Re: [vps-mail] On the subject of permissions, mail & SA
- From: Scott Wiersdorf <scottw@xxxxxxxxxxxx>
- Date: Mon, 5 Apr 2004 17:25:45 -0600
On Mon, Apr 05, 2004 at 03:55:06PM -0700, Abigail Marshall wrote:
> SW> The essence of the bug is that if you're going to do
> SW> centralized logging (e.g., /var/log/procmail.log), you
> SW> shouldn't DROPPRIVS. Doing what Abigail has done with
> SW> spamc (adding "-u nobody" to the command-line) will work
> SW> around this; it will run spamc with lower privileges
> SW> while still letting you write to a centralized log file.
>
> CLARIFICATION: sa automatically runs itself as "nobody" so
> you don't have to change the command line. What you DO have
> to do is add "nobody" as a privileged group to the directory
> where you store the common files (like Bayes):
>
> i.e.:
>
> % chgrp nobody /path/to/bayes/directory
>
> It is important that the x bit be set on the directory
> user/group privileges:
>
> rwxrwx--- or 770

Another clarification:

The original question was about procmail logs (not SA files), which
when invoked from the global procmailrc file are run either as root
(before DROPPRIVS=yes) or as the recipient user (after DROPPRIVS=yes).

Even if you're invoking sa with the "-u nobody" flag (yes I know it
does this in the absence of anything else if procmail is still running
as root, but making it explicit prevents future SA changes from
ruining your system and makes it obvious what's going on), procmail
is still running as root (which solves the original question of how
to write to a root-owned log file).

Scott
--
Scott Wiersdorf
scottw@xxxxxxxxxxxx
======================================================================
This is <vps-mail@xxxxxxxxxxxx> <http://www.perlcode.org/lists/>
Before posting a question, please search the archives (see above URL).
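
The two permission requirements discussed in this thread (a Bayes directory shared with group "nobody" at mode 770, and a central log that only a still-root procmail can write) can be audited with a short script. This is an added example, not part of the original messages; the function names are hypothetical and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical; needs GNU stat.

# mode4 PATH: permission bits as four octal digits (770 -> 0770, 2770 -> 2770).
mode4() {
    m=$(stat -c %a "$1") || return 2
    printf '%04o\n' "0$m"
}

# check_shared_dir DIR GROUP: pass only if DIR belongs to GROUP with the
# rwxrwx--- (770) layout quoted in the thread for the shared Bayes directory.
check_shared_dir() {
    [ -d "$1" ] || { echo "FAIL $1: not a directory" >&2; return 2; }
    grp=$(stat -c %G "$1") || return 2
    mode=$(mode4 "$1") || return 2
    perms=${mode#?}                      # drop the setuid/setgid/sticky digit
    if [ "$grp" != "$2" ]; then
        echo "FAIL $1: group is $grp, expected $2" >&2; return 1
    fi
    if [ "$perms" != 770 ]; then
        echo "FAIL $1: mode is $perms, expected 770" >&2; return 1
    fi
    echo "OK $1: group $grp, mode $perms"
}

# check_central_log FILE: pass only if no group/other write bit is set, so a
# root-owned log can be appended to only by a procmail still running as root.
check_central_log() {
    [ -f "$1" ] || { echo "FAIL $1: not a regular file" >&2; return 2; }
    owner=$(stat -c %U "$1") || return 2
    mode=$(mode4 "$1") || return 2
    gbits=${mode#??}; gbits=${gbits%?}   # third digit: group
    obits=${mode#???}                    # fourth digit: other
    # The write permission is the value 2 inside each octal digit.
    if [ $((gbits & 2)) -ne 0 ] || [ $((obits & 2)) -ne 0 ]; then
        echo "FAIL $1: writable beyond owner $owner (mode $mode)" >&2; return 1
    fi
    echo "OK $1: owner $owner, mode $mode"
}

# Run directly as: sh audit.sh /path/to/bayes/directory /var/log/procmail.log
if [ "$#" -eq 2 ]; then
    check_shared_dir "$1" nobody && check_central_log "$2"
fi
```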