[Mimedefang] Strange error (only on Linux)

[David F. Skoll]

On Thu, 23 May 2002, James B. Huber wrote:

>    But the point of running them SUID "smmsp" (the sendmail
> NON-root user) is that they have ZERO permissions except to
> write in their own "spool" directory (NOT sendmail's spool).

Really??  This is how my sendmail setup looks:

$ ls -ld /var/spool/clientmqueue
drwxrwx---    2 smmsp    smmsp        4096 May 23 08:21 /var/spool/clientmqueue

So a suid-smmsp program would allow writing of arbitrary files in the
clientmqueue directory.  This may not be a huge problem (after all,
that is how you submit mail), but my feeling is that files in that
directory are "trusted" by sendmail, and being able to write arbitrary
junk in the directory is probably not a good idea.

>    I'm not in a position to run "beta" code on my mailers
> so that's not an option.

OK.  2.12-final will be out soon. :-)  The "su" trick won't work
because then mimedefang and multiplexor won't have permissions to create
sockets in /var/run (unless you loosen the permission in /var/run or create
the sockets elsewhere.)

The new "-U" flag is designed to let the programs start as root (to create
the sockets), but then switch to an unpriviledged user to do actual work.

> about disabling SUID scripts in the kernel still makes no sense.
> This ISN'T the kernel, and there are very good reason to
> run programs SUID (as long as you're sure what you're doing).

Some kernels do not permit SUID scripts.  (That is, if they have to
invoke an interpreter program, they ignore SUID bits on the script.)
That's what Perl is complaining about.

Regards,

David.