1. Forum
  2. Usenet
  3. COMP.MAIL.SENDMAIL

  • key / crt permissions constantly

    From none@21:1/5 to All on Mon Jul 29 12:55:00 2024
    I don't really get why I am confronted with sendmail thinking it knows
    better how I should put permissions on my key and crt files.

    Why do I even get this error, while the permissions are just fine

    file /home/acme/test.cer unsafe: Permission denied

    -rw-r-----+ 1 acme acme 1972 Jul 29 00:10 test.cer
    and
    -rw-r--r--+ 1 acme acme 1972 Jul 29 00:10 test.cer
    and
    -rw-r--r--+ 1 acme root 1972 Jul 29 00:10 test.cer

    Besides that, who cares about certs, these are even distributed unsecurly.

    How can I turn of any permissions checks on key/crt files

    (I already have this
    define(`confDONT_BLAME_SENDMAIL', `groupreadablekeyfile')dnl )

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Marco Moock@21:1/5 to All on Mon Jul 29 14:10:35 2024
    On 29.07.2024 um 12:55 Uhr none wrote:

    I don't really get why I am confronted with sendmail thinking it
    knows better how I should put permissions on my key and crt files.

    Sometimes users have default permissions of o+r, which means other
    users on the system can read the stuff. For key files, this is really,
    really bad, so sendmail warns you.

    What is the message you receive in your case here?
    Doesn't the confDONT_BLAME_SENDMAIL stop emitting that error?

    --
    kind regards
    Marco

    Send spam to [email protected]

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From none@21:1/5 to All on Mon Jul 29 15:28:07 2024

    I don't really get why I am confronted with sendmail thinking it
    knows better how I should put permissions on my key and crt files.

    Sometimes users have default permissions of o+r, which means other
    users on the system can read the stuff. For key files, this is really,
    really bad, so sendmail warns you.

    What is the message you receive in your case here?
    Doesn't the confDONT_BLAME_SENDMAIL stop emitting that error?


    If I search on this, I only find this argument are there more options I
    can give it? I assume from this option name that it is only related to
    key files.
    define(`confDONT_BLAME_SENDMAIL', `groupreadablekeyfile')dnl

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From HQuest@21:1/5 to Marco Moock on Mon Jul 29 15:26:21 2024
    On Mon, 29 Jul 2024 12:10:35 +0000, Marco Moock wrote:

    Sometimes users have default permissions of o+r, which means other
    users on the system can read the stuff. For key files, this is really,
    really bad, so sendmail warns you.

    Might be bad but this is also a problem when you have multiple daemons
    running under different users/groups and they share one single
    certificate and key, hence the reason for a o+r file. Sure, one can copy
    those files everywhere on the filesystem and set up their permissions to
    fit the application, but is this copy everywhere really the best
    alternative?

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Marco Moock@21:1/5 to All on Mon Jul 29 17:31:09 2024
    On 29.07.2024 um 15:28 Uhr none wrote:

    If I search on this, I only find this argument are there more options
    I can give it? I assume from this option name that it is only related
    to key files.
    define(`confDONT_BLAME_SENDMAIL', `groupreadablekeyfile')dnl

    define(`confDONT_BLAME_SENDMAIL', `GroupReadableKeyFile')

    Dunno if that is case-sensitive, maybe check that.

    --
    kind regards
    Marco

    Send spam to [email protected]

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Claus =?iso-8859-1?Q?A=DFmann?= @21:1/5 to Marco Moock on Mon Jul 29 12:37:42 2024
    Marco Moock wrote:

    define(`confDONT_BLAME_SENDMAIL', `GroupReadableKeyFile')

    Dunno if that is case-sensitive, maybe check that.

    (currently) it's not (grep GroupReadableKeyFile *.[ch] won't
    even find a match in the source code).

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From none@21:1/5 to All on Mon Jul 29 19:58:59 2024
    :

    I don't really get why I am confronted with sendmail thinking it
    knows better how I should put permissions on my key and crt files.

    Sometimes users have default permissions of o+r, which means other
    users on the system can read the stuff. For key files, this is really,
    really bad, so sendmail warns you.


    Currently it is about the cert, which everyone can download remotely.

    If it was a warning I would not care, currently it stops using tls/ssl
    (a bit older sendmail instance, still need to update this distro)

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Claus =?iso-8859-1?Q?A=DFmann?= @21:1/5 to none on Mon Jul 29 13:51:22 2024
    none wrote:

    -rw-r--r--+ 1 acme root 1972 Jul 29 00:10 test.cer

    Do you use that file as
    KeyFile
    File containing the private key for the certificate.

    Besides that, who cares about certs, these are even distributed unsecurly.

    The error isn't about a cert, it's about "the private key".

    (I already have this
    define(`confDONT_BLAME_SENDMAIL', `groupreadablekeyfile')dnl )

    A "private key" shouldn't be readable by everyone.

    If you need to "share" a private key between instances,
    use group permissions.


    --
    Note: please read the netiquette before posting. I will almost never
    reply to top-postings which include a full copy of the previous
    article(s) at the end because it's annoying, shows that the poster
    is too lazy to trim his article, and it's wasting the time of all readers.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From none@21:1/5 to All on Mon Jul 29 21:29:17 2024

    -rw-r--r--+ 1 acme root 1972 Jul 29 00:10 test.cer

    Do you use that file as
    KeyFile
    File containing the private key for the certificate.

    No is also the certificate (unless that changed in recent versions)

    Besides that, who cares about certs, these are even distributed unsecurly.

    The error isn't about a cert, it's about "the private key".

    No because I was only changing permissions on the cert (unless it is
    changed in newer distros) But I think I saw this behaviour also on
    newer. Basically I can imagine maybe giving a warning on the key being
    o+r but that also depends on parent dirs.
    I also don't get why the owner needs to be root.

    (I already have this
    define(`confDONT_BLAME_SENDMAIL', `groupreadablekeyfile')dnl )

    A "private key" shouldn't be readable by everyone.

    My private key and cert are separate files.

    If you need to "share" a private key between instances,
    use group permissions.


    Sendmail is reading keys/certs as root not? Before it drops privileges.

    Anyway I prefer to see something where it is guaranteed that key and
    cert are loaded and used no matter what. I don't think it is any
    applications business to force how permissions are set on key/crt files.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Claus =?iso-8859-1?Q?A=DFmann?= @21:1/5 to none on Tue Jul 30 03:12:36 2024
    none wrote:

    No is also the certificate (unless that changed in recent versions)

    It's time to get some real information...
    What are the settings in your .cf file?

    egrep -i '^O *[^ ]*(Cert|Key)File' /etc/mail/*cf

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From none@21:1/5 to All on Wed Jul 31 22:47:21 2024
    egrep -i '^O *[^ ]*(Cert|Key)File'/etc/mail/*cf

    /etc/mail/sendmail.cf:O DontBlameSendmail=groupreadablekeyfile /etc/mail/sendmail.cf:O CACertFile=/etc/pki/tls/certs/ca-bundle.crt /etc/mail/sendmail.cf:O ServerCertFile=/home/acme/......cer /etc/mail/sendmail.cf:O ServerKeyFile=/home/acme/.......key

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Claus =?iso-8859-1?Q?A=DFmann?= @21:1/5 to none on Thu Aug 1 02:31:14 2024
    none wrote:

    file /home/acme/test.cer unsafe: Permission denied

    Which command triggers this error?
    Please show the full command and the full logfile entry.
    What are the permission/owner/group of the involved directories
    ( / /home /home/acme )?

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From none@21:1/5 to All on Thu Aug 1 11:32:39 2024
    file /home/acme/test.cer unsafe: Permission denied

    Which command triggers this error?
    Please show the full command and the full logfile entry.
    What are the permission/owner/group of the involved directories
    ( / /home /home/acme )?

    I think I should do this again with an el9 version, I don't want to
    waste anyone's time on details with something old.

    I was more thinking about a general topic where users can just turn
    these checks of and have sendmail just trust the groups / acls that it
    has been given.
    I don't think I have seen these checks with eg apache. This is more like
    a design question, wether or not this is the responsibility of the
    application or user.
    Even if you have o+w files, if they are in a parent folder with o-rwx it
    does not really matter.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)