Cyrus-SASL + sendmail 8.12.9 + "group writable file"

Scot W. Hetzel hetzels at westbend.net
Sat May 3 09:17:48 PDT 2003


From: "Hajimu UMEMOTO" <ume at mahoroba.org>
> >>>>> "Scot W. Hetzel" <hetzels at westbend.net> said:
>
> hetzels> From: "David Babler" <dbabler at rigel.orionsys.com>
> > Basic problem: sendmail errors with permissions/ownerships on
> > /usr/local/etc/sasldb
> >
> > Symptom:
> >  maillog entry "error: safesasl(/usr/local/etc/sasldb) failed: Group
> > readable file"
> >
> >
> hetzels> We found the problem, the initial sendmail mail submission program was
> hetzels> causing these errors to occur when sending mail from the local system.  To
>
So far I could only duplicate this problem when using PINE (mail/pine4) to
send the e-mail.  I was unable to get the problem to occur with the mail or
sendmail commands.  I also tried telnetting to ports 25 & 587 to send a test
message and the problem didn't occur either (I didn't use the AUTH mech
command, as I wasn't sure how to enter the user name & password for the
PLAIN or LOGIN mechs).

> Though I'm using SASL2 and not tested SASL1, I cannot see such
> problem.  I think that MSP doesn't see sasldb2? unless you do enable
> SMTP AUTH in submit.mc, and you don't need to have such configuration
> by MSP.
>
No changes were made to the [freebsd.,]submit.mc files as installed from the
FreeBSD sources.

> hetzels> solve this problem you need to put the following into the submit.mc file
> hetzels> that you use on your system (i.e. freebsd.submit.mc):
>
> hetzels>     define(`confRUN_AS_USER',`smmsp:mail')dnl
>
> This is odd.  The sendmail binary is not setuid to root, anymore.  I
> believe sendmail as MSP cannot change its user unless invoking from
> root.
>
The feature/msp.m4 file by default defines confRUN_AS_USER to the smmsp
user, we needed to add the group 'mail' so that we wouldn't get a permission
error on the sasldb file, since this file is set cyrus:mail and perms 640.
This is the only reason for specifying group mail.

Scot
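
An added example, not part of the original message and not sendmail or Cyrus-SASL code: it models only the ordinary Unix read check behind the last paragraph, for a sasldb owned cyrus:mail with mode 640 and a process run as smmsp:smmsp versus smmsp:mail. The numeric ids are constructed, and sendmail's own safesasl file check is not modelled.

```python
import stat

def can_read(file_uid, file_gid, mode, proc_uid, proc_gids):
    """Unix read check: the first matching class (owner, group, other)
    decides the result. The root bypass is not modelled."""
    if proc_uid == file_uid:
        return bool(mode & stat.S_IRUSR)
    if file_gid in proc_gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)

def exposure(mode):
    """Name the permission bits that go beyond owner-only access."""
    bits = [(stat.S_IRGRP, "group readable"), (stat.S_IWGRP, "group writable"),
            (stat.S_IROTH, "world readable"), (stat.S_IWOTH, "world writable")]
    return [name for bit, name in bits if mode & bit]

# Constructed ids for illustration; real values come from /etc/passwd
# and /etc/group on the host being checked.
IDS = {"cyrus": 60, "smmsp": 25, "mail": 6}

# The sasldb ownership and mode stated in the message: cyrus:mail, 640.
SASLDB = {"file_uid": IDS["cyrus"], "file_gid": IDS["mail"], "mode": 0o640}

def check(run_as_user, run_as_group):
    """Can a process with this user and single group read the sasldb?"""
    return can_read(proc_uid=IDS[run_as_user],
                    proc_gids={IDS[run_as_group]}, **SASLDB)

if __name__ == "__main__":
    for user, group in [("smmsp", "smmsp"), ("smmsp", "mail")]:
        verdict = "can read" if check(user, group) else "permission denied"
        print(f"{user}:{group} -> {verdict}")
    print("bits beyond owner-only on 0640:", exposure(SASLDB["mode"]))
```

Mode 640 is what lets smmsp:mail read the file, and it is also the "group readable" bit named in the maillog symptom quoted above.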


