RunAsUser for MSP ignored

hello,

i know that this problem has been covered in a number of places but after
following all the directions i still do not have a working sendmail.
well, that is not telling the full truth: sendmail works when mail is
originated from a client application (like mutt) but fails on the command
line with:

$ cat /etc/passwd | mail colliera
WARNING: RunAsUser for MSP ignored, check group ids (egid=100, want=25)
can not chdir(/var/spool/clientmqueue/): Permission denied
Program mode requires special privileges, e.g., root or TrustedUser.

now group 100 is "users" and 25 is smmsp.

i have the following two sendmail processes running:

$ ps -eo pid,uid,egid,egroup,args
 5795     0    25 smmsp    sendmail: accepting connections       
 5797    25    25 smmsp    sendmail: Queue runner@00:25:00 for /var/spool/clientmqueue

so both have effective GID of smmsp. the file/directory permissions i have
set up are:

-r-xr-sr-x  1 root smmsp 614488 2004-07-06 09:27 /usr/sbin/sendmail*
drwxrwx---  2 smmsp smmsp  80 2004-07-06 10:00 clientmqueue/
drwx------  2 root  root   48 2004-07-06 10:45 mqueue/
-r--r--r--  1 root bin   57214 2004-07-06 09:27 sendmail.cf
-r--r--r--  1 root bin   41135 2004-07-06 09:27 submit.cf

which are consistent with those prescribed in sendmail/SECURITY.

i am a bit puzzled why this is still not working as both the sendmail
processes should have access to the /var/spool/clientmqueue directory.

does anyone have any ideas?

i am using sendmail-8.13.0.

best regards,
andrew.

-- 
Andrew B. Collier
Antarctic Research Fellow                         tel: +27 31 2601157
Space Physics Research Institute                  fax: +27 31 2616550
University of KwaZulu-Natal, Durban, 4041, South Africa
colliera1 (5)
7/6/2004 8:56:10 AM

Andrew Collier wrote:
> i know that this problem has been covered in a number of places but after
> following all the directions i still do not have a working sendmail.
> well, that is not telling the full truth: sendmail works when mail is
> originated from a client application (like mutt) but fails on the command
> line with:
> 
> $ cat /etc/passwd | mail colliera
> WARNING: RunAsUser for MSP ignored, check group ids (egid=100, want=25)
> can not chdir(/var/spool/clientmqueue/): Permission denied
> Program mode requires special privileges, e.g., root or TrustedUser.
> 
> now group 100 is "users" and 25 is smmsp.
> 
> i have the following two sendmail processes running:
> 
> $ ps -eo pid,uid,egid,egroup,args
>  5795     0    25 smmsp    sendmail: accepting connections       
>  5797    25    25 smmsp    sendmail: Queue runner@00:25:00 for /var/spool/clientmqueue
> 
> so both have effective GID of smmsp. the file/directory permissions i have
> set up are:
> 
> -r-xr-sr-x  1 root smmsp 614488 2004-07-06 09:27 /usr/sbin/sendmail*
> drwxrwx---  2 smmsp smmsp  80 2004-07-06 10:00 clientmqueue/
> drwx------  2 root  root   48 2004-07-06 10:45 mqueue/
> -r--r--r--  1 root bin   57214 2004-07-06 09:27 sendmail.cf
> -r--r--r--  1 root bin   41135 2004-07-06 09:27 submit.cf
> 
> which are consistent with those prescribed in sendmail/SECURITY.
> 
> i am a bit puzzled why this is still not working as both the sendmail
> processes should have access to the /var/spool/clientmqueue directory.
> 
> does anyone have any ideas?
> 
> i am using sendmail-8.13.0.

1) Check which sendmail binary is used by "mail" program. It may use another 
"full path sendmail specification" [e.g. /usr/lib/sendmail ].

strings `which mail` | grep sendmail

2) Check again if all permissions are set as described in
http://www.sendmail.org/secure-install.html

-- 
Andrzej [en:Andrew] Adam Filip anfi@priv.onet.pl anfi@xl.wp.pl
http://anfi.homeunix.net/ http://slashdot.org/~anfi
*Random Epigram* :
Since when do you have to tell the enemy that he has won ?
	-- Mazer in "Ender's Game" by Orson S. Card

anfi (2014)
7/6/2004 10:27:00 AM
> 1) Check which sendmail binary is used by "mail" program. It may use another 
> "full path sendmail specification" [e.g. /usr/lib/sendmail ].
> 
> strings `which mail` | grep sendmail

okay, i get:

$ strings `which mail` | grep sendmail
/usr/sbin/sendmail
$ strings `which nail` | grep sendmail
/usr/sbin/sendmail

so, it is using the only sendmail binary on the system.

> 2) Check again if all permissions are set as described in
> http://www.sendmail.org/secure-install.html

the permissions are precisely as i laid out previously (those were from my
system, not copied from the documentation!).
colliera1 (5)
7/7/2004 6:50:09 AM

Andrew Collier <colliera@adelie.ph.und.ac.za> writes:

>$ cat /etc/passwd | mail colliera
>WARNING: RunAsUser for MSP ignored, check group ids (egid=100, want=25)
>can not chdir(/var/spool/clientmqueue/): Permission denied
>Program mode requires special privileges, e.g., root or TrustedUser.

What happens if you use

	echo " test message" | /usr/sbin/sendmail colliera

>now group 100 is "users" and 25 is smmsp.

>$ ps -eo pid,uid,egid,egroup,args
> 5795     0    25 smmsp    sendmail: accepting connections       
> 5797    25    25 smmsp    sendmail: Queue runner@00:25:00 for /var/spool/clientmqueue

>so both have effective GID of smmsp. the file/directory permissions i have
>set up are:

>-r-xr-sr-x  1 root smmsp 614488 2004-07-06 09:27 /usr/sbin/sendmail*

Is it possible that the partition containing sendmail is mounted
with a "nosuid" option?

nn (690)
7/7/2004 12:04:57 PM
On Wed, 07 Jul 2004 12:04:57 +0000, Neil W Rickert wrote:

> Andrew Collier <colliera@adelie.ph.und.ac.za> writes:
> 
>>$ cat /etc/passwd | mail colliera
>>WARNING: RunAsUser for MSP ignored, check group ids (egid=100, want=25)
>>can not chdir(/var/spool/clientmqueue/): Permission denied
> What happens if you use
> 
> 	echo " test message" | /usr/sbin/sendmail colliera

excellent suggestion! it works... so i just re-installed nail (ie. command
line mail tool) and now all is well.

thanks very much!

-- 
Andrew B. Collier

Antarctic Research Fellow                         tel: +27 31 2601157
Space Physics Research Institute                  fax: +27 31 2616550
University of KwaZulu-Natal, Durban, 4041, South Africa

colliera1 (5)
7/7/2004 12:45:54 PM
okay, this gets weirder. this works fine:

$ cat /etc/passwd | mail colliera

however, when i try to give the email a subject line:

$ cat /etc/passwd | mail colliera -s "subject"
WARNING: RunAsUser for MSP ignored, check group ids (egid=100, want=25)
can not chdir(/var/spool/clientmqueue/): Permission denied
Program mode requires special privileges, e.g., root or TrustedUser.

i get an error.

what could be causing this?

-- 
Andrew B. Collier

Antarctic Research Fellow                         tel: +27 31 2601157
Space Physics Research Institute                  fax: +27 31 2616550
University of KwaZulu-Natal, Durban, 4041, South Africa

colliera1 (5)
7/8/2004 6:53:29 AM

Andrew Collier <colliera@adelie.ph.und.ac.za> writes:

>however, when i try to give the email a subject line:

>$ cat /etc/passwd | mail colliera -s "subject"

The basic unix command scheme is:

	options come before arguments

Use

	cat /etc/passwd | mail -s "subject" colliera

>WARNING: RunAsUser for MSP ignored, check group ids (egid=100, want=25)
>can not chdir(/var/spool/clientmqueue/): Permission denied
>Program mode requires special privileges, e.g., root or TrustedUser.

The "mail" command is treating "-s" as an address, rather than as an
option flag.  When invoking sendmail, it sorts its addresses (as a
way of removing duplicates).  This sorting happens to put "-s"
first.  Sendmail sees the "-s" flag as an option.  It is a restricted
option.  For safety, sendmail drops its suid and sgid privileges, and
thus does not have permission to write to the queue directory.

nn (690)
7/8/2004 11:58:33 AM
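
The failure explained in the reply above, as an added example that is not part of the original thread: it models a client that de-duplicates recipients by sorting, shows why an option-like token ends up first, and builds an MTA argument vector that cannot be misparsed. The function names are hypothetical, the byte-wise sort is an assumption about how the client orders addresses, and the input is constructed from the command in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from sendmail/nail.

# sorted_recipients: emulate a mail client that removes duplicate
# recipients by sorting them (assumed byte-wise ordering). In the C
# locale "-" (0x2d) sorts before every letter and digit, so a token
# such as "-s" always ends up first.
sorted_recipients() {
    printf '%s\n' "$@" | LC_ALL=C sort -u
}

# option_like: print each recipient that a getopt-style parser in the
# MTA would read as an option flag instead of an address.
option_like() {
    for r in "$@"; do
        case $r in
            -*) printf '%s\n' "$r" ;;
        esac
    done
}

# mta_argv: print, one element per line, the argument vector a careful
# caller hands to the MTA: its own options first, then "--" to end
# option parsing, then the recipients. Option-like recipients are
# refused outright rather than passed through.
mta_argv() {
    mta=$1
    shift
    bad=$(option_like "$@")
    if [ -n "$bad" ]; then
        printf 'refusing option-like recipient: %s\n' "$bad" >&2
        return 1
    fi
    printf '%s\n' "$mta" -i -- "$@"
}

# Constructed input mirroring: mail colliera -s "subject"
sorted_recipients colliera -s subject
```

Any script that passes user-supplied addresses to `/usr/sbin/sendmail` benefits from the same `--` separator, since a restricted option in the recipient list makes the set-group-ID binary give up the privileges it needs for the client queue.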
> The basic unix command scheme is:
> 
> 	options come before arguments
> 
> Use
> 
> 	cat /etc/passwd | mail -s "subject" colliera
>
> The "mail" command is treating "-s" as an address, rather than as an
> option flag.  When invoking sendmail, it sorts its addresses (as a
> way of removing duplicates).  This sorting happens to put "-s"
> first.  Sendmail sees the "-s" flag as an option.  It is a restricted
> option.  For safety, sendmail drops its suid and sgid privileges, and
> thus does not have permission to write to the queue directory.

thank you! that is the most helpful thing anyone has told me for a very
long time!

-- 
Andrew B. Collier

Antarctic Research Fellow                         tel: +27 31 2601157
Space Physics Research Institute                  fax: +27 31 2616550
University of KwaZulu-Natal, Durban, 4041, South Africa

colliera1 (5)
7/8/2004 1:46:01 PM