[Mimedefang] Strange error (only on Linux)

David F. Skoll dfs at roaringpenguin.com
Thu May 23 09:14:16 EDT 2002


On Thu, 23 May 2002, James B. Huber wrote:

>    On the Solaris box, I have the /usr/local/bin/mime* (prgs)
> all set-UID "smmsp" which is the user that the non-root portion
> of sendmail runs as....works just fine on the SUN.

Stop right now.

Turn off the set-UID bits on those programs.

The MIMEDefang programs are NOT intended to run set-UID.  It is most
likely a HUGE security hole to run them like that.

> May 23 08:39:16 moses mimedefang-multiplexor: Slave 0 stderr: YOU
> HAVEN'T DISABLED SET-ID SCRIPTS IN THE KERNEL YET! FIX YOUR KERNEL, PUT
> A C WRAPPER AROUND THIS SCRIPT, OR USE -u AND UNDUMP!

That's a message from Perl itself, which is pickier on Linux than
on Solaris (probably the way the Perl executable was built, or maybe
Solaris does not support suid scripts.)

The proper way to run MIMEDefang as non-root is in the README.NONROOT in
the latest beta releases.  Here's what it says.  Note that these instructions
work only with 2.12-BETA-3 and later.

Running MIMEDefang as non-root
------------------------------

I recommend running MIMEDefang and the multiplexor as non-root.  You
should create a dedicated user for MIMEDefang.  In the examples, I'll
call this user "defang".

To run as defang:

1) Supply the "-U defang" option to mimedefang.

2) Supply the "-U defang" option to mimedefang-multiplexor.

3) Make the spool and quarantine directories owned by defang, with mode 700.

4) If you are using statistics logging in the default /var/log/mimedefang
directory, make that directory owned by defang with mode 755 or 700, depending
on your tastes.

--
David.
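An added audit script for the setup described in this reply (not code from the mail or from the MIMEDefang project): it checks that no mime* program carries a set-UID bit and that the spool and quarantine directories are owned by the MIMEDefang user with mode 700. The directory paths in the usage comment and the user name "defang" are assumptions, not values taken from the project.

```sh
#!/bin/sh
# Added example: audit the non-root MIMEDefang layout from README.NONROOT.
# Paths and the user name are passed in; the defaults at the bottom are assumed.

# Report any set-UID mime* program under the given directory.
# Returns 0 if none are found, 1 otherwise. Perl refuses to run set-UID
# scripts, and the programs are not meant to run that way in any case.
check_no_setuid() {
    bindir=$1
    found=$(find "$bindir" -name 'mime*' -type f -perm -4000 -print 2>/dev/null)
    if [ -n "$found" ]; then
        printf 'set-UID bit set on: %s\n' "$found" >&2
        return 1
    fi
    return 0
}

# Check that a spool or quarantine directory is owned by the MIMEDefang
# user with mode exactly 700 (step 3 of the quoted README).
# -prune keeps find from descending; the directory itself is what is tested.
check_private_dir() {
    dir=$1
    user=$2
    [ -d "$dir" ] || { printf 'missing directory: %s\n' "$dir" >&2; return 1; }
    ok=$(find "$dir" -prune -user "$user" -perm 700 -print 2>/dev/null)
    if [ -z "$ok" ]; then
        printf '%s is not owned by %s with mode 700\n' "$dir" "$user" >&2
        return 1
    fi
    return 0
}

# Run every check. Arguments: bindir spooldir quarantinedir user.
# Returns 0 only when all checks pass.
audit_nonroot_setup() {
    rc=0
    check_no_setuid "$1" || rc=1
    check_private_dir "$2" "$4" || rc=1
    check_private_dir "$3" "$4" || rc=1
    return $rc
}

# Stand-alone use with assumed locations (adjust to your installation):
# audit_nonroot_setup /usr/local/bin /var/spool/MIMEDefang /var/spool/MD-Quarantine defang
```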