php mail() function not working
Keith Mastin
kmastin-PzQIwG9Jn9VAFePFGvp55w at public.gmane.org
Wed Oct 8 01:55:00 UTC 2003
<quote who="Fraser Campbell">
> On Tuesday 07 October 2003 12:01, serge_ss-rieW9WUcm8FFJ04o6PK0Fg at public.gmane.org wrote:
>> Well, the security implications are understandable, but what's the
>> solution if sendmail and other stuff are run under apache user, and su
>> .... -c '/usr/sbin/sendmail -t -i' doesn't work. The only other
>> solution I see, is to write a stub that would accept input from php
>> and then send it to postfix under different privileges.
The pipe solution we were talking about. I'm not convinced it's
necessary. I still think the hint is in the php compilation instructions,
to compile php with user privileges for sendmail.
> /usb/sbin/sendmail can be run by any user on the system, no need to su,
> no need for it to be suid/sgid (we're talking postfix systems here not
> necessarily others).
My sendmail binary is set 755, so yes, it should be executable by any
user. If executed by apache though, the process hangs at the handoff to
postdrop.
> Programs such as /bin/mail, pine, mutt, php, etc.
> all use this program directly, users running those programs should not
> be members of the postdrop group.
>
> As I understand it, /usr/sbin/sendmail passes mail to a program called
> postdrop for further processing. Taking a stab at Keith's problem I
> guessed that his postdrop binary is not setgid postdrop, if that is the
> case he will definitely get a permission denied message when running
> /usr/sbin/sendmail (and consequently postdrop).
-rwxr-sr-x 1 root postdrop 359703 Sep 10 15:32 /usr/sbin/postdrop
> On a redhat system you should probably have these permissions seem
> typical:
>
> /usr/sbin/sendmail.postfix, owner root:root, mode 555 (or 755)
755 root
> /usr/sbin/postdrop, owner root:postdrop, mode 2555 (or 2775)
2755 root.postdrop
> /var/spool/postfix/maildrop/, owner postfix:postdrop, mode 730
630 postfix.postdrop, reset to 1730
That was so simple, and it bugs me that it wasn't documented anywhere. I
have (and read/refer to) the Blum book, I'm a member of the users list,
read all the docs pretty much extensively, yet there's no replacement for
good old tlug. :)
Unfortunately, it didn't fix the problem. Unless apache is a member of the
postfix and postdrop groups, the message hangs in a memory process because
of permissions problems.
Throwing another curve ball is the fact that mod_auth_pam is needed for
.htaccess for hundreds of users on 2 domains hosted on the server. I had
to change the user that apache runs under from apache to shadow-readers.
--
The Toronto Linux Users Group. Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
More information about the Legacy
mailing list