[Bug 1203340] New: AUDIT-0: sendmail: Need to crate /run/sendmail
http://bugzilla.opensuse.org/show_bug.cgi?id=1203340

            Bug ID: 1203340
           Summary: AUDIT-0: sendmail: Need to crate /run/sendmail
    Classification: openSUSE
           Product: openSUSE Tumbleweed
           Version: Current
          Hardware: All
                OS: openSUSE Tumbleweed
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Basesystem
          Assignee: screening-team-bugs@suse.de
          Reporter: werner@suse.com
        QA Contact: qa-bugs@suse.de
          Found By: ---
           Blocker: ---

Current SR#990515 had been declined due to

sendmail.x86_64: E: systemd-tmpfile-entry-unauthorized (Badness: 10) /usr/lib/tmpfiles.d/sendmail.conf "a+ /run - - - - u:mail:rwx,g:mail:rwx"
sendmail.x86_64: E: systemd-tmpfile-entry-unauthorized (Badness: 10) /usr/lib/tmpfiles.d/sendmail.conf "a+ /run/sendmail - - - - u:mail:rwx,g:mail:rwx"
This package installs a systemd-tmpfiles drop-in configuration file that contains sensitive configuration entries. If the package is intended for inclusion in any SUSE product please open a bug report to request review of the package by the security team. Please refer to https://en.opensuse.org/openSUSE:Package_security_guidelines#audit_bugs for more information.

but the current package throws warnings while starting its services, therefore these changes seem to be required.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1203340

Dr. Werner Fink <werner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|AUDIT-0: sendmail: Need to  |AUDIT-0: sendmail: Need to
                   |crate /run/sendmail         |create /run/sendmail
http://bugzilla.opensuse.org/show_bug.cgi?id=1203340
http://bugzilla.opensuse.org/show_bug.cgi?id=1203340#c3

Dr. Werner Fink <werner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |matthias.gerstner@suse.com
              Flags|                            |needinfo?(matthias.gerstner
                   |                            |@suse.com)

--- Comment #3 from Dr. Werner Fink <werner@suse.com> ---
(In reply to Matthias Gerstner from comment #2)
> So this entry here:
>
> a+ /run - - - - u:mail:rwx,g:mail:rwx
>
> is a bit over the top. This would allow the mail user and group to do what
> they want below /run. That probably even allows a local root exploit vector
> one way or the other from mail to root.
>
> If /run/sendmail is already created via systemd-tmpfiles, then why does
> mail:mail need write access in /run?
>
> This file is not coming from upstream but from our packaging it looks like,
> right?

Normally sendmail would use /var/run, but this is /run with systemd, and this leads to error messages as well as sometimes a service that does not run.

Sep 15 09:54:37 boole sendmail[1483]: daemon could not open control socket /var/run/sendmail/control: Group writable directory

If I change permissions I see

Sep 15 16:28:42 boole sendmail[31011]: daemon could not open control socket /var/run/sendmail/control: Permission denied

I simply want to have a fix which enables sendmail to do its job after reboot.
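The reviewer's objection in comment #2 is that a write ACL on /run itself, rather than on the service's own subdirectory, hands the mail user a foothold in a shared, root-owned runtime directory. The following is an added example (not code from the bug report, the sendmail package or rpmlint) that parses tmpfiles.d lines in their documented Type/Path/Mode/User/Group/Age/Argument layout and flags ACL entries which grant write access on a shared top-level directory; the `d /run/sendmail 0750 root mail -` line in the sample is an assumed narrower alternative, not the package's actual fix.

```python
"""Lint systemd-tmpfiles.d entries for write ACLs on shared directories.

Added example, not part of the bug report or the sendmail package.
"""
import shlex
from dataclasses import dataclass

# Constructed sample: the two entries quoted from the declined SR, plus a
# hypothetical narrower replacement entry (assumption, not the real fix).
SAMPLE_CONF = """\
# sendmail.conf as quoted in the bug
a+ /run - - - - u:mail:rwx,g:mail:rwx
a+ /run/sendmail - - - - u:mail:rwx,g:mail:rwx
# hypothetical narrower alternative: own the subdirectory instead
d /run/sendmail 0750 root mail -
"""

# Shared runtime/temp directories where a per-service write grant is a red flag.
SHARED_DIRS = {"/run", "/var/run", "/tmp", "/var/tmp", "/dev/shm"}


@dataclass
class Entry:
    kind: str      # tmpfiles.d type, e.g. "d", "a+", "A"
    path: str
    mode: str
    user: str
    group: str
    age: str
    argument: str  # for ACL types: "u:mail:rwx,g:mail:rwx"


def parse_tmpfiles(text):
    """Parse tmpfiles.d lines; missing trailing fields become '-'."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)
        fields += ["-"] * (7 - len(fields))
        entries.append(Entry(*fields[:7]))
    return entries


def acl_grants_write(argument):
    """True if any ACL spec in the argument field contains the 'w' bit."""
    for spec in argument.split(","):
        parts = spec.split(":")
        if len(parts) >= 3 and "w" in parts[-1]:
            return True
    return False


def find_overbroad(entries):
    """Return (path, reason) for write ACLs applied to a shared directory."""
    findings = []
    for e in entries:
        if e.kind.rstrip("+") in ("a", "A") and acl_grants_write(e.argument):
            if e.path.rstrip("/") in SHARED_DIRS:
                findings.append(
                    (e.path, f"write ACL {e.argument!r} on shared directory"))
    return findings


if __name__ == "__main__":
    for path, reason in find_overbroad(parse_tmpfiles(SAMPLE_CONF)):
        print(f"{path}: {reason}")
```

Only the `/run` entry is reported; the `/run/sendmail` entry is scoped to the service's own directory and the `d` entry grants nothing beyond the directory's mode, which is the shape the reviewer was asking for.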
http://bugzilla.opensuse.org/show_bug.cgi?id=1203340
http://bugzilla.opensuse.org/show_bug.cgi?id=1203340#c4

--- Comment #4 from Dr. Werner Fink <werner@suse.com> ---
On TW I see

Sep 15 14:54:27 noether systemd[1]: sendmail.service: Can't open PID file /run/sendmail.pid (yet?) after start: Operation not permitted
http://bugzilla.opensuse.org/show_bug.cgi?id=1203340
http://bugzilla.opensuse.org/show_bug.cgi?id=1203340#c5

--- Comment #5 from Dr. Werner Fink <werner@suse.com> ---
But a socket for daemon control

noether:~ # ll -rt /run/sendmail -d
drwxr-x--T+ 2 root mail 60 Sep 15 16:39 /run/sendmail
noether:~ # ll -rt /run/sendmail -d
drwxr-x--T+ 2 root mail 60 Sep 15 16:39 /run/sendmail
http://bugzilla.opensuse.org/show_bug.cgi?id=1203340
http://bugzilla.opensuse.org/show_bug.cgi?id=1203340#c6

--- Comment #6 from Dr. Werner Fink <werner@suse.com> ---
(In reply to Dr. Werner Fink from comment #5)
> But a socket for daemon control
>
> noether:~ # ll -rt /run/sendmail -d
> drwxr-x--T+ 2 root mail 60 Sep 15 16:39 /run/sendmail
> noether:~ # ll -rt /run/sendmail -d
> drwxr-x--T+ 2 root mail 60 Sep 15 16:39 /run/sendmail

noether:~ # ll -rt /run/sendmail
total 0
srw-rw---- 1 root mail 0 Sep 15 16:39 control
http://bugzilla.opensuse.org/show_bug.cgi?id=1203340
http://bugzilla.opensuse.org/show_bug.cgi?id=1203340#c7

--- Comment #7 from Dr. Werner Fink <werner@suse.com> ---
Created attachment 861509
  --> http://bugzilla.opensuse.org/attachment.cgi?id=861509&action=edit
/usr/lib/systemd/system/sendmail.service from my TW

After some debugging I've identified same races for the sendmail.pid file and problems due to a not writable /etc/aliases.db ... What I still want is to use systemd-tmpfiles-setup.service to replace the part of creating the directory /run/sendmail as a place for the control socket ... which is done in /etc/mail/system/sm.pre
http://bugzilla.opensuse.org/show_bug.cgi?id=1203340
http://bugzilla.opensuse.org/show_bug.cgi?id=1203340#c9

--- Comment #9 from Dr. Werner Fink <werner@suse.com> ---
I've added a directory to the sendmail permissions files and now I face

[  107s] sendmail.x86_64: E: permissions-file-digest-mismatch (Badness: 10) /etc/permissions.d/sendmail.paranoid expected sha256:afa2a74dfef4ac98dd048a7c962a3528e4b5c932e538f7c3666f167924de2d4e, has:2d5c56cdfb00ec169c182de791cf2934331159842f1849c5f2d7059f0086bd2c
[  107s] sendmail.x86_64: E: permissions-file-digest-mismatch (Badness: 10) /etc/permissions.d/sendmail expected sha256:423780cfd9d5935a26981b1cfede12816c1ce4c0982c22dd28d4ceadeed5cce5, has:1212f3c38078b22eca57c92554ee15f43f6dfb3fcebb21e420ba9f3397319c06

... the problem is

/etc/mail/system/ root:root 0755

... can be seen under server:mails/sendmail.

Currently the scan for the occupation of port 25 aka smtp for sendmail-client.service runs into a timeout ... and that even though sendmail.service is running
http://bugzilla.opensuse.org/show_bug.cgi?id=1203340
http://bugzilla.opensuse.org/show_bug.cgi?id=1203340#c10

--- Comment #10 from Dr. Werner Fink <werner@suse.com> ---
(In reply to Dr. Werner Fink from comment #9)
> ... the problem is
>
> /etc/mail/system/ root:root 0755
>
> ... can be seen under server:mails/sendmail.
>
> Currently the scan for the occupation of port 25 aka smtp for
> sendmail-client.service runs into a timeout ... and that even though
> sendmail.service is running

OK ... problem found and fixed
http://bugzilla.opensuse.org/show_bug.cgi?id=1203340
http://bugzilla.opensuse.org/show_bug.cgi?id=1203340#c11

--- Comment #11 from Dr. Werner Fink <werner@suse.com> ---
What now? I'm still waiting, e.g. on comment #9, to get fixed checksums for the permissions files sendmail and sendmail.paranoid
http://bugzilla.opensuse.org/show_bug.cgi?id=1203340
http://bugzilla.opensuse.org/show_bug.cgi?id=1203340#c12

--- Comment #12 from Dr. Werner Fink <werner@suse.com> ---
[  243s] sendmail.x86_64: W: permissions-dir-without-slash /etc/mail/auth
[  243s] sendmail.x86_64: W: permissions-dir-without-slash /etc/mail/certs
[  243s] sendmail.x86_64: W: permissions-dir-without-slash /etc/mail/system
[  243s] sendmail.x86_64: W: permissions-dir-without-slash /usr/libexec/sendmail.d/bin
[  243s] sendmail.x86_64: W: permissions-dir-without-slash /var/spool/mqueue
[  243s] the entry in the permissions file refers to a directory. Please contact
[  243s] security@suse.de to append a slash to the entry in order to avoid security
[  243s] problems. Please refer to
[  243s] https://en.opensuse.org/openSUSE:Package_security_guidelines#audit_bugs for
[  243s] more information.
http://bugzilla.opensuse.org/show_bug.cgi?id=1203340
http://bugzilla.opensuse.org/show_bug.cgi?id=1203340#c13

--- Comment #13 from Dr. Werner Fink <werner@suse.com> ---
Please change the checksums done for sendmail and sendmail.paranoid with sha256sum

noether:/ # cd /etc/permissions.d/
noether:permissions.d # sha256sum sendmail*
e09ca5efebd0b3c123afc2364f9745f4d85c4327fa83f709bccbaa64da764486  sendmail
2d5c56cdfb00ec169c182de791cf2934331159842f1849c5f2d7059f0086bd2c  sendmail.paranoid
noether:permissions.d # cat sendmail*
/usr/sbin/sendmail                         root:mail  2555
/etc/sendmail.cf                           root:root  0644
/etc/mail/auth/                            root:root  0750
/etc/mail/certs/                           root:root  0750
/etc/mail/system/                          root:root  0755
/var/spool/clientmqueue/                   mail:mail  0770
/var/spool/mqueue/                         root:root  0700
/usr/libexec/sendmail.d/bin/               root:root  0755
/usr/libexec/sendmail.d/bin/smrsh          root:root  0511
/usr/libexec/sendmail.d/bin/mail.local     root:root  0511
/usr/sbin/sendmail                         root:mail  0555
/etc/sendmail.cf                           root:root  0644
/etc/mail/auth/                            root:root  0750
/etc/mail/certs/                           root:root  0750
/etc/mail/system/                          root:root  0755
/var/spool/clientmqueue/                   mail:mail  0750
/var/spool/mqueue/                         root:root  0700
/usr/libexec/sendmail.d/bin/               root:root  0755
/usr/libexec/sendmail.d/bin/smrsh          root:root  0511
/usr/libexec/sendmail.d/bin/mail.local     root:root  0511
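The digest mismatch reported in comment #9 exists because the permissions file is whitelisted by content: any edit, including adding the new directory entry, changes the sha256 and has to be re-approved. The following is an added example (not code from the bug report, the sendmail package or rpmlint) that parses the `path owner:group mode` format shown above, reproduces the digest comparison, and lists the entries a reviewer would look at first (setuid/setgid bits, group- or world-writable modes). The sample content is the `sendmail` file as quoted in comment #13; the expected digest is computed from that constructed sample, not the value rpmlint was whitelisting.

```python
"""Parse a permissions.d file, verify its digest, and flag notable entries.

Added example, not part of the bug report, the sendmail package or rpmlint.
The directory-without-slash warning from comment #12 is not reproduced: it
needs the package's own list of which paths are directories.
"""
import hashlib
from dataclasses import dataclass

# Constructed sample: the /etc/permissions.d/sendmail entries quoted in comment #13.
SAMPLE_PERMISSIONS = """\
/usr/sbin/sendmail root:mail 2555
/etc/sendmail.cf root:root 0644
/etc/mail/auth/ root:root 0750
/etc/mail/certs/ root:root 0750
/etc/mail/system/ root:root 0755
/var/spool/clientmqueue/ mail:mail 0770
/var/spool/mqueue/ root:root 0700
/usr/libexec/sendmail.d/bin/ root:root 0755
/usr/libexec/sendmail.d/bin/smrsh root:root 0511
/usr/libexec/sendmail.d/bin/mail.local root:root 0511
"""


@dataclass
class PermEntry:
    path: str
    owner: str
    group: str
    mode: int  # numeric mode parsed from the octal field


def parse_permissions(text):
    """Parse 'path owner:group mode' lines; '#' starts a comment."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, ownergroup, mode = line.split()
        owner, group = ownergroup.split(":", 1)
        entries.append(PermEntry(path, owner, group, int(mode, 8)))
    return entries


def sha256_digest(text):
    """Digest of the file content, as 'sha256sum' would print it."""
    return hashlib.sha256(text.encode()).hexdigest()


def digest_matches(text, expected_hex):
    """Same check rpmlint applies: the whitelisted digest must equal the file's."""
    return sha256_digest(text) == expected_hex


def risky_entries(entries):
    """Return (path, reasons) for entries that deserve review attention."""
    findings = []
    for e in entries:
        reasons = []
        if e.mode & 0o6000:
            reasons.append("setuid/setgid")
        if e.mode & 0o022:
            reasons.append("group/world writable")
        if reasons:
            findings.append((e.path, reasons))
    return findings


if __name__ == "__main__":
    expected = sha256_digest(SAMPLE_PERMISSIONS)  # stands in for the whitelisted value
    print("digest ok:", digest_matches(SAMPLE_PERMISSIONS, expected))
    for path, reasons in risky_entries(parse_permissions(SAMPLE_PERMISSIONS)):
        print(path, ", ".join(reasons))
```

Appending a single entry (the situation in comment #9) makes `digest_matches` return False, which is exactly why a new digest has to be recorded on the rpmlint side rather than in the package.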
http://bugzilla.opensuse.org/show_bug.cgi?id=1203340
http://bugzilla.opensuse.org/show_bug.cgi?id=1203340#c14

Dr. Werner Fink <werner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |filippo.bonazzi@suse.com,
                   |                            |jsegitz@suse.com,
                   |                            |paolo.perego@suse.com

--- Comment #14 from Dr. Werner Fink <werner@suse.com> ---
Can anyone of the added guys in the Carbon Copy list ask one of my questions and e.g. change the sha256 for sendmail's permissions files (or better add a second check to allow both new and old sendmail packages to build)
http://bugzilla.opensuse.org/show_bug.cgi?id=1203340

Dr. Werner Fink <werner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|needinfo?(werner@suse.com)  |
http://bugzilla.opensuse.org/show_bug.cgi?id=1203340
http://bugzilla.opensuse.org/show_bug.cgi?id=1203340#c18

--- Comment #18 from OBSbugzilla Bot <bwiedemann+obsbugzillabot@suse.com> ---
This is an autogenerated message for OBS integration:
This bug (1203340) was mentioned in
https://build.opensuse.org/request/show/1007830 Factory / rpmlint
http://bugzilla.opensuse.org/show_bug.cgi?id=1203340
http://bugzilla.opensuse.org/show_bug.cgi?id=1203340#c20

Dr. Werner Fink <werner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|                            |needinfo?(paolo.perego@suse
                   |                            |.com)

--- Comment #20 from Dr. Werner Fink <werner@suse.com> ---
Question: Are the sha256 check sums also changed to the new values?
http://bugzilla.opensuse.org/show_bug.cgi?id=1203340
http://bugzilla.opensuse.org/show_bug.cgi?id=1203340#c21

Paolo Perego <paolo.perego@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|needinfo?(paolo.perego@suse |
                   |.com)                       |

--- Comment #21 from Paolo Perego <paolo.perego@suse.com> ---
Yes they are
http://bugzilla.opensuse.org/show_bug.cgi?id=1203340
http://bugzilla.opensuse.org/show_bug.cgi?id=1203340#c22

--- Comment #22 from OBSbugzilla Bot <bwiedemann+obsbugzillabot@suse.com> ---
This is an autogenerated message for OBS integration:
This bug (1203340) was mentioned in
https://build.opensuse.org/request/show/1008922 Factory / rpmlint