[Mimedefang] Strange error (only on Linux)
James B. Huber
jbh at gencon.com
Thu May 23 09:31:27 EDT 2002
But the point of running them SUID "smmsp" (the sendmail
NON-root user) is that they have ZERO permissions except to
write in their own "spool" directory (NOT sendmail's spool).
This is in accordence with how Sendmail says to setup their
programs and ANY milters etc and is done expressly to
I'm not in a position to run "beta" code on my mailers
so that's not an option. I could "su -c mulpiplexor .....opts....
USER" if that would make Perl happy....although why Perl is beefing
about disabling SUID scripts in the kernel still makes no sense.
This ISN'T the kernel, and there are very good reason to
run programs SUID (as long as you're sure what you're doing).
So are you telling me this is "Perl" doing this on it's own ?
Hmmm, it doesn't beef about it on me SUN box (same 5.6.1 perl)
perhaps I need to rebuild perl from source and ditch the RH
RPM of it ?
On 2002.05.23 09:14 David F. Skoll wrote:
> On Thu, 23 May 2002, James B. Huber wrote:
> > On the Solaris box, I have the /usr/local/bin/mime* (prgs)
> > all set-UID "smmsp" which is the user that the non-root portion
> > of sendmail runs as....works just fine on the SUN.
> Stop right now.
> Turn of the set-UID bits on those programs.
> The MIMEDefang programs are NOT intended to run set-UID. It is most
> likely a HUGE security hole to run them like that.
> > May 23 08:39:16 moses mimedefang-multiplexor: Slave 0 stderr: YOU
> > HAVEN'T DISABLED SET-ID SCRIPTS IN THE KERNEL YET! FIX YOUR KERNEL,
> > A C WRAPPER AROUND THIS SCRIPT, OR USE -u AND UNDUMP!
> That's a message from Perl itself, which is pickier on Linux than
> on Solaris (probably the way the Perl executable was built, or maybe
> Solaris does not support suid scripts.)
> The proper way to run MIMEDefang as non-root is in the README.NONROOT
> the latest beta releases. Here's what it says. Note that these
> work only with 2.12-BETA-3 and later.
> Running MIMEDefang as non-root
> I recommend running MIMEDefang and the multiplexor as non-root. You
> should create a dedicated user for MIMEDefang. In the examples, I'll
> call this user "defang".
> To run as defang:
> 1) Supply the "-U defang" option to mimedefang.
> 2) Supply the "-U defang" option to mimedefang-multiplexor.
> 3) Make the spool and quarantine directories owned by defang, with
> mode 700.
> 4) If you are using statistics logging in the default
> directory, make that directory owned by defang with mode 755 or 700,
> on your tastes.
> MIMEDefang mailing list
> MIMEDefang at lists.roaringpenguin.com
James B. Huber jbh at gencon.com
More information about the MIMEDefang