A Useful Table

Table 10-1 shows recommended permissions and ownerships.

Recommended Permissions

Table 10-1 shows the recommended ownerships and permissions for all the files and directories in the sendmail system. The path components will vary depending on the vendor version of sendmail you are running. For example, while we might show the /usr/sbin/sendmail path, your site might use /usr/lib/sendmail, or even /usr/lib/mail/sendmail.

In the “Owner” column of Table 10-1, the owner is indicated with a root, a T, an R, or some combination thereof. A T means the owner can be the user listed with the TrustedUser option (24.9.112[3ed]). An R means the owner must be the one specified by the RunAsUser option (24.9.94[3ed]) if that option was specified. We show :group when the group is important.

Table 10-1. Recommended permissions for V8.12 and above

| Path | Type | Owner | Octal mode | ls(1) mode |
|---|---|---|---|---|
| / | Directory | root | 0755 | drwxr-xr-x |
| /usr | Directory | root | 0755 | drwxr-xr-x |
| /usr/sbin[a] | Directory | root | 0755 | drwxr-xr-x |
| /usr/sbin/sendmail | File | root:smmsp | 2555 | -r-xr-sr-x [b] |
| /etc | Directory | root | 0755 | drwxr-xr-x |
| /etc/mail | Directory | root,T | 0755 | drwxr-xr-x |
| /etc/mail/sendmail.cf | File | root,T | 0644 or 0640 | -rw-r--r-- |
| /etc/mail/statistics | File | root,T,R | 0600 | -rw------- |
| /etc/mail/helpfile | File | root,T | 0444 | -r--r--r-- |
| /etc/mail/aliases | File | root,T | 0640 | -rw-r----- |
| /etc/mail/aliases.pag | File | root,T,R | 0640 | -rw-r----- |
| /etc/mail/aliases.dir | File | root,T,R | 0640 | -rw-r----- |
| /etc/mail/aliases.db | File | root,T,R | 0640 | -rw-r----- |
| F/path[c] | Directory | root,T | 0755 | drwxr-xr-x |
| /var | Directory | root | 0755 | drwxr-xr-x |
| /var/spool | Directory | root | 0755 | drwxr-xr-x |
| /var/spool/mqueue | Directory | root,R | 0700[d] | drwx------ |
| /var/spool/clientmqueue | Directory | smmsp:smmsp | 0770 | drwxrwx--- |
| :include:/path | Directories | root | 0755 | drwxr-xr-x |
| :include:/path/list | File | n/a | 0644 | -rw-r--r-- |

[a] The sendmail program sometimes lives in /usr/lib or in some other directory. If so, adjust this path accordingly.

[b] As of V8.12, sendmail is no longer set-user-id root, but is instead set-group-id smmsp or the like, and sendmail is only root when it is run by root. On some systems, older versions of sendmail might need to be set-group-id kmem for the load average to be checked.

[c] The F configuration command reads a class from a file.

[d] CERT (Computing Emergency Response Team) and the sendmail document doc/op/op.me recommend that the queue directories be mode 0700 to prevent potential security breaches.
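
The following audit is an added example, not code from the book or from the sendmail distribution. It checks a host against a few rows of Table 10-1, using the table's root, T, and R owner notation. The `trusted` and `run_as` parameters are assumptions standing for the site's TrustedUser and RunAsUser values, and `root` lets the check run against a mounted image or a test tree.

```python
import grp, os, pwd, stat

# Rows copied from Table 10-1; owner cells keep its root / T / R notation.
TABLE = [
    ("/usr/sbin/sendmail", "File", "root:smmsp", {0o2555}),
    ("/etc/mail/sendmail.cf", "File", "root,T", {0o644, 0o640}),
    ("/etc/mail/statistics", "File", "root,T,R", {0o600}),
    ("/var/spool/mqueue", "Directory", "root,R", {0o700}),
    ("/var/spool/clientmqueue", "Directory", "smmsp:smmsp", {0o770}),
]

def name_of(lookup, ident):
    """Resolve a uid/gid to a name; fall back to the number if unmapped."""
    try:
        return lookup(ident)[0]
    except KeyError:
        return str(ident)

def allowed_owners(spec, trusted=None, run_as=None):
    """Expand an Owner cell into (allowed user names, required group or None)."""
    users, _, group = spec.partition(":")
    tokens = users.split(",")
    if "R" in tokens and run_as:   # R: must be RunAsUser when that option is set
        return {run_as}, group or None
    names = {t for t in tokens if t not in ("T", "R")}
    if "T" in tokens and trusted:  # T: the TrustedUser may own it as well
        names.add(trusted)
    return names, group or None

def audit(table=TABLE, root="/", trusted=None, run_as=None):
    """Return (path, problem) pairs for every deviation from the table."""
    findings = []
    for path, kind, spec, modes in table:
        try:  # lstat: report on a symlink itself, never on its target
            st = os.lstat(os.path.join(root, path.lstrip("/")))
        except FileNotFoundError:
            findings.append((path, "missing"))
            continue
        is_kind = stat.S_ISDIR if kind == "Directory" else stat.S_ISREG
        if not is_kind(st.st_mode):
            findings.append((path, "not a " + kind.lower()))
        if stat.S_IMODE(st.st_mode) not in modes:
            findings.append((path, "mode %04o" % stat.S_IMODE(st.st_mode)))
        users, group = allowed_owners(spec, trusted, run_as)
        if name_of(pwd.getpwuid, st.st_uid) not in users:
            findings.append((path, "owner"))
        if group and name_of(grp.getgrgid, st.st_gid) != group:
            findings.append((path, "group"))
    return findings
```

Because the mode comparison includes the set-user-id, set-group-id, and sticky bits, a sendmail binary that is still set-user-id root is reported as a mode deviation rather than passing on its lower nine bits.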
