Sendmail recommended permissions for apache/php server
Polytropon
freebsd at edvax.de
Thu Apr 12 07:51:14 UTC 2012
On Thu, 12 Apr 2012 08:17:33 +0100, Matthew Seaman wrote:
> On 12/04/2012 02:49, Polytropon wrote:
> > On Wed, 11 Apr 2012 23:57:51 +0000, Ian Lord wrote:
> >> > I then got a different error in /var/log/messages
> >> > Apr 11 19:38:40 dev sendmail[41170]: NOQUEUE: SYSERR(www): can not write to queue directory /var/spool/clientmqueue/ (RunAsGid=0, required=25): Permission denied
>
> >> > I found very old threads saying to change the group of apache
> >> > to "smmsp" but I doubt it's a good idea.
>
> > No, not "change to", but you can _add_ apache (or whatever is
> > originating the error) to the smmsp group. Add it to "smmsp:*:25:"
> > in /etc/group.
>
> You should not be changing the ownership and permissions on any of the
> directories used by sendmail(8), or the group membership of any of the
> groups used by sendmail. Not even if you think you know what you are
> doing. This is extremely security sensitive, and getting it wrong means
> at minimum unprivileged users can forge e-mails untraceably[*].
You're right - as long as sendmail works properly (and is invoked
by whatever means sends e-mail out of apache / PHP), the present
group settings and permissions should be okay. Sendmail will
then properly run "as the smmsp group member" which will enable
it to properly access the queue directory.
> There is no reason for apache to have any sort of write permissions to
> /var/spool/clientmqueue -- that should only be accessible to sendmail,
> and sendmail is the only program that should ever use it.
I'm not aware of why a program should directly access the mail
queues, but maybe that's a "special" PHP feature. :-)
--
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
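
The two checks this thread turns on, as an added example that is not part of the original messages: POSIX sh helpers that parse the quoted SYSERR line and list any accounts that have been added to the smmsp group in a group(5)-format file. The function names and the sample group file are constructed for illustration; the log line is the one quoted above.

```shell
#!/bin/sh
# Added example, not from the thread. Helper names are hypothetical.

# Print the members listed for group $1 in group(5)-format file $2, one per line.
group_members() {
    awk -F: -v g="$1" '$1 == g && $4 != "" {
        n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' "$2"
}

# Print the name of the group with numeric gid $1 in group file $2.
gid_name() {
    awk -F: -v id="$1" '$3 == id { print $1; exit }' "$2"
}

# Read log lines on stdin; for each queue-directory SYSERR print
# "user run_gid required_gid".
parse_queue_syserr() {
    sed -n 's/.*SYSERR(\([^)]*\)): can not write to queue directory .*(RunAsGid=\([0-9]*\), required=\([0-9]*\)).*/\1 \2 \3/p'
}

# Return 1 and list the accounts if anything has been added to smmsp in file $1.
audit_smmsp() {
    members=$(group_members smmsp "$1")
    if [ -n "$members" ]; then
        echo "smmsp has extra members (they can write the submission queue directly):"
        echo "$members" | sed 's/^/  /'
        return 1
    fi
    echo "smmsp has no extra members"
}

# Demo: constructed group file, plus the log line quoted in the thread.
demo() {
    tmp=$(mktemp) || return 1
    printf '%s\n' 'wheel:*:0:root' 'smmsp:*:25:www' > "$tmp"
    log='Apr 11 19:38:40 dev sendmail[41170]: NOQUEUE: SYSERR(www): can not write to queue directory /var/spool/clientmqueue/ (RunAsGid=0, required=25): Permission denied'
    set -- $(printf '%s\n' "$log" | parse_queue_syserr)
    echo "user=$1 gid=$2 ($(gid_name "$2" "$tmp")) required=$3 ($(gid_name "$3" "$tmp"))"
    audit_smmsp "$tmp"; rc=$?
    rm -f "$tmp"
    return $rc
}
demo || echo "audit reported findings"
```

On a real host, pass /etc/group as the file argument to audit_smmsp and feed /var/log/messages to parse_queue_syserr.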