sendmail upgrade problem? - Security


  1. sendmail upgrade problem?

    After I upgraded to 8.13.6 I get an error when I use 'mail' to send mail
    or from a cron program. The error is:

    WARNING: RunAsUser for MSP ignored, check group ids (egid=500, want=51)
    can not chdir(/var/spool/clientmqueue/): Permission denied
    Program mode requires special privileges, e.g., root or TrustedUser.

    I looked at the submit.mc and I don't see a problem:

    divert(0)dnl
    VERSIONID(`$Id: submit.mc,v 8.13 2003/09/10 22:12:48 ca Exp $')
    define(`confCF_VERSION', `Submit')dnl
    define(`__OSTYPE__',`')dnl dirty hack to keep proto.m4 from complaining
    define(`_USE_DECNET_SYNTAX_', `1')dnl support DECnet
    define(`confTIME_ZONE', `USE_TZ')dnl
    define(`confDONT_INIT_GROUPS', `True')dnl
    define(`confPID_FILE', `/var/run/sm-client.pid')dnl
    define(`confDIRECT_SUBMISSION_MODIFIERS',`C')dnl
    FEATURE(`use_ct_file')dnl
    dnl
    dnl If you use IPv6 only, change [127.0.0.1] to [IPv6:::1]
    FEATURE(`msp', `[127.0.0.1]')dnl
    define(`confRUN_AS_USER', `smmsp:smmsp')dnl

    Any Ideas? I tried it with and without the confRUN_AS_USER with no success.

    This is a RedHat 9 box.

    --
    ----------------
    Barton L. Phillips
    Applied Technology Resources, Inc.
    Tel: (818)652-9850
    Web: http://www.applitec.com

  2. Re: sendmail upgrade problem?

    Barton L. Phillips wrote:
    > After I upgraded to 8.13.6 I get an error when I use 'mail' to send mail
    > or from a cron program. The error is:
    >
    > WARNING: RunAsUser for MSP ignored, check group ids (egid=500, want=51)
    > can not chdir(/var/spool/clientmqueue/): Permission denied
    > Program mode requires special privileges, e.g., root or TrustedUser.


    Check the perms on /var/spool/clientmqueue

    >
    > I looked at the submit.mc and I don't see a problem:
    >
    > divert(0)dnl
    > VERSIONID(`$Id: submit.mc,v 8.13 2003/09/10 22:12:48 ca Exp $')
    > define(`confCF_VERSION', `Submit')dnl
    > define(`__OSTYPE__',`')dnl dirty hack to keep proto.m4 from complaining
    > define(`_USE_DECNET_SYNTAX_', `1')dnl support DECnet
    > define(`confTIME_ZONE', `USE_TZ')dnl
    > define(`confDONT_INIT_GROUPS', `True')dnl
    > define(`confPID_FILE', `/var/run/sm-client.pid')dnl
    > define(`confDIRECT_SUBMISSION_MODIFIERS',`C')dnl
    > FEATURE(`use_ct_file')dnl
    > dnl
    > dnl If you use IPv6 only, change [127.0.0.1] to [IPv6:::1]
    > FEATURE(`msp', `[127.0.0.1]')dnl
    > define(`confRUN_AS_USER', `smmsp:smmsp')dnl
    >
    > Any Ideas? I tried it with and without the confRUN_AS_USER with no success.
    >
    > This is a RedHat 9 box.
    >


  3. Re: sendmail upgrade problem?

    base60 wrote:
    > Check the perms on /var/spool/clientmqueue

    They are set according to the sendmail install to
    drwxrwx--- 2 smmsp smmsp 28K Mar 30 15:52
    var/spool/clientmqueue/

    (should be all one line above)
    If I change this with chmod o+rw then I still get warning
    WARNING: RunAsUser for MSP ignored, check group ids (egid=500, want=51)
    but the mail is sent so there is still something amiss.

    --
    ----------------
    Barton L. Phillips
    Applied Technology Resources, Inc.
    Tel: (818)652-9850
    Web: http://www.applitec.com

  4. Re: sendmail upgrade problem?

    "Barton L. Phillips" wrote in message
    news:ll1Xf.64790$dW3.50221@newssvr21.news.prodigy.com

    >> Check the perms on /var/spool/clientmqueue

    > They are set according to the sendmail install to
    > drwxrwx--- 2 smmsp smmsp 28K Mar 30 15:52
    > var/spool/clientmqueue/
    >
    > (should be all one line above)
    > If I change this with chmod o+rw then I still get warning
    > WARNING: RunAsUser for MSP ignored, check group ids (egid=500,
    > want=51) but the mail is sent so there is still something amiss.


    It's telling you something, so best to investigate the lead:

    grep smmsp /etc/group /etc/passwd
    grep RunAsUser /etc/mail/sendmail.cf

  5. Re: sendmail upgrade problem?

    Barton L. Phillips wrote:
    > base60 wrote:
    >
    >> Check the perms on /var/spool/clientmqueue

    >
    > They are set according to the sendmail install to
    > drwxrwx--- 2 smmsp smmsp 28K Mar 30 15:52
    > var/spool/clientmqueue/


    The perms look OK... but that's what it's squealing about..

    >
    > (should be all one line above)
    > If I change this with chmod o+rw then I still get warning
    > WARNING: RunAsUser for MSP ignored, check group ids (egid=500, want=51)
    > but the mail is sent so there is still something amiss.
    >


    Bad idea. You probably want to remove.


  6. Re: sendmail upgrade problem?

    ynotssor wrote:
    > "Barton L. Phillips" wrote in message
    > news:ll1Xf.64790$dW3.50221@newssvr21.news.prodigy.com
    >
    >>> Check the perms on /var/spool/clientmqueue

    >> They are set according to the sendmail install to
    >> drwxrwx--- 2 smmsp smmsp 28K Mar 30 15:52
    >> var/spool/clientmqueue/
    >>
    >> (should be all one line above)
    >> If I change this with chmod o+rw then I still get warning
    >> WARNING: RunAsUser for MSP ignored, check group ids (egid=500,
    >> want=51) but the mail is sent so there is still something amiss.

    >
    > It's telling you something, so best to investigate the lead:
    >
    > grep smmsp /etc/group /etc/passwd
    > grep RunAsUser /etc/mail/sendmail.cf

    grep smmsp /etc/passwd /etc/group
    /etc/passwd:smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
    /etc/group:smmsp:x:51:

    grep RunAsUser /etc/mail/sendmail.cf
    #O RunAsUser=sendmail
    grep RunAsUser /etc/mail/submit.cf
    O RunAsUser=smmsp:smmsp

    I think the smmsp account is correct. Isn't it the submit.cf that I am
    interested in here? The RunAsUser is correct I think in submit.cf. Do I
    need to set it in sendmail.cf? I didn't think I had to there.

    I have changed the permissions back and removed the o+rw. I would rather
    fix the real problem rather than screw up my privileges.

    --
    ----------------
    Barton L. Phillips
    Applied Technology Resources, Inc.
    Tel: (818)652-9850
    Web: http://www.applitec.com

  7. Re: sendmail upgrade problem?

    base60 wrote:
    > Barton L. Phillips wrote:
    >> base60 wrote:
    >>
    >>> Check the perms on /var/spool/clientmqueue

    >>
    >> They are set according to the sendmail install to
    >> drwxrwx--- 2 smmsp smmsp 28K Mar 30 15:52
    >> var/spool/clientmqueue/

    >
    > The perms look OK... but that's what it's squealing about..
    >
    >>
    >> (should be all one line above)
    >> If I change this with chmod o+rw then I still get warning
    >> WARNING: RunAsUser for MSP ignored, check group ids (egid=500, want=51)
    >> but the mail is sent so there is still something amiss.
    >>

    >
    > Bad idea. You probably want to remove.
    >

    Yes it was just an experiment, I have returned them to drwxrwx---. I
    want to fix the problem not screw up privileges to kinda work.

    --
    ----------------
    Barton L. Phillips
    Applied Technology Resources, Inc.
    Tel: (818)652-9850
    Web: http://www.applitec.com

  8. Re: sendmail upgrade problem?

    "Barton L. Phillips" wrote in message
    newsDeXf.7256$4L1.277@newssvr11.news.prodigy.com

    > grep smmsp /etc/passwd /etc/group
    > /etc/passwd:smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
    > /etc/group:smmsp:x:51:
    >
    > grep RunAsUser /etc/mail/sendmail.cf
    > #O RunAsUser=sendmail
    > grep RunAsUser /etc/mail/submit.cf
    > O RunAsUser=smmsp:smmsp
    >
    > I think the smmsp account is correct. Isn't it the submit.cf that I am
    > interested in here? The RunAsUser is correct I think in submit.cf. Do
    > I need to set it in sendmail.cf? I didn't think I had to there.
    >
    > I have changed the permissions back and removed the o+rw. I would
    > rather fix the real problem rather than screw up my privileges.


    It would be worth a careful examination of ${SOURCE}/sendmail/SECURITY,
    especially the recommended perms:

    --- begin quote ---
    -r-xr-sr-x root smmsp ... /PATH/TO/sendmail
    drwxrwx--- smmsp smmsp ... /var/spool/clientmqueue
    drwx------ root wheel ... /var/spool/mqueue
    -r--r--r-- root wheel ... /etc/mail/sendmail.cf
    -r--r--r-- root wheel ... /etc/mail/submit.cf

    [Notice: On some OS "wheel" is not used but "bin" or "root" instead,
    however, this is not important here.]

    That is, the owner of sendmail is root, the group is smmsp, and the binary
    is set-group-ID. The client mail queue is owned by smmsp with group smmsp
    and is group writable. The client mail queue directory must be writable by
    smmsp, but it must not be accessible for others. That is, do not use world
    read or execute permissions. In submit.cf the option UseMSP must be set,
    and QueueFileMode must be set to 0660.
    --- end quote ---

    Options should be set in *.mc of course, and the *.cf files rebuilt from
    them.


  9. Re: sendmail upgrade problem?

    ynotssor wrote:
    > --- begin quote ---
    > -r-xr-sr-x root smmsp ... /PATH/TO/sendmail
    > drwxrwx--- smmsp smmsp ... /var/spool/clientmqueue
    > drwx------ root wheel ... /var/spool/mqueue
    > -r--r--r-- root wheel ... /etc/mail/sendmail.cf
    > -r--r--r-- root wheel ... /etc/mail/submit.cf
    >
    > [Notice: On some OS "wheel" is not used but "bin" or "root" instead,
    > however, this is not important here.]
    >
    > That is, the owner of sendmail is root, the group is smmsp, and the binary
    > is set-group-ID. The client mail queue is owned by smmsp with group smmsp
    > and is group writable. The client mail queue directory must be writable by
    > smmsp, but it must not be accessible for others. That is, do not use world
    > read or execute permissions. In submit.cf the option UseMSP must be set,
    > and QueueFileMode must be set to 0660.
    > --- end quote ---
    >
    > Options should be set in *.mc of course, and the *.cf files rebuilt from
    > them.
    >

    Thanks!
    On my system the paths look like this:
    /usr/sbin/sendmail -> /etc/alternatives/mta
    /etc/alternatives/mta -> /usr/sbin/sendmail.sendmail

    I saved the original sendmail.sendmail as sendmail.sendmail.old and yes
    it has the set group while the new one I moved in does not. When I do
    chmod g+s /usr/sbin/sendmail.sendmail
    I no longer get an error and everything works OK.

    Thanks again it would have been a long time before I figured this out.

    --
    ----------------
    Barton L. Phillips
    Applied Technology Resources, Inc.
    Tel: (818)652-9850
    Web: http://www.applitec.com
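
The check that resolved this thread, written as an added example (not posted by any participant and not part of sendmail): it compares a mode string, owner and group against the permissions quoted from sendmail/SECURITY for the sendmail binary and /var/spool/clientmqueue. The function names and the sample mode strings are constructed for illustration.

```shell
#!/bin/sh
# check_msp_mode KIND MODE OWNER GROUP
#   KIND is "binary" or "clientmqueue"; MODE is the symbolic mode from `ls -ld`.
# Prints a finding and returns 1 on a mismatch with SECURITY, 0 when it matches.
check_msp_mode() {
    kind=$1 mode=$2 owner=$3 group=$4
    if [ "$group" != smmsp ]; then
        echo "$kind: group is '$group', expected smmsp"; return 1
    fi
    grp=$(printf '%s' "$mode" | cut -c5-7)     # group permission triplet
    oth=$(printf '%s' "$mode" | cut -c8-10)    # permission triplet for others
    case $kind in
    binary)
        [ "$owner" = root ] || { echo "binary: owner is '$owner', expected root"; return 1; }
        # r-s = group read, execute and set-group-ID; without the s the MSP
        # keeps the caller's egid and cannot enter the client queue.
        [ "$grp" = "r-s" ] || { echo "binary: set-group-ID missing ($mode)"; return 1; }
        ;;
    clientmqueue)
        [ "$owner" = smmsp ] || { echo "clientmqueue: owner is '$owner', expected smmsp"; return 1; }
        [ "$grp" = "rwx" ] || { echo "clientmqueue: not group writable ($mode)"; return 1; }
        [ "$oth" = "---" ] || { echo "clientmqueue: accessible to others ($mode)"; return 1; }
        ;;
    *) echo "unknown kind '$kind'"; return 2 ;;
    esac
    echo "$kind: OK ($mode $owner:$group)"
}

# audit_msp_path KIND PATH: read mode/owner/group from the filesystem.
# ls -L follows symlinks such as /usr/sbin/sendmail -> /etc/alternatives/mta.
audit_msp_path() {
    kind_arg=$1
    line=$(ls -ldL "$2" 2>/dev/null) || { echo "$1: cannot stat $2"; return 2; }
    set -- $line                     # $1=mode $3=owner $4=group
    check_msp_mode "$kind_arg" "$1" "$3" "$4"
}

# Constructed samples mirroring the thread: the replaced binary without g+s,
# the same binary after chmod g+s, and the queue after the chmod o+rw experiment.
check_msp_mode binary       -r-xr-xr-x root  smmsp || true
check_msp_mode binary       -r-xr-sr-x root  smmsp
check_msp_mode clientmqueue drwxrwxrw- smmsp smmsp || true
```

On a live system, `audit_msp_path binary /usr/sbin/sendmail` and `audit_msp_path clientmqueue /var/spool/clientmqueue` run the same checks against the installed files, which is worth repeating after any upgrade that replaces the binary.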
