[Techtalk] Permission Denied

Almut Behrens almut-behrens at gmx.net
Sat Nov 4 14:55:05 UTC 2006


On Sat, Nov 04, 2006 at 12:34:01AM -0800, Raquel wrote:
> I run a server with Debian Sarge with Sendmail, Apache and PHP4.3.10
> 
> When I try to send email using web software being run on that same
> server, I get the following error.
> 
> NOQUEUE: SYSERR(www-data):can not chdir(/var/spool/mqueue-client/):
> Permission denied

Hi,

as of v8.12 (sarge uses 8.13, so this applies), sendmail uses a split
MTA/MSP (Mail Transmission/Transfer Agent, Mail/Message Submission
Program) design to avoid having to run set-user-ID-root.

Of course, this is supposed to work out of the box... but if it
doesn't and you need to fix things yourself, it's essential to
understand the concepts involved :)
Thus I'd suggest you download the sendmail sources [1] and read the
file sendmail/SECURITY, which explains this rather well.  There are
a few minor differences in configuration in Debian (e.g. MSP_QUEUE_DIR
is not /var/spool/clientmqueue, but /var/spool/mqueue-client, etc.).
Also see the script /usr/share/sendmail/update_sys (near the end), for
what UID/GID settings are being enforced in Debian.

Then I'd check whether all directory permissions and ownerships,
set-GID-on-execution bit and stuff are set up like they're supposed
to... (not meaning to sound snotty, but that's essentially what it
comes down to ;)

(An incorrect SASL setup might also be involved. Not sure though - just
an idea.)

If that doesn't get you anywhere, it would help us to have a few more
details about your config: what options have you specified when running
"sendmailconfig", what is the exact command that's being invoked from
the web application [2] (I suppose you're trying to send mail server-side
from some PHP application... thus the webserver's UID "www-data"), can
you send mail normally as a regular user?, and so on...

Good luck,
Almut


[1] e.g. from
http://security.debian.org/debian-security/pool/updates/main/s/sendmail/sendmail_8.13.4.orig.tar.gz

[2] using strace might help here, if you can't find out otherwise.
To ease this step, run apache as a _single_ process (option -X, IIRC),
so you'll know what PID to attach strace to...

P.S. if you're beginning to feel a little uncomfortable (security-wise),
after having fiddled around too much with the configs, permissions and
trusted users, you might want to make sure you're not inadvertently
running an open relay, e.g. via http://www.abuse.net/relay.html
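
Added example, not part of the original message and not code from sendmail or Debian: a small POSIX shell audit of the ownership and set-GID checks the reply recommends. The group name smmsp, the binary path /usr/lib/sm.bin/sendmail and the expected modes (set-GID binary, queue directory group-rwx and closed to others) are assumptions taken from upstream defaults; the values Debian actually enforces are in /usr/share/sendmail/update_sys.

```shell
#!/bin/sh
# Added example. Print the Nth column of `ls -ldL` (1 = mode, 4 = group).
# -L follows symlinks such as /usr/sbin/sendmail.
ls_field() { ls -ldL "$1" 2>/dev/null | awk -v n="$2" '{ print $n }'; }

# check_msp BINARY QUEUE_DIR GROUP
# Returns 0 if the MSP binary and its queue directory match the split
# MTA/MSP layout, 1 otherwise. One line is printed per problem found.
check_msp() {
    bin=$1; queue=$2; group=$3; rc=0
    bad() { printf 'FAIL: %s\n' "$*"; rc=1; }

    if [ ! -f "$bin" ]; then
        bad "$bin: not a regular file"
    else
        [ "$(ls_field "$bin" 4)" = "$group" ] || bad "$bin: group is not $group"
        # Without set-GID, a caller such as www-data keeps its own group
        # and cannot chdir() into the queue directory.
        [ -g "$bin" ] || bad "$bin: set-GID bit missing"
        # The split design exists so that set-UID root is not needed.
        [ ! -u "$bin" ] || bad "$bin: set-UID bit is set"
        case $(ls_field "$bin" 1) in
            ?????w*|????????w*) bad "$bin: writable by group or others" ;;
        esac
    fi

    if [ ! -d "$queue" ]; then
        bad "$queue: not a directory"
    else
        mode=$(ls_field "$queue" 1)
        [ "$(ls_field "$queue" 4)" = "$group" ] || bad "$queue: group is not $group"
        case $mode in ????rw[xs]*) ;; *) bad "$queue: group lacks rwx ($mode)" ;; esac
        case $mode in ???????---*) ;; *) bad "$queue: accessible to others ($mode)" ;; esac
    fi
    return "$rc"
}

# Assumed Debian values (binary path and group name are not from the
# message above; only the queue directory is). Confirm them against
# update_sys before relying on the result.
if [ "${1:-}" = "--debian" ]; then
    check_msp /usr/lib/sm.bin/sendmail /var/spool/mqueue-client smmsp
fi
```

Run it with `--debian` as root or as a user allowed to stat both paths; any FAIL line names the file whose ownership or mode to compare against update_sys.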

