Re: praliases file permission check

From Marco Moock <mm@dorfdsl.de>
Newsgroups comp.mail.sendmail
Subject Re: praliases file permission check
Date 2026-01-30 20:53 +0100
Organization A noiseless patient Spider
Message-ID <20260130205331.0b8b1ae5@ryz.dorfdsl.de>
References <20260130125150.06f0bcd0@ryz.dorfdsl.de> <87343mj4j8.fsf@atr2.ath.cx>


On 30.01.2026 14:15 jayjwa wrote:

> Marco Moock <mm@dorfdsl.de> writes:
> 
> > I noticed that the praliases command only works if 
> > /etc/mail/aliases.db is globally readable.  
> On Slackware, all my .db are root-only, but some of the files that
> make them are world readable. Sendmail is using the .db files. 

That is interesting. Can you show the ls -la of the files?

What happens if you remove the world readability?
IIRC sendmail can use text-only files without the DBs, can you check
with strace if it falls back to this?

> > -rw-r--r-- 1 smmta smmsp 2165 30. Jan 12:17 /etc/mail/aliases.db  
> ls -l /etc/mail/{aliases,*.db}
> -rw-r----- 1 root root 12288 Nov 15  2024 /etc/mail/access.db
> -rw-r--r-- 1 root root   800 Oct 17  2023 /etc/mail/aliases
> -rw-r----- 1 root root 12288 Oct 17  2023 /etc/mail/aliases.db
> -rw-r----- 1 root root 12288 Mar 19  2022 /etc/mail/authinfo.db
> -rw-r----- 1 root root 12288 Apr 14  2022 /etc/mail/domaintable.db
> -rw-r----- 1 root root 12288 Apr 25  2024 /etc/mail/mailertable.db
> -rw-r----- 1 root root 12288 Apr 25  2024 /etc/mail/uudomain.db
> -rw-r----- 1 root root 12288 Jan  9  2018 /etc/mail/virtusertable.db
> 
> > exe="/usr/libexec/sendmail/praliases" subj=unconfined key="aliases"
> >  
> Sendmail in libexec? Debian sure does it weird.
> 
> > type=SYSCALL msg=audit(1769773585.836:438): arch=c000003e
> > syscall=257 success=yes exit=5 a0=ffffffffffffff9c a1=7fff4dace1f0
> > a2=0 a3=0 items=1 ppid=4200 pid=4203 auid=1000 uid=0 gid=0 euid=0
> > suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="praliases"
> > exe="/usr/libexec/sendmail/praliases" subj=unconfined key="aliases"
> >
> > Which lets me assume the access is being done by root.
> >
> > root@deb-test:~# strace praliases 2>&1 |grep alias
> > execve("/usr/sbin/praliases", ["praliases"], 0x7ffde3b673e0 /* 11 vars */) = 0
> > newfstatat(AT_FDCWD, "/etc/mail/aliases.db", {st_mode=S_IFREG|0640, st_size=2165, ...}, 0) = 0
> > newfstatat(AT_FDCWD, "/etc/mail/aliases.db", {st_mode=S_IFREG|0640, st_size=2165, ...}, 0) = 0
> > write(2, "praliases: /etc/mail/aliases: op"..., 54praliases: /etc/mail/aliases: open: Permission denied
> > root@deb-test:~#
> >
> > What is the reason for that?  
> Is your praliases setuid/setgid to something? My user can't
> "praliases" but root can. 

m@deb-test:~$ ls -la /usr/libexec/sendmail/praliases
-rwxr-xr-x 1 root root 99600 26. Okt 02:00 /usr/libexec/sendmail/praliases
m@deb-test:~$ type /usr/libexec/sendmail/praliases
/usr/libexec/sendmail/praliases ist /usr/libexec/sendmail/praliases
m@deb-test:~$ file /usr/libexec/sendmail/praliases
/usr/libexec/sendmail/praliases: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=affe96eda415a14edfb53fde6eb52a4ece2f9473, for GNU/Linux 3.2.0, stripped
m@deb-test:~$ 

-- 
kind regards
Marco

Send spam to 1769778923muell@stinkedores.dorfdsl.de
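
The audit SYSCALL record quoted in this post, decoded field by field, as an added example that is not part of the original post. It assumes the record is joined onto one line and uses the x86-64 syscall numbering (257 is `openat`); the function and constant names are illustrative.

```python
import re

# Constructed sample: the SYSCALL record quoted in the post, joined onto one line.
RECORD = ('type=SYSCALL msg=audit(1769773585.836:438): arch=c000003e syscall=257 '
          'success=yes exit=5 a0=ffffffffffffff9c a1=7fff4dace1f0 a2=0 a3=0 items=1 '
          'ppid=4200 pid=4203 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 '
          'sgid=0 fsgid=0 tty=pts1 ses=1 comm="praliases" '
          'exe="/usr/libexec/sendmail/praliases" subj=unconfined key="aliases"')

AUDIT_ARCH_X86_64 = 0xC000003E
X86_64_SYSCALLS = {2: "open", 257: "openat"}   # only the open family is mapped here
AT_FDCWD = -100
ACCMODE = {0: "O_RDONLY", 1: "O_WRONLY", 2: "O_RDWR"}


def parse_fields(record):
    """Split an audit record into a dict of key -> value (quotes stripped)."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', record)}


def signed64(hexval):
    """Audit prints syscall arguments as unsigned hex; recover the signed value."""
    n = int(hexval, 16)
    return n - (1 << 64) if n >= (1 << 63) else n


def decode_open(record):
    """Summarise who issued an open-family syscall and how it ended."""
    f = parse_fields(record)
    if int(f["arch"], 16) != AUDIT_ARCH_X86_64:
        raise ValueError("the syscall table above only covers x86-64")
    name = X86_64_SYSCALLS.get(int(f["syscall"]), "syscall#" + f["syscall"])
    # auid is the login uid; fsuid is the id the kernel uses for file permission checks.
    out = {"syscall": name, "comm": f["comm"], "key": f["key"],
           "auid": int(f["auid"]), "uid": int(f["uid"]), "euid": int(f["euid"]),
           "fsuid": int(f["fsuid"]), "succeeded": f["success"] == "yes"}
    if name == "openat":
        dirfd = signed64(f["a0"])                       # a0 = dirfd
        out["dirfd"] = "AT_FDCWD" if dirfd == AT_FDCWD else dirfd
        out["access"] = ACCMODE.get(int(f["a2"], 16) & 3, "?")  # a2 = open flags
        # On success the exit value is the new file descriptor.
        out["fd"] = int(f["exit"]) if out["succeeded"] else None
    return out


if __name__ == "__main__":
    for key, value in decode_open(RECORD).items():
        print(f"{key:10} {value}")
```

The record does not carry the path itself (`a1` is only a pointer); the file name is in the accompanying PATH record, which `items=1` counts.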
