[CentOS] setuid or other ideas

Tue Oct 15 16:54:09 UTC 2013
Gregory P. Ennis <PoMec at PoMec.net>

On 10/14/2013 02:31 PM, Gregory P. Ennis wrote:
> Everyone,
>
> I am working on a CentOS 5.9 system.  I have a need to be able to
> activate a piece of software from /etc/smrsh that is activated when
> sendmail delivers the e-mail to this piece of software.  I would like
> this piece of software to take on user and group identities that are
> different from 'mail', which is what happens now.  I want to use a user
> and group that is not root, so that the piece of software will be able
> to write (concatenate) to a file.
>
> I have never used setuid, but it appears that this will only allow a
> piece of software to be set to root.  I really do not want to give that
> kind of privilege to this piece of software.
>
> Any ideas?

I've done lots of operations from /etc/smrsh under sendmail. I can't say 
I've ever used setuid for this type of work; it may well suffice. Now in 
my case with sendmail, the scripts run as the user receiving the email 
locally, so I don't need to do any of the below. I simply define the 
account that I want to run the script as the recipient of the message 
and it's all done.

I'd suggest running sudo with an entry in /etc/sudoers. You want to 
be paranoid around any publicly visible service like email, but an entry 
like this might work in /etc/sudoers:

mail    ALL=(user2) NOPASSWD: /usr/local/script.to.run.sh
Defaults:mail !requiretty

Again, I'm not sure why you are seeing this run as the "mail" user 
unless that is the name of the local account; sendmail runs these kinds 
of scripts as the user receiving the messages. In which case, if my user 
was "taxinfo", it would look like

taxinfo    ALL=(user2) NOPASSWD: /usr/local/script.to.run.sh
Defaults:taxinfo !requiretty

Note that the last line (Defaults...) is probably needed because 
there's not an actual terminal involved when processing a background 
script. Try without and see if it works. Then, in /etc/smrsh/received.sh 
you have

#! /bin/sh
# Wrapper that smrsh is allowed to run; all it does is hand off to sudo.
/usr/bin/sudo -u taxinfo /usr/local/script.to.run.sh


And in your .forward file: (don't forget to chmod 600 this file)
| /etc/smrsh/received.sh

Good luck!
-----------------------------------------------------------------------

Ben,

I was using an e-mail alias that did not have a user account, which
becomes the 'mail' account when any data is stored or accessed by a
piece of software that is activated in /etc/smrsh.  However, I really
like your suggestion.  I should have thought about creating a user
account and then aliasing the e-mail to that account.  I will not have
the opportunity to play with this idea until the weekend; thank you very
much!

Greg
_______________________________________________
CentOS mailing list
CentOS at centos.org
http://lists.centos.org/mailman/listinfo/centos
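Ben's sudoers rule, smrsh wrapper and .forward line get the message to the right account; the part the thread leaves unwritten is /usr/local/script.to.run.sh itself, the program that actually appends each mail to a file. The script below is an added example, not code from the thread or from sendmail. It assumes the wrapper passes it the log path and the account name it should be running as (for instance `sudo -u taxinfo /usr/local/script.to.run.sh /var/spool/taxinfo/mail-log.txt taxinfo`), and the 1 MiB size cap, the `From smrsh at <time>` separator line and the mkdir-based lock are all choices made for this example. The account check is the practitioner's safety net: if the sudoers rule is wrong and the script ends up running as root or as mail, it refuses to touch the file instead of silently writing as the wrong identity.

```shell
#!/bin/sh
# Added example, not code from the thread: the program that the smrsh
# wrapper hands the message to, running as the dedicated unprivileged
# account. Assumed invocation from the wrapper (not in the thread):
#   /usr/bin/sudo -u taxinfo /usr/local/script.to.run.sh /var/spool/taxinfo/mail-log.txt taxinfo
# It appends the message read on stdin to the file named in $1, after
# checking that it really runs as the account named in $2 (catches a bad
# sudoers rule that left it as root or as mail), capping the size so one
# large mail cannot fill the spool, and holding a lock so two concurrent
# deliveries cannot interleave their output.

MAXBYTES=1048576   # assumption for this example: drop messages over 1 MiB

# append_message TARGET EXPECTED_USER
#   returns 0 appended, 1 wrong account, 2 message too large,
#           3 lock timeout, 4 could not create the temporary spool file
append_message() {
    target=$1
    expected=$2
    lockdir="${target}.lock"

    # Refuse to do anything unless we are the account the alias maps to.
    if [ "$(id -un)" != "$expected" ]; then
        echo "append_message: running as $(id -un), expected $expected" >&2
        return 1
    fi

    umask 077   # the log and the temp file are private to this account

    # Spool stdin first so the lock is held only for the final copy and a
    # truncated delivery never leaves half a record in the log.
    tmp=$(mktemp "${target}.XXXXXX") || return 4
    head -c "$((MAXBYTES + 1))" > "$tmp"
    size=$(wc -c < "$tmp" | tr -d ' ')
    if [ "$size" -gt "$MAXBYTES" ]; then
        rm -f "$tmp"
        echo "append_message: message over $MAXBYTES bytes, dropped" >&2
        return 2
    fi

    # mkdir is atomic on POSIX filesystems, so it serves as a lock without
    # depending on flock(1) being installed.
    tries=0
    until mkdir "$lockdir" 2>/dev/null; do
        tries=$((tries + 1))
        if [ "$tries" -ge 30 ]; then
            rm -f "$tmp"
            echo "append_message: could not take $lockdir" >&2
            return 3
        fi
        sleep 1
    done
    printf 'From smrsh at %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$target"
    cat "$tmp" >> "$target"
    printf '\n' >> "$target"
    rm -f "$tmp"
    rmdir "$lockdir"
    return 0
}

# With arguments, behave as the delivery script; with none, only define
# the function so it can be sourced and exercised from a test.
if [ $# -ge 2 ]; then
    append_message "$1" "$2"
fi
```

Because sudo is only allowed to run this one script and the script only ever appends to the one file it is given, a sender who reaches the alias gains nothing beyond adding a record to that file; the size cap and the account check bound what even that can do.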