Great Circle Associates Majordomo-Users
(June 2001)
 


Subject: Re: false start majordomo still littered with problems.....
From: Dan Liston <dliston @ netscape . com>
Organization: iPlanet eCommerce Solutions, A Sun|Netscape Alliance
Date: Sun, 10 Jun 2001 22:45:56 -0500
To: Frank Bax <fbax @ sympatico . ca>, Majordomo Users <majordomo-users @ greatcircle . com>
References: <000601c0ef62$018e4b70$01000001@goodfella> <3.0.6.32.20010610170400.022e7230@pop6.sympatico.ca>

Hi Frank,

Frank Bax wrote:
> 
> On Saturday after lunch, I read the relevant chapters in O'Reilly's
> Managing Mailing lists, after reading the SENDMAIL and MAJORDOMO FAQ's
> during last week.  Then Saturday afternoon was spent installing and
> configuring the system.  I had a late dinner, but the job got done.  It was
> not as bad as I thought it would be after reading the FAQ's.
> 
> Today, after reading Daniel's comments below, I went back to the FAQ's.
> 
> 1)  I can find no reference to the Majordomo 'section' in sendmail FAQ.
> The only mention I see is question 3.32 (more on that later).

I don't believe I referred to a section of the FAQ, but I think 3.32 still
qualifies.

> 
> 2)  The O'Reilly book presented group 'daemon' and 'majordom' as pretty
> much equal.

Sendmail used to run as daemon on most systems too.  Now you see it running
as its own group "mail" in the majority of installations.

> 
> 3)  I cannot find the reference in sendmail FAQ to group daemon being a bad
> idea.

I guess this is more of an interpretation than a fact.  I quote:

Now the differences that make this work that may not be the same as
instructed by the majordomo instructions:

    1. Put the majordomo.aliases file in /etc, not in the majordomo install
       directory (/usr/local/lib/majordomo).
    2. Make the permissions on /usr/local/lib/majordomo 0751, not 0775.
    3. Make the permissions on /usr/local/lib/majordomo/Log 0664, owned by
       majordom, group majordom.
    4. /usr/local/lib/majordomo/lists is mode 0755, owner majordom, group
       majordom.
    5. The permissions/owners for the lists should be as shown above. These
       permissions/ownership allow majordom to continue to manage the lists.

End quote.

> 
> 4)  Sendmail 3.32 and Majordomo 4.12
> These two FAQ questions present different values for DontBlameSendmail.
> They both say make list directories *not* group-writable.
> Sendmail's example has group 'majordom', but neither one mentions the issue
> specifically.

This is purely a matter of your local security policy.  Sendmail is inherently
insecure, which is part of the reasoning behind the name of the value that you
open up by changing "don't blame sendmail".

> 
> I'm using DontBlameSendmail=safe, group 'daemon' and NOT group-writable
> list directories and everything appears to be working?
> 
> SO, I'm wondering what's the issue with group 'majordom' or 'daemon'?

Again, security.  Exposing a majordom[o] group is less of a security 
risk than exposing daemon.

The bottom line is, if you are comfortable with your settings and the package
is working, let your security guys deal with the rest of it.  This area is
outside the realm of my expertise, but I am much more comfortable providing
the security a program wants rather than disabling it.

Dan Liston

> 
> Frank
> 
> At 01:46 AM 6/8/01 -0500, you wrote:
> >Hi,
> >
> >".d.z.a." wrote:
> >>
> >> hi there, thanks for all the help so far...i still have problems with two
> >> things...
> >>
> >> 1) Posting to my mailing list gives me an error
> >
> >This error is from sendmail.  Did you read the sendmail FAQ and search on
> >majordomo?  It is a very good "how-to" for setting up majordomo with sendmail.
> >You could also check the archives here and search on "Group writable directory".
> >This has been answered many times, or it would not be in the FAQ.  Yes, it is
> >in the majordomo FAQ too.  You need to chmod go-w on all the directories in the
> >tree leading to /usr/bin/majordomo-1.94.5/lists/.
> >
> >>
> >>    ----- Transcript of session follows -----
> >> 550 5.2.4 :include:/usr/bin/majordomo-1.94.5/lists/maptivist... Cannot open
> >> /usr/bin/majordomo-1.94.5/lists/maptivist: Group writable directory
> >>
> >> 2) Unsubscribing gives me an error as well...
> >
> >Look at (read) the sendmail FAQ regarding majordomo.  It says setting up
> >majordomo with a group of daemon is a bad idea.  Just as bad as setting it
> >up as group mail.  I think the fix for question #1 above will solve this too.
> >
> >>
> >> it seems that for some reason the mailing list files such as <list>.new is
> >> being created by id mail grpid mail and of course the wrapper etc. being
> >> group daemon only can't access anything written and owned by id mail group
> >> mail......?
> >>
> >> also to get majordomo working in the first place i had to add mail to group
> >> daemon ????
> >>
> >> i dunno??? anyone able to shed some light on this?
> >
> >


