Date: Thu, 12 Apr 2012 09:51:09 +0200
From: Polytropon <freebsd@edvax.de>
To: Matthew Seaman
Cc: freebsd-questions@freebsd.org
Subject: Re: Sendmail recommended permissions for apache/php server
Message-Id: <20120412095109.63ce0715.freebsd@edvax.de>
In-Reply-To: <4F86818D.8000402@FreeBSD.org>
References: <20120412034932.b6b7de0a.freebsd@edvax.de> <4F86818D.8000402@FreeBSD.org>
Organization: EDVAX
X-Mailer: Sylpheed 3.1.1 (GTK+ 2.24.5; i386-portbld-freebsd8.2)
List-Id: User questions <freebsd-questions@freebsd.org>

On Thu, 12 Apr 2012 08:17:33 +0100, Matthew Seaman wrote:
> On 12/04/2012 02:49, Polytropon wrote:
> > On Wed, 11 Apr 2012 23:57:51 +0000, Ian Lord wrote:
> > > I then got a different error in /var/log/messages
> > > Apr 11 19:38:40 dev sendmail[41170]: NOQUEUE: SYSERR(www): can not write to queue directory /var/spool/clientmqueue/ (RunAsGid=0, required=25): Permission denied
> > >
> > > I found very old threads saying to change the group of apache
> > > to "smmsp" but I doubt it's a good idea.
> >
> > No, not "change to", but you can _add_ apache (or whatever is
> > originating the error) to the smmsp group. Add it to "smmsp:*:25:"
> > in /etc/group.
>
> You should not be changing the ownership and permissions on any of the
> directories used by sendmail(8), or the group membership of any of the
> groups used by sendmail. Not even if you think you know what you are
> doing. This is extremely security sensitive, and getting it wrong means
> at minimum unprivileged users can forge e-mails untraceably[*].

You're right - as long as sendmail works properly (and is invoked by
whatever means sends e-mail out of apache / PHP), the present group
settings and permissions should be okay. Sendmail will then properly
run "as the smmsp group member", which will enable it to properly
access the queue directory.

> There is no reason for apache to have any sort of write permissions to
> /var/spool/clientmqueue -- that should only be accessible to sendmail,
> and sendmail is the only program that should ever use it.

I'm not aware of why a program should directly access the mail queues,
but maybe that's a "special" PHP feature. :-)

-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
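An added example, not part of the thread or of FreeBSD's own tooling: a small audit script that checks the setup Matthew describes before anyone touches permissions or group membership. It assumes the stock FreeBSD layout (queue directory /var/spool/clientmqueue owned smmsp:smmsp mode 0770, submission binary /usr/libexec/sendmail/sendmail owned root:smmsp with the setgid bit, and an /etc/group line "smmsp:*:25:" with no extra members); the pure functions take their input as arguments so they can be exercised offline, and the sample log line is the one Ian Lord posted.

```shell
#!/bin/sh
# Added example (not from the thread): audit the sendmail client-queue setup
# the way a defender would, instead of loosening permissions to make an
# error go away. Assumed FreeBSD defaults:
#   /var/spool/clientmqueue         smmsp:smmsp  mode 0770
#   /usr/libexec/sendmail/sendmail  root:smmsp   mode 2555 (setgid smmsp)
#   /etc/group                      "smmsp:*:25:" with no extra members

# The log line from the thread, kept here as sample input for parse_syserr.
SAMPLE_LOG='Apr 11 19:38:40 dev sendmail[41170]: NOQUEUE: SYSERR(www): can not write to queue directory /var/spool/clientmqueue/ (RunAsGid=0, required=25): Permission denied'

# check_queue_dir MODE OWNER GROUP
# Returns 0 when the queue directory is smmsp:smmsp 0770 (a leading 0 in MODE
# is accepted). Anything wider lets unprivileged users tamper with the queue.
check_queue_dir() {
    [ "$2" = smmsp ] && [ "$3" = smmsp ] && [ "$1" -eq 770 ] 2>/dev/null
}

# check_sendmail_bin MODE OWNER GROUP
# Returns 0 when the submission binary is root:smmsp with the setgid bit
# (mode 2555). Without setgid, sendmail keeps the caller's gid and cannot
# write the queue, which is exactly what "RunAsGid=0, required=25" reports.
check_sendmail_bin() {
    [ "$2" = root ] && [ "$3" = smmsp ] && [ "$1" -eq 2555 ] 2>/dev/null
}

# smmsp_group_members GROUPLINE
# Prints the member list (4th field) of an /etc/group line. Empty is the
# expected result: no service account (www, apache, ...) belongs in smmsp.
smmsp_group_members() {
    printf '%s\n' "$1" | cut -d: -f4
}

# parse_syserr LOGLINE
# Pulls the gid sendmail actually ran with and the gid the queue requires out
# of a "SYSERR(...): can not write to queue directory" line.
parse_syserr() {
    got=$(printf '%s\n' "$1" | sed -n 's/.*RunAsGid=\([0-9]*\).*/\1/p')
    req=$(printf '%s\n' "$1" | sed -n 's/.*required=\([0-9]*\).*/\1/p')
    printf 'got=%s required=%s\n' "$got" "$req"
}

# mode_owner_group PATH
# Prints "MODE OWNER GROUP" using BSD stat(1) where available (FreeBSD),
# falling back to GNU stat elsewhere.
mode_owner_group() {
    if out=$(stat -f '%OMp%OLp %Su %Sg' "$1" 2>/dev/null); then
        printf '%s\n' "$out"
    else
        stat -c '%a %U %G' "$1"
    fi
}

# audit_live_system: run the checks against the real filesystem and /etc/group.
audit_live_system() {
    dir=/var/spool/clientmqueue
    bin=/usr/libexec/sendmail/sendmail
    if [ -d "$dir" ]; then
        set -- $(mode_owner_group "$dir")
        if check_queue_dir "$1" "$2" "$3"; then
            echo "OK   $dir is $1 $2:$3"
        else
            echo "WARN $dir is $1 $2:$3, expected 0770 smmsp:smmsp"
        fi
    fi
    if [ -f "$bin" ]; then
        set -- $(mode_owner_group "$bin")
        if check_sendmail_bin "$1" "$2" "$3"; then
            echo "OK   $bin is $1 $2:$3"
        else
            echo "WARN $bin is $1 $2:$3, expected 2555 root:smmsp"
        fi
    fi
    members=$(smmsp_group_members "$(grep '^smmsp:' /etc/group 2>/dev/null)")
    if [ -z "$members" ]; then
        echo "OK   group smmsp has no extra members"
    else
        echo "WARN group smmsp has extra members: $members"
    fi
}

# Run the live audit only when asked, so sourcing the file stays side-effect free.
if [ "${1:-}" = --live ]; then
    audit_live_system
fi
```

Run it as `sh audit-clientmqueue.sh --live` on the host showing the error. A WARN on the binary line (no setgid bit) explains the "RunAsGid=0" message directly; a WARN on the group line means someone already took the /etc/group shortcut the thread argues against and the entry should be reverted rather than extended.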