On 17 Jan 1996 I wrote:
>Hi,
>I am new to sendmail and have setup an NFS mounted mail directory:
>/var/spool/mail/.... shared between a number of Dec Alpha workstations NFS
>mounting the directory so anyone on any machine can get to their mail. The
>only problem I am having is for any mail sent to root, where I get a
>protection problem when mail tries to open the root mail file. I have found
>that if I set the root files chmod to o+rw it works but it is not secure. I
>think that the mail deamon on the mail source machine which has root
>ownership cannot open the root mail file on the NFS exporting machine. Can
>another suggest a method of correcting the protection of the file or maybe
a
>better way to do what I am doing.
Thanks fo all who responded as follows:
*** Solution chosen from all the advise:
In /etc/exports file on mail directory server machine add line:
/var/spool/mail -root=0,nosuid,nodev <nodenames of clients separated by
spaces>
Summary of respones follow:
----------------------------------------------------------------------------
-----------------------------------------------
You need to export /var/spool/mail with -root=0 which basically allows
root on other machines to access files owned by root on the NFS
server. This can be a security hole and you should make sure that you
export /var/spool/mail with nosuid, nodev to restrict the possible
security violations. Normally root on clients is mapped to user nobody
on the server (uid = -1).
Ciao,
Arrigo
--
Arrigo Triulzi <arrigo_at_lpac.ac.uk> - +44-171-775-3247
London Parallel Applications Centre - London E1 4NS - UK
----------------------------------------------------------------------------
-----------------------------------------------
does /usr/sbin/sendmail has s bit ? if not, set it and re run it.
murat.
*** files protection bits had s bit set already. Thanks.
Murat Balci UNIX sys. Admin
s-mail : Ege Universitesi B.A.U.M - Bornova, IZMIR, TURKIYE.
e-mail : balci_at_bornova.ege.edu.tr Phone :+(90)(232)3881080-253
----------------------------------------------------------------------------
-----------------------------------------------
As far as I know, on NFS mounted directories, the root on the NFS client
machine does not have the same root rights as the root on NFS server
machine. You have to define this in the exports file on NFS server so that
root on NFS client machine has the same rights with the root on NFS server
machine.
Hope this helps.. -SNK
*
* Suleyman Nazif Kutlu
* Internetwork Administrator
* Ege University Network Administration Group
* Izmir, TURKEY
* E-Mail: Suleyman.Nazif.Kutlu_at_ege.edu.tr
----------------------------------------------------------------------------
-----------------------------------------------
We only allow mail delivery by the machine to which the spool directory
is local. That, of course, solves the problem. It also solves some
timing problems with delivery which exist if more than one machine is
delivering mail into a single spool area. I believe that this is a
recommended configuration.
Sheila Hollenbaugh
----------------------------------------------------------------------------
-----------------------------------------------
You should study the sendmail FAQ and related material. Your problem is
that you don't export /var/spool/mail with -root=0 (in /etc/exports), so
local
roots get mapped to nobody. However, as you'll see from the FAQ, it's a
generally bad idea to nfs-mount /var/spool/mail -- try POP or IMAP instead.
Simon Tardell, voice +46 8 162688 fax +46 8 347817
Fysikum, Stockholms universitet simon_at_physto.se, tardell_at_particle.kth.se
----------------------------------------------------------------------------
-----------------------------------------------
Check out the exports man page. You have to export with the 'root=0'
options,
otherwise root on a remote machine is treated as nobody.
Gyula
----------------------------------------------------------------------------
-----------------------------------------------
root usually does not have access as root on an NFS mounted partition unless
the system exporting the partition explicitly says root has access as root
(it's usually done as "nobody").
Mike Iglesias
----------------------------------------------------------------------------
-----------------------------------------------
Either export the directory with root access (see the man pages), or,
better yet, make an alias on each machine from root to a real person
(the manager).
-Phil Farrell, Computer Systems Manager
Stanford University School of Earth Sciences
farrell_at_pangea.stanford.edu
----------------------------------------------------------------------------
-----------------------------------------------
Root is a special case with NFS. Unless you explicitely specify root access
to a client, any uid 0 calls (root) will be treated as 'nobody' (uid -2).
So
while uid 0 owns the file, uid -2 is trying to write to it.
If you need root to be able to receive mail on all machines, you have to
state root access in the /etc/exports file.
Mike Matthews, Mike_Matthews_at_sgate.com (NeXTmail accepted)
----------------------------------------------------------------------------
-----------------------------------------------
Thanks to all who responded.
Regards,
Phil Pidgeon
ppidgeon_at_omc.otis.utc.com
Received on Fri Jan 19 1996 - 06:33:39 NZDT