
running 'newaliases' as a regular user - HPUX 11.31

 
PatRoy
Regular Advisor

Hello. Running HPUX 11.31 here.

I've installed Mailman as a listserv instead of Majordomo. I've created its own sendmail AliasFile under /etc/mail/mailman.aliases (chmod 644, owned by a 'webtech' user).

Before, on my old server running Majordomo, the webtech user was able to modify its aliases file and just run 'newaliases' to update the database. Now, he can't. Here's what I get:

Permission denied (real uid not trusted)
$ May 27 15:18:36 pscdweb1 sendmail[2010]: user 165 attempted to rebuild the alias map

So, I've added "Twebtech" to my sendmail.cf

Then I got:

can not chdir(/var/spool/mqueue/): Permission denied
Program mode requires special privileges, e.g., root or TrustedUser.

Looked at the /var/spool/mqueue rights and it was 700, owned by root. chmod that to 755 and tried again running newaliases:

newaliases: cannot open /etc/mail/aliases: Permission denied
hash map "Alias1": unsafe map file /etc/mail/mailman.aliases.db: Permission denied
dbm map "Alias1": unsafe map file /etc/mail/mailman.aliases: Permission denied
WARNING: cannot open alias database /etc/mail/mailman.aliases
Cannot create database for alias file /etc/mail/mailman.aliases

So, I don't get it.... Can anyone advise?? Am I missing anything??

Cheers. Pat.
TTr
Honored Contributor

Re: running 'newaliases' as a regular user - HPUX 11.31

What command is invoked when mailman builds the aliases file? The /usr/sbin/aliases is a soft link to /usr/sbin/sendmail and when newaliases is invoked, sendmail runs as "sendmail -bi". There are no options to use a different aliases file other than the /etc/mail/aliases.

Also, the /var/spool/mqueue is 755 on my 11.00 and 11.11 servers but it is 700 on the 11.23 servers. Since sendmail is running as SUID-root and GUID-mail it should be 700. In addition, for security purposes, sendmail has internal checks to make up for the SUID-root mode. So changing the permissions and ownerships around may break the sendmail functionality altogether.

How did majordomo update its aliases file? Did it use its own aliases file and its own command, or did it use the /etc/mail/aliases, which has to be edited by root?
Steven E. Protter
Exalted Contributor

Re: running 'newaliases' as a regular user - HPUX 11.31

Shalom,

newaliases is a root only command that can totally destroy sendmail security.

If you want a regular user to use it, it is best that they use sudo to make it happen, so file perms don't get all messed up.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
PatRoy
Regular Advisor

Re: running 'newaliases' as a regular user - HPUX 11.31

Well, I should have mentioned that I've added the following to sendmail.cf:

O AliasFile=/etc/mail/mailman.aliases

Additionally, here's the version of my sendmail :

host1:/# swlist -l product | grep -i mail
MailUtilities B.11.31 User mail agents and related tools
Sendmail B.11.31 Mail Transfer Protocol daemons and utilities

My Majordomo installation currently runs on hpux 11.11, with sendmail:

host2:/# swlist -l product | grep -i mail
MailUtilities B.11.11 User mail agents and related tools
PHNE_33597 1.0 mailx(1) patch
PHNE_35484 1.0 sendmail(1M) 8.9.3 patch


Majordomo had its own alias file just like I had for mailman. The file was owned by the majordom user. Each time the users created a new list, they had to edit this file and run 'newaliases', just like I'm doing. It's neither Majordomo nor Mailman that takes care of that. You have to do this portion by hand.

I managed to enable my webtech user to run newaliases on my 11.31 box by doing the following :

1) first ran newaliases as root to have the .db file created.

2) chown webtech /etc/mail/mailman.aliases.db

3) chmod g+rx,o+rx /var/spool/mqueue.

Then webtech was able to run 'newaliases'. However, it gives me some sort of warning which I don't think affects the system...

$ newaliases
newaliases: cannot open /etc/mail/aliases: Permission denied
/etc/mail/mailman.aliases: 20 aliases, longest 55 bytes, 1286 bytes total

It's just strange: the ownerships of /etc/mail/aliases are the same on 11.11 and 11.31, and it doesn't give that error on 11.11 but does so on 11.31. Might be some security fix that sendmail fixed??


PatRoy
Regular Advisor

Re: running 'newaliases' as a regular user - HPUX 11.31

Perhaps using sudo would be a better approach...
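
An added example, not part of any post in this thread: a small audit that reports whether the mail queue directory and the Mailman alias map still have restrictive permissions, which is worth running after the kind of chmod/chown changes described above. The paths come from the thread and the 700 queue mode from TTr's reply; the function names and the expected owner `root` are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit sendmail queue and alias-map permissions.
# Parses `ls -ld` only, so it needs no stat(1) command.

# perm_string PATH -> the nine permission characters, e.g. "rwx------"
perm_string() { ls -ld "$1" 2>/dev/null | awk '{ print substr($1, 2, 9) }'; }
# owner_of PATH -> owning user as printed by ls
owner_of() { ls -ld "$1" 2>/dev/null | awk '{ print $3 }'; }

# check_queue_dir DIR: 0 if group and other have no access, 1 if loosened, 2 if missing
check_queue_dir() {
    p=$(perm_string "$1")
    [ -n "$p" ] || { echo "MISSING $1"; return 2; }
    case "$p" in
        ???------) echo "OK     $1 ($p)"; return 0 ;;
        *)         echo "LOOSE  $1 ($p): group/other can reach the mail queue"; return 1 ;;
    esac
}

# check_map_file FILE OWNER: 0 if owned by OWNER and not writable by group/other,
# 1 on any mismatch, 2 if missing
check_map_file() {
    p=$(perm_string "$1")
    [ -n "$p" ] || { echo "MISSING $1"; return 2; }
    o=$(owner_of "$1")
    rc=0
    case "$p" in
        ????w????|???????w?) echo "LOOSE  $1 ($p): writable by group or other"; rc=1 ;;
    esac
    [ "$o" = "$2" ] || { echo "OWNER  $1 is owned by $o, expected $2"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK     $1 ($p, $o)"
    return "$rc"
}

# audit_sendmail_perms [OWNER]: run the checks on the paths named in the thread.
# The default expected owner "root" is an assumption; pass another name if policy differs.
audit_sendmail_perms() {
    want=${1:-root}
    bad=0
    check_queue_dir /var/spool/mqueue || bad=1
    for f in /etc/mail/mailman.aliases /etc/mail/mailman.aliases.db; do
        check_map_file "$f" "$want" || bad=1
    done
    return "$bad"
}

# Run the audit only when invoked as: script --run [OWNER]
if [ "${1:-}" = "--run" ]; then audit_sendmail_perms "${2:-root}"; fi
```
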