praliases file permission check

From Marco Moock <mm@dorfdsl.de>
Newsgroups comp.mail.sendmail
Subject praliases file permission check
Date 2026-01-30 12:51 +0100
Organization A noiseless patient Spider
Message-ID <20260130125150.06f0bcd0@ryz.dorfdsl.de>


Hello!

I have a Debian unstable system to test.

I noticed that the praliases command only works if 
/etc/mail/aliases.db is globally readable.

-rw-r--r-- 1 smmta smmsp 2165 30. Jan 12:17 /etc/mail/aliases.db


I now used strace to track that down:

This is when it works (world readable):

root@deb-test:~# ls -la /etc/mail/aliases.db 
-rw-r--r-- 1 smmta smmsp 2165 30. Jan 12:17 /etc/mail/aliases.db
root@deb-test:~# strace praliases 2>&1 |grep alias
execve("/usr/sbin/praliases", ["praliases"], 0x7ffe430974f0 /* 11 vars */) = 0
newfstatat(AT_FDCWD, "/etc/mail/aliases.db", {st_mode=S_IFREG|0644, st_size=2165, ...}, 0) = 0
newfstatat(AT_FDCWD, "/etc/mail/aliases.db", {st_mode=S_IFREG|0644, st_size=2165, ...}, 0) = 0
openat(AT_FDCWD, "/etc/mail/aliases.db", O_RDONLY) = 4
openat(AT_FDCWD, "/etc/mail/aliases.db", O_RDONLY) = 5
root@deb-test:~# 

I've now used auditd to log the access:


----
time->Fri Jan 30 12:46:25 2026
type=PROCTITLE msg=audit(1769773585.832:436): proctitle="praliases"
type=PATH msg=audit(1769773585.832:436): item=0 name="/etc/mail/sendmail.cf" inode=784558 dev=fe:00 mode=0100644 ouid=0 ogid=104 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1769773585.832:436): cwd="/root"
type=SYSCALL msg=audit(1769773585.832:436): arch=c000003e syscall=257 success=yes exit=3 a0=ffffffffffffff9c a1=560e85b91e6a a2=0 a3=0 items=1 ppid=4200 pid=4203 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="praliases" exe="/usr/libexec/sendmail/praliases" subj=unconfined key="aliases"
----
time->Fri Jan 30 12:46:25 2026
type=PROCTITLE msg=audit(1769773585.836:437): proctitle="praliases"
type=PATH msg=audit(1769773585.836:437): item=0 name="/etc/mail/aliases.db" inode=783479 dev=fe:00 mode=0100644 ouid=101 ogid=104 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1769773585.836:437): cwd="/root"
type=SYSCALL msg=audit(1769773585.836:437): arch=c000003e syscall=257 success=yes exit=4 a0=ffffffffffffff9c a1=7fff4dacd100 a2=0 a3=0 items=1 ppid=4200 pid=4203 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="praliases" exe="/usr/libexec/sendmail/praliases" subj=unconfined key="aliases"
----
time->Fri Jan 30 12:46:25 2026
type=PROCTITLE msg=audit(1769773585.836:438): proctitle="praliases"
type=PATH msg=audit(1769773585.836:438): item=0 name="/etc/mail/aliases.db" inode=783479 dev=fe:00 mode=0100644 ouid=101 ogid=104 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1769773585.836:438): cwd="/root"
type=SYSCALL msg=audit(1769773585.836:438): arch=c000003e syscall=257 success=yes exit=5 a0=ffffffffffffff9c a1=7fff4dace1f0 a2=0 a3=0 items=1 ppid=4200 pid=4203 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="praliases" exe="/usr/libexec/sendmail/praliases" subj=unconfined key="aliases"

Which lets me assume the access is being done by root.

root@deb-test:~# strace praliases 2>&1 |grep alias
execve("/usr/sbin/praliases", ["praliases"], 0x7ffde3b673e0 /* 11 vars */) = 0
newfstatat(AT_FDCWD, "/etc/mail/aliases.db", {st_mode=S_IFREG|0640, st_size=2165, ...}, 0) = 0
newfstatat(AT_FDCWD, "/etc/mail/aliases.db", {st_mode=S_IFREG|0640, st_size=2165, ...}, 0) = 0
write(2, "praliases: /etc/mail/aliases: op"..., 54praliases: /etc/mail/aliases: open: Permission denied
root@deb-test:~# 

What is the reason for that?

Which permissions does it want (I prefer only readable by the
daemon's users) and why?


-- 
kind regards
Marco

Send spam to 1769770110muell@stinkedores.dorfdsl.de
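
Added example, not part of the original post: a small Python reader for the two strace excerpts above that reports whether the "Permission denied" came from a failed open syscall or was printed without any open being attempted, and which mode bit differs between the working and failing runs. The function names `classify` and `report` are made up for this example; the trace lines are copied from the post.

```python
import re
import stat

# Both excerpts are copied from the strace output in the post above.
TRACE_0644 = '''\
newfstatat(AT_FDCWD, "/etc/mail/aliases.db", {st_mode=S_IFREG|0644, st_size=2165, ...}, 0) = 0
newfstatat(AT_FDCWD, "/etc/mail/aliases.db", {st_mode=S_IFREG|0644, st_size=2165, ...}, 0) = 0
openat(AT_FDCWD, "/etc/mail/aliases.db", O_RDONLY) = 4
openat(AT_FDCWD, "/etc/mail/aliases.db", O_RDONLY) = 5
'''
TRACE_0640 = '''\
newfstatat(AT_FDCWD, "/etc/mail/aliases.db", {st_mode=S_IFREG|0640, st_size=2165, ...}, 0) = 0
newfstatat(AT_FDCWD, "/etc/mail/aliases.db", {st_mode=S_IFREG|0640, st_size=2165, ...}, 0) = 0
write(2, "praliases: /etc/mail/aliases: op"..., 54praliases: /etc/mail/aliases: open: Permission denied
'''

STAT_RE = re.compile(r'^newfstatat\(\w+, "([^"]+)", \{st_mode=\w+\|(0[0-7]+)')
OPEN_RE = re.compile(r'^openat\(\w+, "([^"]+)", [^)]*\)\s+=\s+(-?\d+)(?:\s+(E\w+))?')


def classify(trace, path):
    """Return (mode, verdict) for `path` as seen in one strace excerpt."""
    mode, opens = None, []
    for line in trace.splitlines():
        if (m := STAT_RE.match(line)) and m.group(1) == path:
            mode = int(m.group(2), 8)            # octal permission bits from stat
        elif (m := OPEN_RE.match(line)) and m.group(1) == path:
            opens.append((int(m.group(2)), m.group(3)))
    if any(fd >= 0 for fd, _ in opens):
        verdict = "opened"
    elif any(err == "EACCES" for _, err in opens):
        verdict = "denied by kernel"             # the open syscall itself failed
    elif mode is not None and "Permission denied" in trace:
        verdict = "denied before open"           # message printed, no open seen
    else:
        verdict = "unknown"
    return mode, verdict


def report(path="/etc/mail/aliases.db"):
    ok_mode, ok = classify(TRACE_0644, path)
    bad_mode, bad = classify(TRACE_0640, path)
    changed = ok_mode ^ bad_mode                 # permission bits that differ
    return ok, bad, changed == stat.S_IROTH


if __name__ == "__main__":
    print(report())
```

The traces in the post were filtered with `grep alias` and taken without `-f`, so the result only covers syscalls of the traced process whose arguments mention the path.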
