news...@acrocat.com wrote:
> I hate responding again... I've set /usr/bin/dspam to 551, 6777, 6775,
> 755, 777, 2777, 1777, 4777, and a few others, and all with the same
> error. Then I tried 2510 which is what I was using on my old RHEL4
> box. Same error as well.
>
> On 1/27/2011 11:34 PM, Frantisek Hanzlik wrote:
>> news...@acrocat.com wrote:
>>> Hi Franz -
>>>
>>> /etc/mail was:
>>> drwxr-sr-x 9 smmta smmsp
>>>
>>> /etc/mail/smrsh/
>>> drwsr-sr-x 2 root root
>>>
>>> I changed them to what you had below (755 root:root). Same error:
>>>
>>> Cannot exec /etc/mail/smrsh: Permission denied
>>> Jan 27 21:14:10 acrocatlabs sm-mta[11770]: p0QDZfKc004026:
>>> to="|/usr/bin/dspam --user global --class=spam --source=error",
>>> ctladdr=<s...@acrocat.com> (8/0), delay=1+07:38:26, xdelay=00:00:00, maile
>>>
>>> I'm really stumped on this one. If they are 755 root:root, how can root
>>> not have perms to do this?
>>>
>>> One thing I noticed:
>>> ls -la /etc/mail/smrsh
>>> drwsr-sr-x 2 root root 4096 2011-01-24 14:14 .
>>> lrwxrwxrwx 1 root root 14 2011-01-24 14:14 dspam -> /usr/bin/dspam
>>> lrwxrwxrwx 1 root root 26 2011-01-19 19:54 mail.local -> /usr/lib/sm.bin/mail.local
>>> lrwxrwxrwx 1 root root 17 2011-01-19 19:54 procmail -> /usr/bin/procmail
>>>
>>> ls -la /usr/bin/dspam
>>> -r-xr-s--- 1 root mail 258639 2011-01-26 15:25 /usr/bin/dspam
>>> ls -la /usr/bin/procmail
>>> -rwsr-sr-x 1 root mail 89176 2010-08-04 19:49 /usr/bin/procmail
>>>
>>> The actual binaries are root:mail and the links under ../smrsh are
>>> root:root... could that be the issue?
>>>
>>> Ed
>>>
>>> On 1/27/2011 10:04 PM, Frantisek Hanzlik wrote:
>>>> It looks fine...
>>>> But maybe there are bad permissions on the "/etc/mail" and "/etc/mail/smrsh"
>>>> directories themselves. You wrote in a previous mail that they are:
>>>>
>>>> ls -la /etc/mail/smrsh/
>>>> drwxr-sr-x 2 root root 4096 2011-01-24 14:14 .
>>>> drwxr-sr-x 9 smmta smmsp 4096 2011-01-26 09:06 ..
>>>>
>>>> There is a suspicious SGID bit on both directories.
>>>> Fedora has the "smrsh" directory directly under /etc, with permissions:
>>>> ls -ld /etc/smrsh
>>>> drwxr-xr-x. 2 root root 4096 21. led 00.40 /etc/smrsh
>>>>
>>>> ls -ld /etc/mail
>>>> drwxr-xr-x. 2 root root 4096 25. led 11.42 /etc/mail
>>>>
>>>> I think there isn't any reason to have SGID bits set on both these
>>>> directories; on the contrary, this may cause these problems when sendmail
>>>> does any security checks.
>>>>
>>>> Franta Hanzlik
>> Oh, I made a mistake - when sendmail calls the LDA, it is done with the
>> recipient's credentials. Thus, /usr/bin/dspam should be world runnable.
>>
>> Franta Hanzlik

I wrote a small script to uncover the alias program environment:

    #!/bin/bash
    # Log real UID, effective UID and argument count
    echo "$UID, $EUID , $#." >>/tmp/testrun
    # Log user and group identity
    id >>/tmp/testrun
    # Log the message piped in on stdin
    cat >>/tmp/testrun
    # Log the environment sendmail passes to the program
    printenv >>/tmp/testrun

which is run from /etc/aliases:

    testrun: "|/usr/local/bin/testrun --user root --class=spam --source=error"

And I discovered that the script runs as user mail (which is what
define(`confDEF_USER_ID', ``8:12'') in sendmail.mc defines (DefaultUser) -
user mail (UID=8), group mail (GID=12) on my system).

Then my only doubts are about:
- whether you have "FEATURE(`smrsh', `/usr/sbin/smrsh')" defined in your
  sendmail.mc (with the correct smrsh path).
- what the smrsh permissions are. Mine:
  ls -l /usr/sbin/smrsh
  -rwxr-xr-x. 1 root root 65656 14. zář 11.35 /usr/sbin/smrsh

Eventually, the smrsh and dspam directories should not be world-writable.
But in this case the error message would probably be different.

Franta Hanzlik

_______________________________________________
Dspam-user mailing list
Dspam-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/dspam-user
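
An added example, not part of the original thread: the checks discussed above as shell functions, covering whether the alias program is a regular file that the identity sendmail runs it as may execute, and whether a directory mode carries the SUID/SGID or world-writable bits. The helper names are hypothetical, GNU stat is assumed, and supplementary groups, ACLs and SELinux are ignored.

```shell
#!/bin/bash
# Added example (not from the thread). Helper names are hypothetical.
# Assumes GNU stat; ignores supplementary groups, ACLs and SELinux.

# can_exec MODE OWNER_UID OWNER_GID RUN_UID RUN_GID
# Succeeds if the owner/group/other mode bits grant execute to RUN_UID:RUN_GID.
can_exec() {
    local mode=$(( 0$1 ))                 # leading 0 makes the mode octal
    if   [ "$4" -eq 0 ];    then [ $(( mode & 0111 )) -ne 0 ]   # root: any x bit
    elif [ "$4" -eq "$2" ]; then [ $(( mode & 0100 )) -ne 0 ]   # owner class
    elif [ "$5" -eq "$3" ]; then [ $(( mode & 0010 )) -ne 0 ]   # group class
    else                         [ $(( mode & 0001 )) -ne 0 ]   # other class
    fi
}

# dir_findings MODE: print the mode bits the thread flags on the smrsh directories.
dir_findings() {
    local mode=$(( 0$1 )) out=""
    [ $(( mode & 04000 )) -ne 0 ] && out="$out suid"
    [ $(( mode & 02000 )) -ne 0 ] && out="$out sgid"
    [ $(( mode & 00002 )) -ne 0 ] && out="$out world-writable"
    echo "${out# }"
}

# audit_program PATH RUN_UID RUN_GID: one finding per line, no output means clean.
audit_program() {
    local p=$1 uid=$2 gid=$3
    [ -e "$p" ] || { echo "missing"; return 0; }
    [ -f "$p" ] || { echo "not-regular-file"; return 0; }  # e.g. a directory
    set -- $(stat -L -c '%a %u %g' "$p")   # -L follows the smrsh symlink
    can_exec "$1" "$2" "$3" "$uid" "$gid" || echo "not-executable-by $uid:$gid"
    [ $(( 0$1 & 0002 )) -eq 0 ] || echo "world-writable"
    return 0
}

# Modes and ids quoted in the thread; gid 12 for group mail is the Fedora value
# from the post and may differ on other systems.
can_exec 2510 0 12 8 12 && echo "dspam 2510 root:mail, run as 8:12: allowed"
can_exec 2510 0 12 8 0  || echo "dspam 2510 root:mail, run as 8:0: denied"
echo "smrsh dir drwsr-sr-x (6755): $(dir_findings 6755)"
echo "smrsh dir drwxr-xr-x (755): $(dir_findings 755)"
```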