From: Anthony Howe
Date: 2006-11-07 04:15:47 -0500
Subject: Re: ...failed to open "/etc/mail/access.db": Permission
More information..: http://www.milter.info/#Support
Quentin Campbell wrote:
> This all begs the question however as to why 'access.db' continued to be
> accessible on one set of machines and not another and why the problem
> was apparently triggered by updating milter-ahead and milter-link.
My previous message about "create then move" should have answered that.
If the access.db is created by some cron job, it will probably have the
permissions of that job (root:wheel or root:root) typically, which of
course loses the r/o smmsp group permissions recommended by sendmail
for the access.db file.
I simply assume that either the admins (if they roll their own) or
package maintainers assume a different security than what either
sendmail or I recommend.
One solution to avoid the whole issue, though not recommended, is to set
one or both of user=root or group=root options for the milters and
have them simply run as root user all the time (I refer you to a Marvin
the Martian quote http://www.dailywav.com/0600/kaboom.wav) or just as
the root/wheel group instead.
While the communications between sendmail and milter might be a local
unix domain socket, they are processing unknown content from the wild
and so buffer overflow hacks, stack busting hacks, etc. should be a concern.
My guess as to why some machines and not others is a) the already
mentioned process ownership & file permission differences across the
machines; or b) simply not every machine's access.db updates in sync with
a master copy; or c) that the milter is running as root already on some
machines so as not to be noticed; or d) if you're using NFS to make
available access.db, then you're probably facing the age-old problem
concerning differences in NFS file locking or some variant thereof.
Just some thoughts as to possible reasons.
Anthony C Howe Skype: SirWumpus SnertSoft
+33 6 11 89 73 78 AIM: SirWumpus Sendmail Milter Solutions
http://www.snert.com/ ICQ: 7116561
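
The "create then move" permission loss described in the message above, as an added example that is not part of the original post or of any milter or sendmail package. The function names are hypothetical; the group and mode are parameters (smmsp is the group the message names, and mode 0640 is an assumption for "read-only for the group").

```shell
#!/bin/sh
# Added example: rebuild-and-rename of a map file such as access.db.
# Function names are hypothetical. On a sendmail host GROUP would be smmsp;
# mode 0640 is an assumed value for "group read-only".

# Succeeds only if FILE belongs to GROUP and has the group-read bit set.
# This is the condition a milter running as a non-root user depends on.
group_can_read() {
    file=$1
    grp=$2
    [ -n "$(find "$file" -prune -group "$grp" -perm -040 2>/dev/null)" ]
}

# The pattern that loses the permissions: the temp file is created 0600
# with the creating job's group, and the rename carries that to DEST.
naive_install() {
    new=$1
    dest=$2
    tmp=$(mktemp "$(dirname "$dest")/.map.XXXXXX") || return 1
    cp "$new" "$tmp" && mv -f "$tmp" "$dest"
}

# Same create-then-move, but group and mode are set on the temp file
# before the rename, so DEST is never visible with the wrong permissions.
install_map() {
    new=$1
    dest=$2
    grp=$3
    mode=${4:-0640}
    tmp=$(mktemp "$(dirname "$dest")/.map.XXXXXX") || return 1
    if cp "$new" "$tmp" && chgrp "$grp" "$tmp" && chmod "$mode" "$tmp" \
        && mv -f "$tmp" "$dest"; then
        return 0
    fi
    rm -f "$tmp"   # do not leave a half-built map behind
    return 1
}
```

Running `group_can_read /etc/mail/access.db smmsp` after each scheduled rebuild gives a quick check that the milter's group can still open the file.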