
Re: mailq & trusted user



On Wed, 25 Apr 2001, Stefano Zacchiroli wrote:

> With new sendmail 8.11.3+8.12.0.Beta7-3 executing 'mailq' answer me:
>
>    can not chdir(/var/spool/mqueue/): Permission denied
>    Program mode requires special privileges, e.g., root or TrustedUser.
>
> from this message it seems that adding the user to
> /etc/mail/trusted-users can solve the problem, but this is _not_ the
> case !
>
> In fact doing strace of mailq it's clear that 'mailq' attempts to enter
> /var/spool/mqueue/ dir that is readable/executable only by root and mail
> group members.
>
> So, why this mention to TrustedUser ???

There are two different notions of trust:
 1) TrustedUser: able to own databases and start sendmail (ie 'mail')
 2) trustedusers: able to set whatever from line and have it *not*
    marked as a forgery attempt (ie uucp, majordomo)

This whole mess is one of the problems with the MTA/MSP split, making
mailq, etc non-suid.

Here are the problems I'm struggling with in regards to the split:
 *) mailq, runq, etc now need root - probably ok for runq, but people
    have been accustomed to doing mail from user accounts.  I can
    make these commands wrapper scripts that look at both MSP and
    MTA queues, but will that adversely impact folk who expect to
    parse the output ?

 *) mail, etc, now only deal with the MTA queues, and people have
    gotten confused, thinking mail has disappeared, when in fact it
    is in /var/spool/mqueue-client instead of /var/spool/mqueue.

 *) is MSP a viable alternative to a nullclient/smarthost setup?
    what level of functionality should the MSP have -- it's currently
    set up to *only* deal with the MTA on localhost.

There are probably others...  I've been banging my head against the
wall on too many problems lately - got a few problems fixed that
hopefully made today's dinstall run (haven't checked yet), and a few
extensions (like queue-aging) I'm working on, so I'm kinda muddled
for the nonce ;)

-- 
Rick Nelson
<Knghtbrd> RoboHak - okay, the patch isn't broken, but my brain
           apparently is
<wc> that's nothing new (;
<Knghtbrd> wc - hush.
<Knghtbrd> =>
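
An added example, not part of the original message or of the Debian sendmail package: a POSIX shell check that works out from the mode bits why an unprivileged user cannot enter the two queue directories named in the thread. It assumes GNU `stat -c`; the function names `can_enter` and `explain_queue` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): why can mailq not enter a queue dir?
# Assumes GNU stat (-c); function names are hypothetical.

# can_enter MODE OWNER_UID GROUP_GID USER_UID "USER_GIDS"
# Prints the permission class that grants read+search on the directory
# (root, owner, group, other) or "denied". Works from the mode bits alone,
# so the verdict does not depend on who runs the script.
can_enter() {
    perms=$(printf '%03o' "$((0$1 & 0777))")   # drop setuid/setgid/sticky
    rest=${perms#?}
    u=${perms%??} g=${rest%?} o=${perms#??}
    class=other bits=$o
    if [ "$4" -eq 0 ]; then echo root; return 0; fi
    if [ "$4" -eq "$2" ]; then
        class=owner bits=$u          # owner bits win even if group is wider
    else
        for gid in $5; do
            if [ "$gid" -eq "$3" ]; then class=group bits=$g; break; fi
        done
    fi
    if [ $((bits & 5)) -eq 5 ]; then echo "$class"; else echo denied; fi
}

# explain_queue DIR: print mode, owner, group and the verdict for the caller.
explain_queue() {
    info=$(stat -c '%a %u %g' "$1" 2>/dev/null) || { echo "$1: cannot stat"; return 0; }
    set -- "$1" $info
    verdict=$(can_enter "$2" "$3" "$4" "$(id -u)" "$(id -G)")
    echo "$1: mode $2 uid $3 gid $4 -> $verdict"
}

# /etc/mail/trusted-users is never consulted here: per the thread it only
# governs who may set the From line, so adding a user there cannot fix mailq.
for q in /var/spool/mqueue /var/spool/mqueue-client; do
    explain_queue "$q"
done
```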


