RunAsUser for MSP ignored


hello,

i know that this problem has been covered in a number of places but after
following all the directions i still do not have a working sendmail.
well, that is not telling the full truth: sendmail works when mail is
originated from a client application (like mutt) but fails on the command
line with:

$ cat /etc/passwd | mail colliera
WARNING: RunAsUser for MSP ignored, check group ids (egid=100, want=25)
can not chdir(/var/spool/clientmqueue/): Permission denied
Program mode requires special privileges, e.g., root or TrustedUser.

now group 100 is "users" and 25 is smmsp.

i have the following two sendmail processes running:

$ ps -eo pid,uid,egid,egroup,args
 5795     0    25 smmsp    sendmail: accepting connections       
 5797    25    25 smmsp    sendmail: Queue runner@00:25:00 for /var/spool/clientmqueue

so both have effective GID of smmsp. the file/directory permissions i have
set up are:

-r-xr-sr-x  1 root smmsp 614488 2004-07-06 09:27 /usr/sbin/sendmail*
drwxrwx---  2 smmsp smmsp  80 2004-07-06 10:00 clientmqueue/
drwx------  2 root  root   48 2004-07-06 10:45 mqueue/
-r--r--r--  1 root bin   57214 2004-07-06 09:27 sendmail.cf
-r--r--r--  1 root bin   41135 2004-07-06 09:27 submit.cf

which are consistent with those prescribed in sendmail/SECURITY.

i am a bit puzzled why this is still not working as both the sendmail
processes should have access to the /var/spool/clientmqueue directory.

does anyone have any ideas?

i am using sendmail-8.13.0.

best regards,
andrew.

-- 
Andrew B. Collier
Antarctic Research Fellow                         tel: +27 31 2601157
Space Physics Research Institute                  fax: +27 31 2616550
University of KwaZulu-Natal, Durban, 4041, South Africa
0
Reply colliera1 (5) 7/6/2004 8:56:10 AM


Andrew Collier wrote:
> i know that this problem has been covered in a number of places but after
> following all the directions i still do not have a working sendmail.
> well, that is not telling the full truth: sendmail works when mail is
> originated from a client application (like mutt) but fails on the command
> line with:
> 
> $ cat /etc/passwd | mail colliera
> WARNING: RunAsUser for MSP ignored, check group ids (egid=100, want=25)
> can not chdir(/var/spool/clientmqueue/): Permission denied
> Program mode requires special privileges, e.g., root or TrustedUser.
> 
> now group 100 is "users" and 25 is smmsp.
> 
> i have the following two sendmail processes running:
> 
> $ ps -eo pid,uid,egid,egroup,args
>  5795     0    25 smmsp    sendmail: accepting connections       
>  5797    25    25 smmsp    sendmail: Queue runner@00:25:00 for /var/spool/clientmqueue
> 
> so both have effective GID of smmsp. the file/directory permissions i have
> set up are:
> 
> -r-xr-sr-x  1 root smmsp 614488 2004-07-06 09:27 /usr/sbin/sendmail*
> drwxrwx---  2 smmsp smmsp  80 2004-07-06 10:00 clientmqueue/
> drwx------  2 root  root   48 2004-07-06 10:45 mqueue/
> -r--r--r--  1 root bin   57214 2004-07-06 09:27 sendmail.cf
> -r--r--r--  1 root bin   41135 2004-07-06 09:27 submit.cf
> 
> which are consistent with those prescribed in sendmail/SECURITY.
> 
> i am a bit puzzled why this is still not working as both the sendmail
> processes should have access to the /var/spool/clientmqueue directory.
> 
> does anyone have any ideas?
> 
> i am using sendmail-8.13.0.

1) Check which sendmail binary is used by the "mail" program. It may use another 
"full path sendmail specification" [e.g. /usr/lib/sendmail ].

strings `which mail` | grep sendmail

2) Check again if all permissions are set as described in
http://www.sendmail.org/secure-install.html

-- 
Andrzej [en:Andrew] Adam Filip anfi@priv.onet.pl anfi@xl.wp.pl
http://anfi.homeunix.net/ http://slashdot.org/~anfi
*Random Epigram* :
Since when do you have to tell the enemy that he has won ?
	-- Mazer in "Ender's Game" by Orson S. Card

0
Reply anfi (2014) 7/6/2004 10:27:00 AM

> 1) Check which sendmail binary is used by the "mail" program. It may use another 
> "full path sendmail specification" [e.g. /usr/lib/sendmail ].
> 
> strings `which mail` | grep sendmail

okay, i get:

$ strings `which mail` | grep sendmail
/usr/sbin/sendmail
$ strings `which nail` | grep sendmail
/usr/sbin/sendmail

so, it is using the only sendmail binary on the system.

> 2) Check again if all permissions are set as described in
> http://www.sendmail.org/secure-install.html

the permissions are precisely as i laid out previously (those were from my
system, not copied from the documentation!).
0
Reply colliera1 (5) 7/7/2004 6:50:09 AM

Andrew Collier <colliera@adelie.ph.und.ac.za> writes:

>$ cat /etc/passwd | mail colliera
>WARNING: RunAsUser for MSP ignored, check group ids (egid=100, want=25)
>can not chdir(/var/spool/clientmqueue/): Permission denied
>Program mode requires special privileges, e.g., root or TrustedUser.

What happens if you use

	echo " test message" | /usr/sbin/sendmail colliera

>now group 100 is "users" and 25 is smmsp.

>$ ps -eo pid,uid,egid,egroup,args
> 5795     0    25 smmsp    sendmail: accepting connections       
> 5797    25    25 smmsp    sendmail: Queue runner@00:25:00 for /var/spool/clientmqueue

>so both have effective GID of smmsp. the file/directory permissions i have
>set up are:

>-r-xr-sr-x  1 root smmsp 614488 2004-07-06 09:27 /usr/sbin/sendmail*

Is it possible that the partition containing sendmail is mounted
with a "nosuid" option?


0
Reply nn (690) 7/7/2004 12:04:57 PM
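
The checks suggested in the replies so far (set-group-ID bit and group on the sendmail binary, mode and ownership of the client queue, a possible "nosuid" mount) can be applied to captured `ls -ld` lines and a mount-option string as follows. This is an added example, not part of any post in the thread; the function names are hypothetical and the sample lines are the ones posted above.

```shell
#!/bin/sh
# Added example: judge captured `ls -ld` output and mount options against the
# MSP layout discussed in this thread. Function names are hypothetical.

# check_binary "<ls -l line>": the sendmail binary must be set-group-ID smmsp.
check_binary() {
    read -r mode _links _owner group _rest <<EOF
$1
EOF
    case $mode in
        -??x??s*) ;;    # 7th character 's' = setgid with group execute
        *) echo "no setgid bit in $mode"; return 1 ;;
    esac
    [ "$group" = smmsp ] || { echo "group is $group, want smmsp"; return 1; }
    echo ok
}

# check_queue "<ls -ld line>": clientmqueue must be drwxrwx--- smmsp smmsp.
check_queue() {
    read -r mode _links owner group _rest <<EOF
$1
EOF
    [ "$mode" = "drwxrwx---" ] || { echo "mode is $mode, want drwxrwx---"; return 1; }
    [ "$owner" = smmsp ] && [ "$group" = smmsp ] || {
        echo "owner/group is $owner/$group, want smmsp/smmsp"; return 1; }
    echo ok
}

# mount_allows_setid "<comma-separated mount options>": fails when the
# filesystem is mounted nosuid, which makes the kernel ignore the setgid bit.
mount_allows_setid() {
    case ",$1," in
        *,nosuid,*) return 1 ;;
    esac
    return 0
}

# Sample input: the two lines posted in the thread, plus constructed mount options.
check_binary '-r-xr-sr-x  1 root smmsp 614488 2004-07-06 09:27 /usr/sbin/sendmail*'
check_queue  'drwxrwx---  2 smmsp smmsp  80 2004-07-06 10:00 clientmqueue/'
mount_allows_setid 'rw,nosuid,nodev' || echo "nosuid mount: setgid bit would be ignored"
```

On a live system the inputs would come from `ls -ld /usr/sbin/sendmail /var/spool/clientmqueue` and the option column of `mount` for the filesystem holding the binary.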

On Wed, 07 Jul 2004 12:04:57 +0000, Neil W Rickert wrote:

> Andrew Collier <colliera@adelie.ph.und.ac.za> writes:
> 
>>$ cat /etc/passwd | mail colliera
>>WARNING: RunAsUser for MSP ignored, check group ids (egid=100, want=25)
>>can not chdir(/var/spool/clientmqueue/): Permission denied
> What happens if you use
> 
> 	echo " test message" | /usr/sbin/sendmail colliera

excellent suggestion! it works... so i just re-installed nail (i.e. command
line mail tool) and now all is well.

thanks very much!

-- 
Andrew B. Collier

Antarctic Research Fellow                         tel: +27 31 2601157
Space Physics Research Institute                  fax: +27 31 2616550
University of KwaZulu-Natal, Durban, 4041, South Africa

0
Reply colliera1 (5) 7/7/2004 12:45:54 PM

okay, this gets weirder. this works fine:

$ cat /etc/passwd | mail colliera

however, when i try to give the email a subject line:

$ cat /etc/passwd | mail colliera -s "subject"
WARNING: RunAsUser for MSP ignored, check group ids (egid=100, want=25)
can not chdir(/var/spool/clientmqueue/): Permission denied
Program mode requires special privileges, e.g., root or TrustedUser.

i get an error.

what could be causing this?

-- 
Andrew B. Collier

Antarctic Research Fellow                         tel: +27 31 2601157
Space Physics Research Institute                  fax: +27 31 2616550
University of KwaZulu-Natal, Durban, 4041, South Africa

0
Reply colliera1 (5) 7/8/2004 6:53:29 AM

Andrew Collier <colliera@adelie.ph.und.ac.za> writes:

>however, when i try to give the email a subject line:

>$ cat /etc/passwd | mail colliera -s "subject"

The basic unix command scheme is:

	options come before arguments

Use

	cat /etc/passwd | mail -s "subject" colliera

>WARNING: RunAsUser for MSP ignored, check group ids (egid=100, want=25)
>can not chdir(/var/spool/clientmqueue/): Permission denied
>Program mode requires special privileges, e.g., root or TrustedUser.

The "mail" command is treating "-s" as an address, rather than as an
option flag.  When invoking sendmail, it sorts its addresses (as a
way of removing duplicates).  This sorting happens to put "-s"
first.  Sendmail sees the "-s" flag as an option.  It is a restricted
option.  For safety, sendmail drops its suid and sgid privileges, and
thus does not have permission to write to the queue directory.


0
Reply nn (690) 7/8/2004 11:58:33 AM
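
The argument handling described in the reply above, modelled in shell next to a stricter caller. This is an added example, not part of any post and not code from any mail program; the function names are hypothetical, the sort-and-de-duplicate step is a model of the description, and the use of `--` assumes the sendmail binary parses its options getopt-style.

```shell
#!/bin/sh
# Added example: why a dash-leading "address" reaches sendmail as an option,
# and how a caller can prevent it. Function names are hypothetical.

# looks_like_option WORD: true if an option parser would treat WORD as a flag.
looks_like_option() {
    case $1 in
        -*) return 0 ;;
    esac
    return 1
}

# legacy_argv WORD...: model of the behaviour described above. Every word is
# taken as an address, sorted in byte order with duplicates removed, and
# passed to sendmail unchanged (printed here one argument per line).
legacy_argv() {
    printf '%s\n' "$@" | LC_ALL=C sort -u
}

# safe_argv RCPT...: refuse recipients that start with '-' and emit "--"
# before the addresses so that option parsing stops there
# (assumption: getopt-style parsing in the sendmail binary).
safe_argv() {
    for rcpt in "$@"; do
        if looks_like_option "$rcpt"; then
            echo "refusing recipient '$rcpt': would be parsed as an option" >&2
            return 1
        fi
    done
    printf '%s\n' --
    printf '%s\n' "$@" | LC_ALL=C sort -u
}

# Constructed input: the words left over on the failing command line,
# mail colliera -s "subject", once they are all taken as addresses.
first=$(legacy_argv colliera -s subject | head -n 1)
looks_like_option "$first" && echo "legacy caller: sendmail sees '$first' as an option"
safe_argv colliera -s subject || echo "hardened caller: rejected before sendmail runs"
```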

> The basic unix command scheme is:
> 
> 	options come before arguments
> 
> Use
> 
> 	cat /etc/passwd | mail -s "subject" colliera
>
> The "mail" command is treating "-s" as an address, rather than as an
> option flag.  When invoking sendmail, it sorts its addresses (as a
> way of removing duplicates).  This sorting happens to put "-s"
> first.  Sendmail sees the "-s" flag as an option.  It is a restricted
> option.  For safety, sendmail drops its suid and sgid privileges, and
> thus does not have permission to write to the queue directory.

thank you! that is the most helpful thing anyone has told me for a very
long time!

-- 
Andrew B. Collier

Antarctic Research Fellow                         tel: +27 31 2601157
Space Physics Research Institute                  fax: +27 31 2616550
University of KwaZulu-Natal, Durban, 4041, South Africa

0
Reply colliera1 (5) 7/8/2004 1:46:01 PM
comp.mail.sendmail 13424 articles. 2 followers. Post
