Sendmail recommended permissions for apache/php server

Polytropon freebsd at edvax.de
Thu Apr 12 07:51:14 UTC 2012


On Thu, 12 Apr 2012 08:17:33 +0100, Matthew Seaman wrote:
> On 12/04/2012 02:49, Polytropon wrote:
> > On Wed, 11 Apr 2012 23:57:51 +0000, Ian Lord wrote:
> > > I then got a different error in /var/log/messages
> > > Apr 11 19:38:40 dev sendmail[41170]: NOQUEUE: SYSERR(www): can not write to queue directory /var/spool/clientmqueue/ (RunAsGid=0, required=25): Permission denied
> 
> > > I found very old threads saying to change the group of apache
> > > to "smmsp" but I doubt it's a good idea.
> 
> > No, not "change to", but you can _add_ apache (or whatever is
> > originating the error) to the smmsp group. Add it to "smmsp:*:25:"
> > in /etc/group.
> 
> You should not be changing the ownership and permissions on any of the
> directories used by sendmail(8), or the group membership of any of the
> groups used by sendmail.  Not even if you think you know what you are
> doing.  This is extremely security sensitive, and getting it wrong means
> at minimum unprivileged users can forge e-mails untraceably[*].

You're right - as long as sendmail works properly (and is invoked
by whatever means sends e-mail out of apache / PHP), the present
group settings and permissions should be okay. Sendmail will
then properly run "as the smmsp group member" which will enable
it to properly access the queue directory.
> There is no reason for apache to have any sort of write permissions to
> /var/spool/clientmqueue -- that should only be accessible to sendmail,
> and sendmail is the only program that should ever use it.

I'm not aware of why a program should directly access the mail
queues, but maybe that's a "special" PHP feature. :-)
-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
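A defender's check for the setup discussed above, added here as an example and not code from the thread or from FreeBSD: it verifies that the client queue directory and the sendmail binary still carry the expected ownership and setgid mode (the FreeBSD defaults, smmsp:smmsp 0770 for the queue and a setgid-smmsp binary), and extracts the RunAsGid/required gids from the syslog line Ian quoted. The paths and names are passed as arguments, so the defaults below are assumptions you adjust for your host.

```shell
#!/bin/sh
# Audit the sendmail client-queue setup. The SYSERR "RunAsGid=0, required=25"
# means sendmail ran with gid 0 instead of gid 25 (smmsp): the setgid bit on the
# sendmail binary was not in effect, so fixing the binary, not the queue
# directory's permissions or apache's group membership, is the right repair.

# Field helpers: parse `ls -ld`, which is portable across BSD and GNU userland.
mode_of()  { ls -ld "$1" | awk '{print $1}'; }
owner_of() { ls -ld "$1" | awk '{print $3}'; }
group_of() { ls -ld "$1" | awk '{print $4}'; }

# check_queue_dir DIR OWNER GROUP
# 0 when DIR is owned by OWNER:GROUP, group-accessible, and closed to others
# (FreeBSD default: /var/spool/clientmqueue smmsp:smmsp 0770).
check_queue_dir() {
  dir=$1; want_owner=$2; want_group=$3
  [ "$(owner_of "$dir")" = "$want_owner" ] || { echo "$dir: bad owner"; return 1; }
  [ "$(group_of "$dir")" = "$want_group" ] || { echo "$dir: bad group"; return 1; }
  m=$(mode_of "$dir")
  case "$m" in
    drwxrwx---*) return 0 ;;                  # trailing +/@/. (ACL, xattr) ok
    *) echo "$dir: mode $m is not 0770"; return 1 ;;
  esac
}

# check_setgid BIN GROUP
# 0 when BIN is group-owned by GROUP and carries the setgid bit (the "s" in
# the group execute slot), e.g. FreeBSD's /usr/libexec/sendmail/sendmail 2555.
check_setgid() {
  bin=$1; want_group=$2
  [ "$(group_of "$bin")" = "$want_group" ] || { echo "$bin: bad group"; return 1; }
  m=$(mode_of "$bin")
  case "$m" in
    -r?xr?sr?x*) return 0 ;;
    *) echo "$bin: setgid not set ($m)"; return 1 ;;
  esac
}

# queue_gid_mismatch LOGLINE -> prints "<RunAsGid> <required>" for this SYSERR,
# nothing for other lines. Useful to grep /var/log/messages for recurrences.
queue_gid_mismatch() {
  printf '%s\n' "$1" | sed -n 's/.*RunAsGid=\([0-9]*\), required=\([0-9]*\).*/\1 \2/p'
}

# Sample line, copied from the error quoted in the thread.
SAMPLE_LOG='Apr 11 19:38:40 dev sendmail[41170]: NOQUEUE: SYSERR(www): can not write to queue directory /var/spool/clientmqueue/ (RunAsGid=0, required=25): Permission denied'

# Typical run on a FreeBSD host (paths are the system defaults, assumed here):
# check_queue_dir /var/spool/clientmqueue smmsp smmsp
# check_setgid /usr/libexec/sendmail/sendmail smmsp
```

A non-zero result from either check, together with a "0 25" line from queue_gid_mismatch, points at a lost setgid bit (for example a binary reinstalled with the wrong mode or a nosuid mount), which is the condition to repair instead of widening the queue directory.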