RunAsUser for MSP ignored

hello,

i know that this problem has been covered in a number of places but after
following all the directions i still do not have a working sendmail.
well, that is not telling the full truth: sendmail works when mail is
originated from a client application (like mutt) but fails on the command
line with:

$ cat /etc/passwd | mail colliera
WARNING: RunAsUser for MSP ignored, check group ids (egid=100, want=25)
can not chdir(/var/spool/clientmqueue/): Permission denied
Program mode requires special privileges, e.g., root or TrustedUser.

now group 100 is "users" and 25 is smmsp.

i have the following two sendmail processes running:

$ ps -eo pid,uid,egid,egroup,args
 5795     0    25 smmsp    sendmail: accepting connections       
 5797    25    25 smmsp    sendmail: Queue runner@00:25:00 for /var/spool/clientmqueue

so both have effective GID of smmsp. the file/directory permissions i have
set up are:

-r-xr-sr-x  1 root smmsp 614488 2004-07-06 09:27 /usr/sbin/sendmail*
drwxrwx---  2 smmsp smmsp  80 2004-07-06 10:00 clientmqueue/
drwx------  2 root  root   48 2004-07-06 10:45 mqueue/
-r--r--r--  1 root bin   57214 2004-07-06 09:27 sendmail.cf
-r--r--r--  1 root bin   41135 2004-07-06 09:27 submit.cf

which are consistent with those prescribed in sendmail/SECURITY.

i am a bit puzzled why this is still not working as both the sendmail
processes should have access to the /var/spool/clientmqueue directory.

does anyone have any ideas?

i am using sendmail-8.13.0.

best regards,
andrew.

-- 
Andrew B. Collier
Antarctic Research Fellow                         tel: +27 31 2601157
Space Physics Research Institute                  fax: +27 31 2616550
University of KwaZulu-Natal, Durban, 4041, South Africa
0
colliera1 (5)
7/6/2004 8:56:10 AM
comp.mail.sendmail

Andrew Collier wrote:
> i know that this problem has been covered in a number of places but after
> following all the directions i still do not have a working sendmail.
> well, that is not telling the full truth: sendmail works when mail is
> originated from a client application (like mutt) but fails on the command
> line with:
> 
> $ cat /etc/passwd | mail colliera
> WARNING: RunAsUser for MSP ignored, check group ids (egid=100, want=25)
> can not chdir(/var/spool/clientmqueue/): Permission denied
> Program mode requires special privileges, e.g., root or TrustedUser.
> 
> now group 100 is "users" and 25 is smmsp.
> 
> i have the following two sendmail processes running:
> 
> $ ps -eo pid,uid,egid,egroup,args
>  5795     0    25 smmsp    sendmail: accepting connections       
>  5797    25    25 smmsp    sendmail: Queue runner@00:25:00 for /var/spool/clientmqueue
> 
> so both have effective GID of smmsp. the file/directory permissions i have
> set up are:
> 
> -r-xr-sr-x  1 root smmsp 614488 2004-07-06 09:27 /usr/sbin/sendmail*
> drwxrwx---  2 smmsp smmsp  80 2004-07-06 10:00 clientmqueue/
> drwx------  2 root  root   48 2004-07-06 10:45 mqueue/
> -r--r--r--  1 root bin   57214 2004-07-06 09:27 sendmail.cf
> -r--r--r--  1 root bin   41135 2004-07-06 09:27 submit.cf
> 
> which are consistent with those prescribed in sendmail/SECURITY.
> 
> i am a bit puzzled why this is still not working as both the sendmail
> processes should have access to the /var/spool/clientmqueue directory.
> 
> does anyone have any ideas?
> 
> i am using sendmail-8.13.0.

1) Check which sendmail binary is used by the "mail" program. It may use another 
"full path sendmail specification" [e.g. /usr/lib/sendmail ].

strings `which mail` | grep sendmail

2) Check again if all permissions are set as described in
http://www.sendmail.org/secure-install.html

-- 
Andrzej [en:Andrew] Adam Filip anfi@priv.onet.pl anfi@xl.wp.pl
http://anfi.homeunix.net/ http://slashdot.org/~anfi
*Random Epigram* :
Since when do you have to tell the enemy that he has won ?
	-- Mazer in "Ender's Game" by Orson S. Card

0
anfi (2014)
7/6/2004 10:27:00 AM
> 1) Check which sendmail binary is used by "mail" program. It may use another 
> "full path sendmail specification" [e.g. /usr/lib/sendmail ].
> 
> strings `which mail` | grep sendmail

okay, i get:

$ strings `which mail` | grep sendmail
/usr/sbin/sendmail
$ strings `which nail` | grep sendmail
/usr/sbin/sendmail

so, it is using the only sendmail binary on the system.

> 2) Check again if all permissions are set as described in
> http://www.sendmail.org/secure-install.html

the permissions are precisely as i laid out previously (those were from my
system, not copied from the documentation!).
0
colliera1 (5)
7/7/2004 6:50:09 AM

Andrew Collier <colliera@adelie.ph.und.ac.za> writes:

>$ cat /etc/passwd | mail colliera
>WARNING: RunAsUser for MSP ignored, check group ids (egid=100, want=25)
>can not chdir(/var/spool/clientmqueue/): Permission denied
>Program mode requires special privileges, e.g., root or TrustedUser.

What happens if you use

	echo " test message" | /usr/sbin/sendmail colliera

>now group 100 is "users" and 25 is smmsp.

>$ ps -eo pid,uid,egid,egroup,args
> 5795     0    25 smmsp    sendmail: accepting connections       
> 5797    25    25 smmsp    sendmail: Queue runner@00:25:00 for /var/spool/clientmqueue

>so both have effective GID of smmsp. the file/directory permissions i have
>set up are:

>-r-xr-sr-x  1 root smmsp 614488 2004-07-06 09:27 /usr/sbin/sendmail*

Is it possible that the partition containing sendmail is mounted
with a "nosuid" option?


0
nn (690)
7/7/2004 12:04:57 PM
On Wed, 07 Jul 2004 12:04:57 +0000, Neil W Rickert wrote:

> Andrew Collier <colliera@adelie.ph.und.ac.za> writes:
> 
>>$ cat /etc/passwd | mail colliera
>>WARNING: RunAsUser for MSP ignored, check group ids (egid=100, want=25)
>>can not chdir(/var/spool/clientmqueue/): Permission denied
> What happens if you use
> 
> 	echo " test message" | /usr/sbin/sendmail colliera

excellent suggestion! it works... so i just re-installed nail (ie. command
line mail tool) and now all is well.

thanks very much!

-- 
Andrew B. Collier

Antarctic Research Fellow                         tel: +27 31 2601157
Space Physics Research Institute                  fax: +27 31 2616550
University of KwaZulu-Natal, Durban, 4041, South Africa

0
colliera1 (5)
7/7/2004 12:45:54 PM
okay, this gets weirder. this works fine:

$ cat /etc/passwd | mail colliera

however, when i try to give the email a subject line:

$ cat /etc/passwd | mail colliera -s "subject"
WARNING: RunAsUser for MSP ignored, check group ids (egid=100, want=25)
can not chdir(/var/spool/clientmqueue/): Permission denied
Program mode requires special privileges, e.g., root or TrustedUser.

i get an error.

what could be causing this?

-- 
Andrew B. Collier

Antarctic Research Fellow                         tel: +27 31 2601157
Space Physics Research Institute                  fax: +27 31 2616550
University of KwaZulu-Natal, Durban, 4041, South Africa

0
colliera1 (5)
7/8/2004 6:53:29 AM

Andrew Collier <colliera@adelie.ph.und.ac.za> writes:

>however, when i try to give the email a subject line:

>$ cat /etc/passwd | mail colliera -s "subject"

The basic unix command scheme is:

	options come before arguments

Use

	cat /etc/passwd | mail -s "subject" colliera

>WARNING: RunAsUser for MSP ignored, check group ids (egid=100, want=25)
>can not chdir(/var/spool/clientmqueue/): Permission denied
>Program mode requires special privileges, e.g., root or TrustedUser.

The "mail" command is treating "-s" as an address, rather than as an
option flag.  When invoking sendmail, it sorts its addresses (as a
way of removing duplicates).  This sorting happens to put "-s"
first.  Sendmail sees the "-s" flag as an option.  It is a restricted
option.  For safety, sendmail drops its suid and sgid privileges, and
thus does not have permission to write to the queue directory.


0
nn (690)
7/8/2004 11:58:33 AM
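
The failure explained in the reply above, modelled as an added example (not part of the original thread, and not code from mail, nail or sendmail): a caller that sorts its recipients and appends them to the MTA command line, next to a caller that puts "--" in front of them. The function names are hypothetical, the fixed "-i" flag and the use of "-s" as the one restricted option are assumptions of the model, and the "--" fix relies on the getopt convention that "--" ends option parsing.

```shell
#!/bin/sh
# Model only: not code from mail/nail or sendmail. All function names are hypothetical.

# Caller as described in the thread: recipients are sorted (which also removes
# duplicates) and appended to the MTA command line. One argv element per line.
build_argv_unsafe() {
    printf '%s\n' sendmail -i            # "-i" is an assumed fixed flag
    printf '%s\n' "$@" | LC_ALL=C sort -u
}

# Hardened caller: "--" ends option parsing, so a recipient that starts
# with "-" can no longer be read as a flag.
build_argv_safe() {
    printf '%s\n' sendmail -i --
    printf '%s\n' "$@" | LC_ALL=C sort -u
}

# Stand-in for a getopt-style set-group-ID MTA. "-s" plays the restricted
# option here; seeing it makes the model give up its privileges.
mta_parse() {
    OPTIND=1
    while getopts ":is" opt "$@"; do
        case $opt in
            i) ;;
            s) echo "drop-privs:-s"; return 0 ;;
            *) echo "usage-error"; return 0 ;;
        esac
    done
    echo "keep-privs"
}

# run_model BUILDER RECIPIENT... : build argv, feed it to the model MTA.
run_model() {
    builder=$1; shift
    old_ifs=$IFS
    IFS='
'
    set -f                               # no globbing while splitting on newlines
    set -- $("$builder" "$@" | tail -n +2)   # drop argv[0]
    set +f
    IFS=$old_ifs
    mta_parse "$@"
}

# Constructed input: the words typed after "mail" in the failing command.
echo "unsafe caller: $(run_model build_argv_unsafe colliera -s subject)"
echo "safe caller:   $(run_model build_argv_safe colliera -s subject)"
echo "correct order: $(run_model build_argv_unsafe colliera)"
```

With "--" in place the stray "-s" is still handed over as a recipient and would fail as an address, but it no longer changes how the MTA treats its own privileges.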
> The basic unix command scheme is:
> 
> 	options come before arguments
> 
> Use
> 
> 	cat /etc/passwd | mail -s "subject" colliera
>
> The "mail" command is treating "-s" as an address, rather than as an
> option flag.  When invoking sendmail, it sorts its addresses (as a
> way of removing duplicates).  This sorting happens to put "-s"
> first.  Sendmail sees the "-s" flag as an option.  It is a restricted
> option.  For safety, sendmail drops its suid and sgid privileges, and
> thus does not have permission to write to the queue directory.

thank you! that is the most helpful thing anyone has told me for a very
long time!

-- 
Andrew B. Collier

Antarctic Research Fellow                         tel: +27 31 2601157
Space Physics Research Institute                  fax: +27 31 2616550
University of KwaZulu-Natal, Durban, 4041, South Africa

0
colliera1 (5)
7/8/2004 1:46:01 PM