DontInitGroups

Don't use initgroups(3) (V8.7 and later)

Just before executing any delivery agent (including the *include* delivery agent) and just before opening a ~/.forward file, sendmail sets its group and user identities as appropriate. To illustrate, consider the U= equate. If the fax delivery agent has the U= equate set like this:

 U=fax:fax 

its A= program will be executed by the user fax, who is in the group fax. In addition, sendmail calls the initgroups(3) system call to expand the list of groups to which the user belongs. In the case of fax, it might also belong to the groups faxadm and faxusers. The total result is that fax can execute, read, and write any files that have the appropriate group permissions set for any of the groups fax, faxadm, and faxusers.

This versatility, however, has a price. As group files get huge or as nis, nisplus, or hesiod services become slow (probably because they are also large), the initgroups(3) call can start to adversely affect sendmail's performance.

When performance is a concern, the DontInitGroups option can be used to disable initgroups(3):

 O DontInitGroups=bool                    configuration file (V8.7 and later)
 -ODontInitGroups=bool                    command line (V8.7 and later)
 define(`confDONT_INIT_GROUPS', bool)     mc configuration (V8.7 and later)

The argument bool is of type Boolean. If it is missing, the default value is true (don't call initgroups(3)). If the entire option is missing, the default value is false (do call initgroups(3)). See NO_GROUP_SET for a discussion of how NO_GROUP_SET determines whether this option also affects the getgrgid(3) system call.

The DontInitGroups option is not safe as of V8.8.4. Even if it is specified from the command line, it can cause sendmail to relinquish its special privileges.
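The trade-off described above can be seen in a small model, added here as an illustration and not taken from the book or from sendmail's source. It scans a constructed group(5)-format database the way a flat-file membership lookup must (every line, every member), and returns the group list the fax delivery agent would run with; the gids, the extra entries, and the assumption that disabling initgroups(3) leaves only the U= group are all constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample in group(5) format: name:passwd:gid:member,member */
static const char SAMPLE_GROUP_DB[] =
    "fax:x:70:\n"
    "faxadm:x:71:fax,root\n"
    "faxusers:x:72:alice,fax\n"
    "staff:x:50:alice,faxer\n";

/* Return 1 if user appears as a whole name in the comma-separated list m. */
static int is_member(const char *m, size_t len, const char *user) {
    size_t ulen = strlen(user);
    for (size_t i = 0, j; i < len; i = j + 1) {
        for (j = i; j < len && m[j] != ','; j++) {}
        if (j - i == ulen && memcmp(m + i, user, ulen) == 0) return 1;
    }
    return 0;
}

/* Model (assumption): with dont_init_groups set the agent keeps only the U=
 * group; otherwise it also gets every group in db listing user as a member. */
int agent_groups(const char *db, const char *user, long primary,
                 int dont_init_groups, long *out, int max) {
    int n = 0;
    if (max > 0) out[n++] = primary;
    if (dont_init_groups) return n;
    for (const char *line = db, *eol; *line; line = *eol ? eol + 1 : eol) {
        const char *colon[3];
        int k = 0;
        eol = line + strcspn(line, "\n");
        for (const char *p = line; p < eol && k < 3; p++)
            if (*p == ':') colon[k++] = p;
        if (k < 3) continue;                      /* malformed line: skip */
        long gid = strtol(colon[1] + 1, NULL, 10);
        if (gid != primary && n < max &&
            is_member(colon[2] + 1, (size_t)(eol - colon[2] - 1), user))
            out[n++] = gid;
    }
    return n;
}

int main(void) {
    long g[8];
    printf("initgroups: %d groups\n", agent_groups(SAMPLE_GROUP_DB, "fax", 70, 0, g, 8));
    printf("DontInitGroups: %d group\n", agent_groups(SAMPLE_GROUP_DB, "fax", 70, 1, g, 8));
    return 0;
}
```

Before enabling the option, check which files the delivery agent reaches only through its supplementary groups (faxadm and faxusers here), since under this model that access disappears along with the lookup cost.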



Sendmail
sendmail, 4th Edition
ISBN: 0596510292
EAN: 2147483647
Year: 2002
Pages: 1174
