RunAsUser

Previous page
Table of content
Next page
RunAsUser
Run as nonroot (on a firewall) V8.8 and later

On firewalls, for reasons of additional security, it is often desirable to run sendmail as a user other than root . Beginning with V8.8 sendmail , you can accomplish this by using the RunAsUser option: 

 O RunAsUser=  user: group    configuration file (V8.8 and later)  -ORunAsUser=  user: group    command line (V8.8 and later)  define(`confRUN_AS_USER', `  user: group')    mc configuration (V8.8 and later)

Here, user is either the uid number of the identity you want sendmail to run under, or a symbolic name for that identity. If a symbolic name is specified and if that name cannot be looked up in the passwd (5) file, sendmail prints the following error: 

 readcf: option RunAsUser: unknown user  bad symbolic name here

If the symbolic name is found in the passwd (5) file, the uid and gid that sendmail will run under are set from that file.

The : , if it is present, signals to sendmail that you also intend to specify a group identity.

The group is either the numeric gid that you want sendmail to run as, or a symbolic name for a group. If it is a symbolic name, that name is looked up in the group (5) file. If it is not found in that file, the following error is printed: 

 readcf: option RunAsUser: unknown group  bad group name here

If the symbolic name is in that file, sendmail will run under the gid found there.

The sendmail program assumes the identity specified just after the configuration file is read for all but the daemon mode. As a daemon, sendmail remains root to listen for incoming SMTP connections. Each time it receives a connection, it validates that connection (Section 7.1.1), then fork (2)s. The child then processes the incoming message. Immediately after the fork (and before any data is read from or written to the connection), the child assumes the identity specified by this RunAsUser option.

Note that running as non- root can lead to problems, especially on machines that do more than simply relay mail between networks. As non- root , sendmail might not be able to read some :include: files, will certainly not be able to read protected ~/.forward files, and won't be able to save messages to the queue, unless permissions are relaxed to allow the non- root user such access. This option is intended to be used on a firewall machine. It should definitely not be used on nonfirewall machines. [58]

[58] Through careful tuning and attention to details, you might be able to get a serviceable sendmail system to run non- root . Others have done this, but details are not available as of this writing.

The RunAsUser option is not safe. If specified from the command line, it can cause sendmail to relinquish its special privileges.


Previous page
Table of content
Next page
Sendmail
sendmail, 4th Edition
ISBN: 0596510292
EAN: 2147483647
Year: 2002
Pages: 1174
Authors: Bryan Costales, Claus Assmann, George Jansen, Gregory Neil Shapiro
BUY ON AMAZON
High-Speed Signal Propagation[c] Advanced Black Magic
Image Processing with LabVIEW and IMAQ Vision
MySQL Clustering
File System Forensic Analysis
Extending and Embedding PHP
Telecommunications Essentials, Second Edition: The Complete Global Source (2nd Edition)
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy