
A login script to fix sendmail permissions UNIX
I have seen a bunch of different threads on different mailing lists regarding problems with Sendmail on OS X because of permission problems. To make life easier, I created this StartupItem to deal with the problem. This has been tested on 10.1.4. I run postfix instead of Sendmail, so this isn't an issue for me, but in the interest of being helpful, here's a fix.

This startup item fixes the permissions on /, /etc and /etc/mail so that Sendmail (as distributed with 10.1.4 at least) will run.

[Editor's note: I had a minor database glitch this morning, and I just noticed that this article was under my by-line. I have now corrected it to reflect the original submitter; my apologies for the incorrect attribution!]

To install this script, log in as an administrator and create a folder named KeepSendmailHappy in /Library/StartupItems. If your system doesn't have /Library/StartupItems, go ahead and make it, but make sure you get the spelling correct. Once created, 'cd' into the new KeepSendmailHappy folder. Create a file called KeepSendmailHappy with the following contents:

    #!/bin/sh
    #
    # Fix permissions on /, /etc and /etc/mail to keep Sendmail happy

    . /etc/rc.common

    case "$1" in
        start)
            ConsoleMessage "Fixing permissions on /, /etc and /etc/mail"
            chmod g-w / /etc /etc/mail
            ;;
    esac

    exit 0

Then make the script executable with sudo chmod 755 KeepSendmailHappy. Now create a file named StartupParameters.plist with the following contents:

    {
        Description = "Keep Sendmail Happy";
        Provides = ("HappySendmail");
        Requires = ("Resolver");
        OrderPreference = "None";
        Messages =
        {
            start = "Fixing permissions on /, /etc and /etc/mail";
            stop = "Fixing permissions on /, /etc and /etc/mail";
            restart = "Fixing permissions on /, /etc and /etc/mail";
        };
    }

The latest version of this script is always available for download at apesseekingknowledge.net.
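
A companion check for the fix above, as an added example that is not part of the original hint: it walks from a file up to / and prints every directory that is group- or world-writable, the condition behind Sendmail's "Group writable directory" error. The function names are assumptions of this example, and the mode is read from ls so it works on both BSD and GNU userlands.

```shell
#!/bin/sh
# Added example (not the hint author's script): list every directory on the
# path to a file that is group- or world-writable.

# mode_of DIR: print the 10-character mode string, following symlinks
# (on Mac OS X /etc is a symlink to /private/etc).
mode_of() {
    ls -ldL "$1" 2>/dev/null | cut -c1-10
}

# unsafe_dirs FILE: print "MODE DIR" for each writable ancestor of FILE,
# from its parent directory up to /. FILE must be an absolute path.
# Directories reached only through a symlink target are not visited.
unsafe_dirs() {
    case "$1" in
        /*) ;;
        *) echo "unsafe_dirs: need an absolute path" >&2; return 2 ;;
    esac
    dir=$(dirname "$1")
    while :; do
        mode=$(mode_of "$dir")
        case "$mode" in
            # character 6 is group write, character 9 is world write
            d????w????|d???????w?) echo "$mode $dir" ;;
        esac
        if [ "$dir" = "/" ]; then break; fi
        dir=$(dirname "$dir")
    done
}

# Run the check only when a file is given on the command line.
if [ "${1:-}" != "" ]; then
    unsafe_dirs "$1"
fi
```

Run it with /etc/mail/sendmail.cf as the argument. Empty output means no directory on that path is group- or world-writable; run from a periodic job, it also catches permissions that change between reboots.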
Enough Permissions?
Authored by: CyborgSam on May 05, '02 04:37:16PM

The hint a while back "Create a private mail server" changes these:

chmod go-w / /etc /etc/mail /usr /var /var/spool /var/spool/mqueue
chown root / /etc /etc/mail /usr /var /var/spool /var/spool/mqueue

This hint only changes:

chmod g-w / /etc /etc/mail

Were the others eliminated for good reason? The first hint has been working AOK for me, I do admit that modifying the actual sendmail startup isn't as clean as adding a startup item.

Also, is the new startup item executed before or after sendmail starts? If after, sendmail might quit if the permissions are not correct...



Enough Permissions?
Authored by: robh on May 05, '02 05:17:29PM

I only ever fix '/' and that's enough for my sendmail to keep working.

One thing to watch out for when relying on scripts like these is that upgrades such as iPhoto 1.1 clobber the permissions on '/' but they don't need a reboot, so incoming mail can't be delivered until you notice or do a reboot.



Why not just change sendmail?
Authored by: saint.duo on May 05, '02 07:07:52PM
In the book "Mac OS X Unleashed", the author talks about having a group writable directory (as OS X does) and sendmail not liking it. His fix (and to me, this is more elegant, as updates and such don't break it) is to change the line:
#O DontBlameSendmail=safe
to
O DontBlameSendmail=GroupWritableDirPathSafe
in the /etc/mail/sendmail.cf file.

Why not just change sendmail?
Authored by: maclaw on May 05, '02 07:16:41PM

There is a legitimate security reason why sendmail does not like group writable directories. You are basically just telling sendmail to ignore its better judgment by using that alteration.

As a general rule, it's probably bad to invoke any option in a program where the actual name of the option itself involves the words DontBlameProgramName, or something to that effect. Could there be a stronger suggestion that this is not an advisable option to be invoking?
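
To make the trade-off discussed in the two comments above visible in a configuration review, this added example (not from the thread or from the book it cites) prints every DontBlameSendmail flag that is active in a sendmail.cf. The function names relaxed_flags and is_relaxed are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original thread): list the DontBlameSendmail
# flags that are active in a sendmail.cf, so a relaxed safety check shows up
# in a review instead of going unnoticed.

# relaxed_flags FILE: print each active flag other than "safe", one per line.
# Lines starting with '#' are comments in sendmail.cf and are skipped, so a
# commented-out "#O DontBlameSendmail=safe" line produces no output.
relaxed_flags() {
    awk '
        /^O[ \t]*DontBlameSendmail[ \t]*=/ {
            sub(/^[^=]*=/, "")              # keep only the value list
            n = split($0, flag, ",")        # flags are comma-separated
            for (i = 1; i <= n; i++) {
                gsub(/[ \t\r]/, "", flag[i])
                if (flag[i] != "" && tolower(flag[i]) != "safe")
                    print flag[i]
            }
        }' "$1"
}

# is_relaxed FILE: exit status 0 if any relaxation is active, 1 otherwise.
is_relaxed() {
    [ -n "$(relaxed_flags "$1")" ]
}

# Run the check only when a file is given on the command line.
if [ "${1:-}" != "" ]; then
    relaxed_flags "$1"
fi
```

A non-empty result on a machine where nobody remembers making the change is worth tracing back before relying on the directory permissions alone.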



Re: Why not just change sendmail?
Authored by: saint.duo on May 05, '02 08:08:30PM

As an exercise in curiosity (and me wanting to learn more), what is the security flaw that is opened up when changing this value in sendmail?
If the sendmail server is configured to only allow certain clients (IPs) relay permissions, and require others to authenticate to use it if they're not in the IP list, what can happen?
If you wish to email me off list to discuss this, feel free to.



Re: Why not just change sendmail?
Authored by: vonleigh on May 05, '02 08:46:11PM

Hello,

Have you really gotten authentication installed under OS X? I was looking through the web to see what was involved in getting SMTP authentication and it's not a trivial task.

First you need to compile sendmail from source, to do this you need to have also a user created "smmsp". Then you need to get a site.config.m4 (which I have no idea how to create or modify for my needs). Update the config files, add some cronjobs. After all this you have to figure out how the heck to compile Cyrus SASL (which seems to need some compile tweaks to work, hopefully someone on fink will get it working).

So if you did get smtp-auth to work, how about a friendly tutorial ;)


Vonleigh



Re: Why not just change sendmail?
Authored by: saint.duo on May 05, '02 09:11:22PM
Heh, I wish I could get authentication working. That would save me a few headaches. I just know that it is possible. Right now, I'm using IP addresses to restrict usage.

Daily Maintenance Script error
Authored by: Jacques on May 06, '02 09:42:06AM

I've noticed when I run MacJanitor for the daily maintenance script, the log always records some kind of permission error when it goes through "mail:". Is this post describing it, the writable group issue?

If I don't use sendmail, does this daily script error even matter?

Thanks,
Jacques



Daily Maintenance Script error
Authored by: imacusr on May 06, '02 07:44:08PM
If it looks like this:
/etc/mail/sendmail.cf: line 81: fileclass: cannot open /etc/mail/local-host-names: Group writable directory
then that's the problem. If you aren't running a mail server (or forwarding your daily log output to your OS X mail account), you can ignore the error.

Do Blame Sendmail
Authored by: eo on May 07, '02 12:28:03PM
Why not use a better MTA like qmail? Have not tried this yet under OSX, but if I had to run a mail server on a Mac it would be my first choice.

Do Blame Sendmail
Authored by: jpbjpbjpb on May 08, '02 05:04:31PM

I agree, running something else (I like postfix) is, in the end, a better solution. I just got tired of seeing the same question posted over and over on mailing lists.

I'll still see it, but at least now I can just paste in a URL and be done.


