news...@acrocat.com wrote:
> Hi Franz -
> 
> /etc/mail was:
> drwxr-sr-x   9 smmta smmsp
> 
> /etc/mail/smrsh/
> drwsr-sr-x 2 root  root
> 
> I changed them to what you had below (755 root:root).  Same error:
> 
> Cannot exec /etc/mail/smrsh: Permission denied
> Jan 27 21:14:10 acrocatlabs sm-mta[11770]: p0QDZfKc004026:
> to="|/usr/bin/dspam --user global --class=spam --source=error",
> ctladdr=<s...@acrocat.com> (8/0), delay=1+07:38:26, xdelay=00:00:00, maile
> 
> I'm really stumped on this one.  If they are 755 root:root, how can root
> not have perms to do this?
> 
> One thing I noticed:
> ls -la /etc/mail/smrsh
>     drwsr-sr-x 2 root root 4096 2011-01-24 14:14 .
>     lrwxrwxrwx 1 root root   14 2011-01-24 14:14 dspam -> /usr/bin/dspam
>     lrwxrwxrwx 1 root root   26 2011-01-19 19:54 mail.local -> /usr/lib/sm.bin/mail.local
>     lrwxrwxrwx 1 root root   17 2011-01-19 19:54 procmail -> /usr/bin/procmail
> 
> ls -la /usr/bin/dspam
>     -r-xr-s--- 1 root mail 258639 2011-01-26 15:25 /usr/bin/dspam
> ls -la /usr/bin/procmail
>     -rwsr-sr-x 1 root mail 89176 2010-08-04 19:49 /usr/bin/procmail
> 
> The actual binaries are root:mail and the links under ../smrsh are
> root:root... could that be the issue?
> 
> Ed
> 
> On 1/27/2011 10:04 PM, Frantisek Hanzlik wrote:
>>
>> It looks fine...
>> But maybe there are bad permissions on the "/etc/mail" and "/etc/mail/smrsh"
>> directories themselves. You wrote in a previous mail that they are:
>>
>> ls -la /etc/mail/smrsh/
>> drwxr-sr-x 2 root  root  4096 2011-01-24 14:14 .
>> drwxr-sr-x 9 smmta smmsp 4096 2011-01-26 09:06 ..
>>
>> Here the SGID bit on both directories is suspicious.
>> Fedora has "smrsh" directory directly under /etc, with permissions:
>> ls -ld /etc/smrsh
>> drwxr-xr-x. 2 root root 4096 21. led 00.40 /etc/smrsh
>>
>> ls -ld /etc/mail
>> drwxr-xr-x. 2 root root 4096 25. led 11.42 /etc/mail
>>
>> I think there isn't any reason to have SGID bits set on both these
>> directories, on the contrary this may cause these problems when sendmail
>> does any security checks.
>>
>> Franta Hanzlik

Oh, I made a mistake - when sendmail calls the LDA, it is done with the
recipient's credentials. Thus, /usr/bin/dspam should be world-runnable.

Franta Hanzlik
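
An added example, not part of the original messages: a Python check that walks an smrsh symlink to its target and reports which path component denies execute to a given uid/gid set, using the plain owner/group/other mode bits discussed in this thread. The recipient uid/gid and the temporary directory layout are constructed; root's override, ACLs and SELinux/AppArmor are not modelled.

```python
import os
import stat
import tempfile

def _components(p):
    """Yield every prefix of an absolute path: /a, /a/b, /a/b/c."""
    current = os.sep
    for name in p.strip(os.sep).split(os.sep):
        current = os.path.join(current, name)
        yield current

def can_exec(path, uid, gids):
    """Return (allowed, blocking_component) for a hypothetical uid/gid set."""
    link_dir = os.path.dirname(os.path.abspath(path))  # must be searchable to reach the link
    real = os.path.realpath(path)                      # smrsh entries are symlinks
    for comp in list(_components(link_dir)) + list(_components(real)):
        st = os.stat(comp)
        # Exactly one permission class applies: owner, else group, else other.
        if uid == st.st_uid:
            bit = stat.S_IXUSR
        elif st.st_gid in gids:
            bit = stat.S_IXGRP
        else:
            bit = stat.S_IXOTH
        # x on a directory means "may traverse"; on the final file, "may execute".
        if not st.st_mode & bit:
            return False, comp
    return True, None

def demo():
    """Constructed layout mirroring the thread: smrsh/dspam -> bin/dspam."""
    base = tempfile.mkdtemp(dir="/tmp")
    for d in ("bin", "smrsh"):
        os.mkdir(os.path.join(base, d))
    for d in (base, os.path.join(base, "bin"), os.path.join(base, "smrsh")):
        os.chmod(d, 0o755)                  # explicit, so the umask does not matter
    target = os.path.join(base, "bin", "dspam")
    with open(target, "w") as fh:
        fh.write("#!/bin/sh\n")
    link = os.path.join(base, "smrsh", "dspam")
    os.symlink(target, link)
    uid, gids = 60001, {60001}              # constructed recipient, not from the thread
    os.chmod(target, 0o2550)                # -r-xr-s---, as posted for /usr/bin/dspam
    before = can_exec(link, uid, gids)
    os.chmod(target, 0o2555)                # execute added for "other"
    after = can_exec(link, uid, gids)
    return os.path.realpath(target), before, after
```

On a real system, call `can_exec("/etc/mail/smrsh/dspam", uid, gids)` with the recipient's numeric uid and group ids to see which component blocks the delivery.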
