-r--r-- 1 root smmsp 45240 Jul 20 22:42 submit.cf - -rw-r--r-- 1 root root 45230 Jul 20 22:42 submit.cf.old - -rw-r--r-- 1 root smmsp 2475 Jul 20 22:42 submit.mc drwxr-xr-x 3 smmta smmsp 4096 Jul 8 2015 tls - -rw-r--r-- 1 smmta smmsp 0 Apr 4 2004 trusted-users - -rw-r--r-- 1 smmta smmsp 152 Mar 2 2008 virtusertable - -rw-r----- 1 root smmsp 12288 Jun 18 2017 virtusertable.db /etc/mail/m4: total 16 drwxr-sr-x 2 smmta smmsp 81 Jul 20 20:54 . drwxr-sr-x 8 smmta smmsp 4096 Jul 20 22:42 .. - -rw-r--r-- 1 root root 790 Jan 30 2017 clamav-milter.m4 - -rw-r----- 1 smmta smmsp 838 Jul 18 2009 dialup.m4 - -rw-r--r-- 1 root root 107 Jul 2 2016 opendkim.m4 - -rw-r----- 1 smmta smmsp 0 Apr 4 2004 provider.m4 /etc/mail/peers: total 8 drwxr-xr-x 2 root root 21 Jul 20 20:51 . drwxr-sr-x 8 smmta smmsp 4096 Jul 20 22:42 .. - -rw-r--r-- 1 root root 328 Sep 17 2003 provider /etc/mail/sasl: total 24 drwxr-xr-x 2 smmta smmsp 132 May 24 2015 . drwxr-sr-x 8 smmta smmsp 4096 Jul 20 22:42 .. lrwxrwxrwx 1 root root 15 Nov 7 2014 Sendmail.conf -> Sendmail.conf.2 - -rw-r--r-- 1 root root 658 Sep 21 2004 Sendmail.conf.1 - -rw-r----- 1 smmta smmsp 776 Feb 4 2012 Sendmail.conf.2 - -rwxr--r-- 1 root root 3685 Jul 20 22:42 sasl.m4 - -rw-r--r-- 1 root root 589 Sep 21 2004 saslpasswd.conf.1 - -rw-r--r-- 1 root root 701 Sep 21 2004 saslpasswd.conf.2 /etc/mail/smrsh: total 4 drwxr-sr-x 2 smmta smmsp 53 Nov 7 2014 . drwxr-sr-x 8 smmta smmsp 4096 Jul 20 22:42 .. lrwxrwxrwx 1 root root 26 Nov 7 2014 mail.local -> /usr/lib/sm.bin/mail.local lrwxrwxrwx 1 root root 17 Nov 7 2014 procmail -> /usr/bin/procmail lrwxrwxrwx 1 root root 17 Nov 7 2014 vacation -> /usr/bin/vacation /etc/mail/tls: total 60 drwxr-xr-x 3 smmta smmsp 4096 Jul 8 2015 . drwxr-sr-x 8 smmta smmsp 4096 Jul 20 22:42 .. lrwxrwxrwx 1 root root 11 Jun 4 2015 53395837.0 -> rjmx-ca.crt lrwxrwxrwx 1 root root 20 Jun 4 2015 d521656a.0 -> rjmx-mail-client.crt - -rw-r--r-- 1 root root 424 Jul 8 2015 dhparams.pem lrwxrwxrwx 1 root root 13 Jun 4 2015 f99016ee.0 -> rjmx-mail.crt - -rw-r--r-- 1 root root 7 Apr 4 2004 no_prompt drwxr-xr-x 2 root root 118 Nov 7 2014 old lrwxrwxrwx 1 root root 26 Nov 7 2014 rjmx-ca.crt -> /etc/ssl/certs/rjmx-ca.crt lrwxrwxrwx 1 root root 35 Nov 7 2014 rjmx-mail-client.crt -> /etc/ssl/certs/rjmx-mail-client.crt lrwxrwxrwx 1 root root 34 Nov 7 2014 rjmx-mail-client.key -> /etc/ssl/keys/rjmx-mail-client.key lrwxrwxrwx 1 root root 28 Nov 7 2014 rjmx-mail.crt -> /etc/ssl/certs/rjmx-mail.crt lrwxrwxrwx 1 root root 27 Nov 7 2014 rjmx-mail.key -> /etc/ssl/keys/rjmx-mail.key - -rw------- 1 root root 1190 Apr 4 2004 sendmail-client.cfg - -rw-r--r-- 1 root smmsp 822 Apr 4 2004 sendmail-client.crt - -rw------- 1 root root 639 Apr 4 2004 sendmail-client.csr - -rw-r----- 1 root smmsp 887 Apr 4 2004 sendmail-common.key - -rw-r--r-- 1 root smmsp 245 Mar 26 2008 sendmail-common.prm - -rw------- 1 root root 1190 Apr 4 2004 sendmail-server.cfg - -rw-r--r-- 1 root smmsp 822 Apr 4 2004 sendmail-server.crt - -rw------- 1 root root 639 Apr 4 2004 sendmail-server.csr - -rwxr--r-- 1 root root 3246 Jul 20 22:42 starttls.m4 - -rw-r--r-- 1 root root 2478 May 14 2004 starttls.m4.1 - -rw-r--r-- 1 smmta smmsp 2465 May 15 2004 starttls.m4.2 /etc/mail/tls/old: total 24 drwxr-xr-x 2 root root 118 Nov 7 2014 . drwxr-xr-x 3 smmta smmsp 4096 Jul 8 2015 .. - -rw-r--r-- 1 root root 1326 May 8 2001 rjmx-ca.crt - -rw-r--r-- 1 smmta smmsp 3714 Mar 27 2004 rjmx-mail-client.crt - -rw-r----- 1 smmta smmsp 887 Mar 27 2004 rjmx-mail-client.key - -rw-r--r-- 1 smmta smmsp 3674 May 25 2002 rjmx-mail.crt - -rw-r----- 1 smmta smmsp 887 May 25 2002 rjmx-mail.key sendmail.conf: DAEMON_NETMODE="Static"; DAEMON_NETIF="eth0"; DAEMON_MODE="Daemon"; DAEMON_PARMS=""; DAEMON_HOSTSTATS="No"; DAEMON_MAILSTATS="No"; QUEUE_MODE="${DAEMON_MODE}"; QUEUE_INTERVAL="10m"; QUEUE_PARMS=""; MSP_MODE="Cron"; MSP_INTERVAL="20m"; MSP_PARMS=""; MSP_MAILSTATS="${DAEMON_MAILSTATS}"; MISC_PARMS=""; CRON_MAILTO="root"; CRON_PARMS=""; LOG_CMDS="No"; HANDS_OFF="No"; AGE_DATA=""; DAEMON_RUNASUSER="No"; DAEMON_STATS="${DAEMON_MAILSTATS}"; MSP_STATS="${MSP_MAILSTATS}"; sendmail.mc: divert(-1) divert(0) define(`_USE_ETC_MAIL_')dnl include(`/usr/share/sendmail/cf/m4/cf.m4')dnl VERSIONID(`@(#)sendmail.mc 8.9.3-21 (Debian) 20000309') OSTYPE(`debian')dnl DOMAIN(`debian-mta')dnl undefine(`confHOST_STATUS_DIRECTORY')dnl #DAEMON_HOSTSTATS include(`/etc/mail/tls/starttls.m4')dnl include(`/etc/mail/sasl/sasl.m4')dnl define(`confTO_CONNECT', `1m') define(`confTRY_NULL_MX_LIST',true) define(`confDONT_PROBE_INTERFACES',true) define(`PROCMAIL_MAILER_PATH',`/usr/bin/procmail') define(`confCW_FILE',`/etc/mail/sendmail.cw') define(`confCT_FILE',`/etc/mail/sendmail.ct') define(`RELAY_MAILER_ARGS', `TCP $h 587') define(`ESMTP_MAILER_ARGS', `TCP $h 587') define(`confPRIVACY_FLAGS',dnl `needmailhelo,needexpnhelo,needvrfyhelo,restrictqrun,restrictexpand,nobodyreturn,authwarnings')dnl define(`confCONNECTION_RATE_THROTTLE', `15')dnl define(`confCONNECTION_RATE_WINDOW_SIZE',`10m')dnl define(`SMART_HOST',`smtp.comcast.net')dnl define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl FEATURE(`authinfo',`hash /etc/mail/auth/client-info')dnl FEATURE(`smrsh')dnl FEATURE(`mailertable',`hash -o /etc/mail/mailertable') FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable') FEATURE(redirect) FEATURE(always_add_domain) FEATURE(use_cw_file) FEATURE(use_ct_file) FEATURE(local_procmail) FEATURE(`access_db', , `skip')dnl FEATURE(`blacklist_recipients') FEATURE(`greet_pause', `1000')dnl 1 seconds FEATURE(`delay_checks', `friend', `n')dnl define(`confBAD_RCPT_THROTTLE',`3')dnl FEATURE(`conncontrol', `nodelay', `terminate')dnl FEATURE(`ratecontrol', `nodelay', `terminate')dnl FEATURE(`masquerade_envelope') FEATURE(masquerade_entire_domain) FEATURE(`preserve_local_plus_detail') FEATURE(`no_default_msa', `dnl')dnl DAEMON_OPTIONS(`Family=inet6, Name=MTA-v6, Port=smtp')dnl DAEMON_OPTIONS(`Family=inet6, Name=MTA-v6, Port=2525')dnl DAEMON_OPTIONS(`Family=inet6, Name=MSP-v6, Port=submission, M=Ea')dnl INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/spamass/spamass.sock, F=, T=C:4m;S:4m;R:4m;E:4m')dnl INPUT_MAIL_FILTER(`clamav', `S=local:/var/run/clamav/clamav-milter.ctl, F=, T=S:4m;R:4m')dnl INPUT_MAIL_FILTER(`mimedefang', `S=unix:/var/spool/MIMEDefang/mimedefang.sock, F=T, T=S:1m;R:1m')dnl INPUT_MAIL_FILTER(`opendkim', `S=local:/var/run/opendkim/opendkim.sock')dnl INPUT_MAIL_FILTER(`opendmarc', `S=local:/var/run/opendmarc/opendmarc.sock')dnl define(`confMILTER_MACROS_CONNECT', `t, b, j, _, {daemon_name}, {if_name}, {if_addr}, {client_resolve}')dnl define(`confMILTER_MACROS_HELO',`s, {tls_version}, {cipher}, {cipher_bits}, {cert_subject}, {cert_issuer}')dnl define(`confMILTER_MACROS_ENVRCPT',`r, v, Z, {auth_type}, {rcpt_mailer}, {rcpt_host}, {rcpt_addr}')dnl define(`confINPUT_MAIL_FILTERS', `clamav,mimedefang,spamassassin, opendkim,opendmarc')dnl MAILER(smtp) MAILER(procmail) MAILER(local)dnl LOCAL_CONFIG MASQUERADE_AS(rjmx.net) Dwmail Dmrjmx.net define(`confDOMAIN_NAME', `$w.$m')dnl define(`ALIAS_FILE',`/etc/mail/aliases') define(`confLOCAL_MAILER', `cyrus') define(`CYRUS_MAILER_USER', `cyrus:mail') MAILER_DEFINITIONS Mcyrus, P=[IPC], F=lsDFMnqA@/:|SmXz, E=\r\n, S=EnvFromL, R=EnvToL/HdrToL, T=DNS/RFC822/X-Unix, A=FILE /run/cyrus/socket/lmtp LOCAL_RULE_0 R$=N $: $#local $: $1 R$=N < @ $=w . > $: $#local $: $1 Rbb + $+ < @ $=w . > $#cyrus $: + $1 LOCAL_CONFIG H?l?X-Envelope-From: $f FN /etc/mail/sendmail.cN O CipherList=HIGH:!ADH O DHParameters=/etc/mail/tls/dhparams.pem O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_CIPHER_SERVER_PREFERENCE O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 define(`confBIND_OPTS', `WorkAroundBrokenAAAA') submit.mc... divert(-1)dnl divert(0)dnl define(`_USE_ETC_MAIL_')dnl include(`/usr/share/sendmail/cf/m4/cf.m4')dnl VERSIONID(`$Id: submit.mc, v 8.12.1-5 2001-12-14 13:11:55 cowboy Exp $') OSTYPE(`debian')dnl DOMAIN(`debian-msp')dnl include(`/etc/mail/tls/starttls.m4')dnl include(`/etc/mail/sasl/sasl.m4')dnl FEATURE(`msp', `[127.0.0.1]', `25')dnl - -- System Information: Debian Release: 10.0 APT prefers stable APT policy: (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 4.19.0-5-amd64 (SMP w/2 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages sendmail depends on: ii sendmail-base 8.15.2-12 ii sendmail-bin 8.15.2-12 ii sendmail-cf 8.15.2-12 ii sensible-mda 8.15.2-12 sendmail recommends no packages. Versions of packages sendmail suggests: ii rmail 8.15.2-12 ii sendmail-doc 8.15.2-12 Versions of packages sensible-mda depends on: ii libc6 2.28-10 ii procmail 3.22-26 ii sendmail-bin [mail-transport-agent] 8.15.2-12 Versions of packages rmail depends on: ii libc6 2.28-10 ii libldap-2.4-2 2.4.47+dfsg-3 ii sendmail-bin [mail-transport-agent] 8.15.2-12 Versions of packages libmilter1.0.1 depends on: ii libc6 2.28-10 Versions of packages sendmail-bin depends on: ii debconf 1.5.71 ii libc6 2.28-10 ii libdb5.3 5.3.28+dfsg1-0.5 ii libldap-2.4-2 2.4.47+dfsg-3 ii liblockfile1 1.14-1.1 ii libsasl2-2 2.1.27+dfsg-1 ii libssl1.1 1.1.1c-1 ii libwrap0 7.6.q-28 ii lsb-base 10.2019051400 ii procps 2:3.3.15-2 ii sendmail-base 8.15.2-12 ii sendmail-cf 8.15.2-12 Versions of packages sendmail-bin suggests: ii libsasl2-modules 2.1.27+dfsg-1 ii openssl 1.1.1c-1 ii sasl2-bin 2.1.27+dfsg-1 ii sendmail-doc 8.15.2-12 - -- no debconf information -----BEGIN PGP SIGNATURE----- iQJCBAEBCgAsFiEETZlw4yMXM0sUHntjEvfoZbXi52EFAl0z3xUOHHJqbXhAcmpt eC5uZXQACgkQEvfoZbXi52G8UQ/8CE3E/95apdoq9x4m53OMV3ojzXJGe5LKJmZ5 X4KZ/Saanp+nVkAIgYrEVHM2hxxIhho+UVrAs/ACpLc/D9/V2dkFveTqj9XYxl4l RwLTc/216MOSGmi/3qqyiRhDV+p9HZV2NAoxzVGOqUc9gHw+o0xJsXjJBk7/Gza/ Ef3cUlWf36IHS+VSumI5gKoBlfrd+4xE+1B1EGrBqW7cgsZToprfe8HYeupxMRFd RC21/0IUuzv8sdu2bPAIydm9bTP+oiOWnsNudLVukSITDN+/vbujHt02EV+fB4FU HbDdHgpaXGQ5T2wGQNwtC0RcMAJpTtdCsWy3HJ15ybZ+7AlEsUQ27yuPil1hj0HS /m0t2S8o3l8B4KjtP54qmHYQn5vvELbiaJnhd9uFLKhqLNDqgUB2Yz//jW6kBgHQ 8Z+UNxkXGvewH22QmnasU9+29eNAMiSLi40Tb6C23OzgXH4qo8Ztqwt4TJ2xZ4Ax vxPPMxvzDVNo1O3pi2eWZGaWwVcAGO2gASgplfZe1cW/fUydtcwfiFIQvkH7t43I 924i+f5/Mo6cgX1YPuHX7Y8WH8gVDsFR/h2N5uuNeTSwR8Xz1CLfu7IjwUOpECnP srHh13f+/JD3FHofzOiYH3Qq3C23+E6HmRd7P/kxjvNKpYisGJ9uzcGa4zgQfh4D sIFAino= =z4ja -----END PGP SIGNATURE-----