[milters] Archive

Lists Index Date Thread Search

Article: 1236
From: Anthony Howe
Date: 2006-11-07 04:15:47 -0500
Subject: Re: ...failed to open "/etc/mail/access.db": Permission

Removal...........: milters-request@milter.info?subject=remove
More information..: http://www.milter.info/#Support

Quentin Campbell wrote:
> This all begs the question however as to why 'access.db' continued to be
> accessible on one set of machines and not another and why the problem
> was apparently triggered by updating milter-ahead and milter-link.

My previous message about "create then move" should have answered that. 
If the access.db is created by some cron job, it will probably have the 
permissions of that job (root:wheel or root:root) typically, which of 
course looses the r/o smmsp group permissions recommended by sendmail 
for the access.db file.

I simply assume that either the admins (if they role their own) or 
package maintainers assume a different security than what either 
sendmail or I recommend.

One solution to avoid the whole issue, though not recommended, is to set 
  one or both of user=root or group=root options for the milters and 
have them simply run as root user all the time (I refer you to a Marvin 
the Martian quote http://www.dailywav.com/0600/kaboom.wav) or just as 
the root/wheel group instead.

While the communications between sendmail and milter might be a local 
unix domain socket, they are processing unknown content from the wild 
and so buffer overflow hacks, stack busting hack, etc. should be a concern.

My guess as to why some machines and not others is a) the already 
mentioned process ownership & file permission differences across the 
machines; or b) simply not ever machine's access.db updates in sync with 
a master copy; or c) that the milter is running as root already on some 
machines so as not to be noticed; or d) if you're using NFS to make 
available access.db, then you're probably facing the age old problem 
concerning differences in NFS file locking or some variant there of.

Just some thoughts as to possible reasons.

Anthony C Howe          Skype: SirWumpus                    SnertSoft
+33 6 11 89 73 78         AIM: SirWumpus    Sendmail Milter Solutions
http://www.snert.com/     ICQ: 7116561

Lists Index Date Thread Search