Mailinglist Archive: opensuse-security (343 mails)

RE: [suse-security] Sendmail with amavis
  • From: Boris Lorenz <bolo@xxxxxxx>
  • Date: Wed, 11 Jul 2001 18:03:38 +0200 (MEST)
  • Message-id: <XFMail.010711180338.bolo@xxxxxxx>
Hi,

On 11-Jul-01 Paco wrote:
> Hi
>
> sorry but my English is no good
>
> When I start sendmail, I get the following messages in log file:
>
> Daemon could not open control socket /var/run/sendmail/control: Group
> writable directory
>
> Sendmail starts ok.

sendmail, for security reasons, does not like the directory /var/run/sendmail
or /var/run to be in mode 775. The configuration option which makes sendmail
less picky about these permissions is DontBlameSendmail. If enabled, sendmail
does not check any permissions whatsoever. This is not a good idea because you may
open your system to serious security holes if your permissions, e.g. in the
home dirs of your users, are badly set. This way, all group-members (like
"users") could create and/or modify .forward-files to do all sorts of nasty
things...

You can set the permissions of /var/run to 755 (instead of 775) in
/etc/permissions and manually change the perms of /var/run afterwards. That
way, SuSEconfig/seccheck does not change the perms back to 775.

However, be careful, some programs may need the perms of 775; do some tests
after you've changed permissions.

Btw., the reason why the option mentioned above is called "DontBlameSendmail"
is that you should not blame the sendmail.org team for any security breaches
taking place after implementing this option... ;)

[...]
> Anyone can help me?
>
> Thanks
[...]

---
Boris Lorenz <bolo@xxxxxxx>
System Security Admin *nix - *nux
---
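
To see which directory on the way to the control socket produces the "Group writable directory" message from the mail above, the following script walks the path upward and lists every directory with the group-write bit set. It is an added example, not part of the original mail and not sendmail's own check; the function names `group_writable_dirs` and `report` and the `--check` argument are made up for this illustration.

```shell
#!/bin/sh
# Added example: find the group-writable directories above a file,
# i.e. the condition behind "Group writable directory" in the log.

# group_writable_dirs PATH
# Prints each ancestor directory of PATH that has the group-write bit
# set, one per line, closest first. Prints nothing if the path is clean.
group_writable_dirs() {
    dir=$(dirname "$1")
    while :; do
        # -H follows a symlink given on the command line (/var/run is a
        # symlink on some systems); -prune stops find from descending;
        # -perm -020 matches when the group-write bit is set.
        find -H "$dir" -prune -type d -perm -020 -print 2>/dev/null
        case $dir in
            /|.) break ;;          # reached the top of the path
        esac
        dir=$(dirname "$dir")
    done
}

# report PATH
# Human-readable summary; returns 1 if any directory was flagged.
report() {
    bad=$(group_writable_dirs "$1")
    if [ -z "$bad" ]; then
        echo "OK: no group-writable directory above $1"
        return 0
    fi
    echo "Group-writable directories above $1:"
    echo "$bad" | while IFS= read -r d; do
        ls -ld "$d"                # show owner, group and mode
    done
    return 1
}

# Only runs when asked to, so the functions can also be sourced.
# Default path is the control socket named in the log message.
if [ "${1:-}" = "--check" ]; then
    report "${2:-/var/run/sendmail/control}"
fi
```

Run it as `sh script.sh --check` before and after changing the mode of /var/run to confirm that the directory named in the log no longer appears.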
