1. Home
  2. Server Administration
  3. Sendmail

'-d44.4'' ''''

-d44.4
Trace safefile( ) Debug command-line switch

The V8 sendmail program tries to be extra careful about file permissions, and the key to checking them is the internal safefile( ) function. The -d44.4 debugging switch[4] prints the parameters passed to the safefile( ) function:

[4] There is no -d44.1 debugging information.

safefile(fname, uid=user-id, gid=group -id, flags=sff_flags, mode=wantmode)

Here, the file named fname is being checked to determine whether the user identified by the user-id, with the group group-id, is allowed to find or use the file. The range of checking is determined by the hexadecimal sff_flags, described in Table 16-12. Where a file's permissions are required, the mode printed in wantmode will be used.

Table 16-12. safefile( ) access flags

Mnemonic

Hex flag

Description

SFF_ANYFILE

0x00000000

No special restrictions

SFF_MUSTOWN

0x00000001

User must own this file

SFF_NOSLINK

0x00000002

File cannot be a symbolic link

SFF_ROOTOK

0x00000004

OK for root to own this file

SFF_RUNASREALUID

0x00000008

If no controlling user, run as real user-id

SFF_NOPATHCHECK

0x00000010

Don't bother checking directory path

SFF_SETUIDOK

0x00000020

Set-user-id files are OK

SFF_CREAT

0x00000040

OK to create file if necessary

SFF_REGONLY

0x00000080

Regular files only

SFF_SAFEDIRPATH

0x00000100

No writable directories (also check owner)

SFF_NOHLINK

0x00000200

File cannot have hard links

SFF_NOWLINK

0x00000400

Links only in nonwritable directories

SFF_NOGWFILES

0x00000800

Disallow group-writable files

SFF_NOWWFILES

0x00001000

Disallow world-writable files

SFF_OPENASROOT

0x00002000

Open as root instead of real user

SFF_NOLOCK

0x00004000

Don't lock the file

SFF_NOGRFILES

0x00008000

Disallow group-readable files

SFF_NOWRFILES

0x00010000

Disallow world-readable files

SFF_NOTEXCL

0x00020000

Creates don't need to be exclusive

SFF_EXECOK

0x00040000

Executable files are OK

If both the SFF_NOPATHCHECK flag and SFF_SAFEDIRPATH flags are clear (are 0), sendmail examines each component of the path leading to the file. If any component of the path is rejected, the -d44.4 debugging switch causes sendmail to print: 

[dir fname]  reason for the rejection here

A path component can fail because stat(2) failed. If the user-id is 0 for root, a warning is logged if a component is found to be group- or world-writable. For example: 

hash map "Alias0": unsafe map file /etc/mail/aliases.db: World-writable directory

For each component in the path, safefile( ) checks to verify that this user has permission to search the directory. If the SFF_ROOTOK flag is not set (is clear), root (user-id 0) access is special-cased in that all directory components must be world-searchable.

Otherwise, the path component is accepted if it is owned by the user-id and has the user search bit set, or if its group is the same as group-id and has the group search bit set. If NO_GROUP_SET is undefined when sendmail is compiled (NO_GROUP_SET) and the DontInitGroups option (DontInitGroups) is not set, each group to which user-id belongs is also checked. Otherwise, the directory must be world-searchable.

If the fname could not be checked with stat(2), the -d44.4 debugging switch causes the reason to be printed: 

 reason for failure here

If the file does not exist, it might need to be created. If so, sendmail checks to be sure that the user-id has write permission. The result is printed with the -d44.4 debugging switch like this: 

[final dir fname uid user-id mode wantmode ]  error  here

If the file exists and if symbolic links are supported, the file is rejected if it is a symbolic link and if the SFF_NOSLINK flag is set. If the -d44.4 debugging switch is specified, this error is printed: 

[slink mode mode]    EPERM

If the SFF_REGONLY flag is set the file must be a regular file. If it is not, it is rejected, and -d44.4 causes the following to be printed: 

[non-reg mode mode]    EPERM

If wantmode has the write bits set, and the existing file has any execute bits set, the file is rejected and -d44.4 causes the following to be printed: 

[exec bits mode]    EPERM

If the file has more than one link, the file is rejected and -d44.4 causes the following to be printed: 

[link count nlinks]    EPERM

If the SFF_SETUIDOK flag is specified, if SUID_ROOT_FILES_OK (SUID_ROOT_FILES_OK) was defined when sendmail was compiled,[5] if the file exists, if it has the set-user-id bit set in the mode but no execute bits set in the mode, and if it is not owned by root, sendmail performs subsequent checks under the set-user-id and set-group-id identities of the existing file. A similar process occurs with the set-group-id bit. Sendmail then prints:

[5] Note that set-user-id root files are permitted if sendmail was compiled with SUID_ROOT_FILES_OK defined, but we highly recommend against that definition.

[uid new_uid, stat filemode, mode wantmode ]

If access is finally allowed, sendmail concludes with: 

OK

Otherwise, it concludes with:

EACCES


    		Preface
    		Chapter 1. Some Basics
    		Part I: Build and Install
    		Part II: Administration
    		Chapter 6. Tune Performance
    		Chapter 7. How to Handle spam
    		Chapter 8. Test Rule Sets with -bt
    		Chapter 9. DNS and sendmail
    		Chapter 10. Maintain Security with sendmail
    		Chapter 11. Manage the Queue
    		Chapter 12. Maintain Aliases
    		Chapter 13. Mailing Lists and ~/.forward
    		Chapter 14. Signals, Transactions, and Syslog
    		Chapter 15. The sendmail Command Line
    		Chapter 16. Debug sendmail with -d
    		16.1 The Syntax of -d
    		16.2 The Behavior of -d
    		16.3 Interpret the Output
    		16.4 Table of All -d Categories
    		16.5 Pitfalls
    		16.6 Reference for -d in Numerical Order
    		'-d0.1'' ''''
    		''-d0.4'' '''
    		'-d0.10'' ''''
    		'-d0.12'' ''''
    		'-d0.13'' ''''
    		'-d0.15'' ''''
    		'-d0.20'' ''''
    		'-d2.1'' ''''
    		'-d2.9'' ''''
    		'-d4.80'' ''''
    		'-d6.1'' ''''
    		'-d8.1'' ''''
    		'-d8.2'' ''''
    		'-d8.3'' ''''
    		'-d8.5'' ''''
    		'-d8.7'' ''''
    		'-d8.8'' ''''
    		'-d11.1'' ''''
    		'-d11.2'' ''''
    		'-d12.1'' ''''
    		'-d13.1'' ''''
    		'-d20.1'' ''''
    		'-d21.1'' ''''
    		'-d21.2'' ''''
    		'-d22.1'' ''''
    		'-d22.11'' ''''
    		'-d22.12'' ''''
    		'-d25.1'' ''''
    		'-d26.1'' ''''
    		'-d27.1'' ''''
    		'-d27.2'' ''''
    		'-d27.3'' ''''
    		'-d27.4'' ''''
    		'-d27.5'' ''''
    		'-d27.8'' ''''
    		'-d27.9'' ''''
    		'-d28.1'' ''''
    		'-d29.1'' ''''
    		'-d29.4'' ''''
    		'-d31.2'' ''''
    		'-d34.1'' ''''
    		'-d34.11'' ''''
    		'-d35.9'' ''''
    		'-d37.1'' ''''
    		'-d37.8'' ''''
    		'-d38.2'' ''''
    		'-d38.3'' ''''
    		'-d38.4'' ''''
    		'-d38.9'' ''''
    		'-d38.10'' ''''
    		'-d38.12'' ''''
    		'-d38.19'' ''''
    		'-d38.20'' ''''
    		'-d41.1'' ''''
    		'-d44.4'' ''''
    		'-d44.5'' ''''
    		'-d48.2'' ''''
    		'-d49.1'' ''''
    		'-d52.1'' ''''
    		'-d52.100'' ''''
    		'-d60.1'' ''''
    		''-d99.100'' '''
    		Part III: The Configuration File
    		Part IV: Appendixes
    		Bibliography