On Sat, 25 Jun 2005, Alexander Dalloz wrote:
On Sat, 25.06.2005, Matthew Saltzman wrote at 16:07:
In my freshly installed FC4,
$ ls -l /etc/aliases*
-rw-r--r-- 1 root root   1512 Apr 25 12:48 /etc/aliases
-rw-r----- 1 root smmsp 12288 Jun 24 20:27 /etc/aliases.db
so the fix for the original problem would just be
chown root /etc/aliases.db
The rest of the permissions were fine.
By which I meant, "as they are originally installed," and also, "so newaliases will write the file."
Matthew Saltzman
The group ownership by smmsp of the aliases.db isn't correct, following the Sendmail documentation. Please see "FILE AND MAP PERMISSIONS" at top of /usr/share/doc/sendmail/README.
"If the permissions 0640 are used, be sure that only trusted users belong to the group assigned to those files. Otherwise, files should not even be group readable."
I don't even see a need for the MSP user to be able to read the aliases.db.
And "smmsp" is not a trusted user - and never should be one! In the past it has been one by the default Sendmail configuration, but that has been corrected by the maintainer after I informed him about this severe setup fault.
As a reference to former discussion:
https://www.redhat.com/archives/fedora-list/2004-January/msg06394.html
Alexander
Then surely this should be in Bugzilla as a security issue. BTW, FC3 and RHEL4 also have the permissions set as I indicated above.
-- Matthew Saltzman
Clemson University Math Sciences mjs AT clemson DOT edu http://www.math.clemson.edu/~mjs
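
The permission rule quoted from the Sendmail README in this thread, written as a check that can be run over map files such as /etc/aliases.db. This is an added example, not part of the original messages or of Sendmail; the function names and the TRUSTED_GROUPS variable are assumptions made for illustration, and audit_file relies on GNU stat.

```shell
#!/bin/sh
# Added example: audit sendmail map files against the README rule
# "files should not even be group readable" unless the group is trusted.
# Assumption: TRUSTED_GROUPS lists the groups whose members are all trusted.
TRUSTED_GROUPS="${TRUSTED_GROUPS:-root}"

is_trusted_group() {
    for g in $TRUSTED_GROUPS; do
        [ "$g" = "$1" ] && return 0
    done
    return 1
}

# check_map_perms OWNER GROUP MODE
# MODE is octal as printed by `stat -c %a` (for example 640).
# Prints one line per finding; returns 0 if clean, 1 otherwise.
check_map_perms() {
    owner=$1; group=$2; mode=$3; rc=0
    if [ "$owner" != "root" ]; then
        echo "owner is '$owner', expected root (fix: chown root FILE)"
        rc=1
    fi
    # 040 is the group-read bit.
    if [ $(( 0$mode & 040 )) -ne 0 ] && ! is_trusted_group "$group"; then
        echo "group-readable by untrusted group '$group' (mode $mode)"
        rc=1
    fi
    return $rc
}

# audit_file PATH: read owner, group and mode with GNU stat, then check them.
# Returns 2 if the file cannot be examined.
audit_file() {
    meta=$(stat -c '%U %G %a' "$1") || return 2
    # Word splitting of "owner group mode" is intentional here.
    if out=$(check_map_perms $meta); then return 0; fi
    printf '%s\n' "$out" | sed "s|^|$1: |"
    return 1
}

# Usage: sh audit.sh /etc/aliases.db [more map files...]
if [ "$#" -gt 0 ]; then
    for f in "$@"; do audit_file "$f"; done
fi
```

With the default TRUSTED_GROUPS, the root:smmsp 0640 listing shown above is reported as group-readable by an untrusted group, while root:root 0640 and root:smmsp 0600 pass.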