Re: 2.8.0 and newly strict checking

From: Doug Barton <>
Date: Wed, 06 Mar 2013 00:48:20 -0800

On 03/05/2013 11:32 PM, Murray S. Kucherawy wrote:
> The only one of those that matters is KeyFile, which tells it what file
> to open. The rest of those don't affect permissions checking. I
> presume you're starting it with "su opendkim ...", since UserId is missing.
> The patch I sent earlier will show what values are being queried from
> the filesystem, and from /etc/passwd and /etc/group, via syslog.
> Running that while things are back in your failing state might shed some
> light on what's going on that the code didn't anticipate.

I'm starting it with -u, which seems to be the issue. I couldn't get it
to fail with the group problem again, however when I changed the
ownership of the file to opendkim, I get this from your patch:

opendkim: path /var/db/opendkim/, uid 1002, gid 6,
mode 00100400, me 0
opendkim: - regular file
opendkim: - foreign owner

Switching file ownership back to root made it work again.

I tried very hard to only change one thing at a time when I was testing
previously, nevertheless it seems like the group thing may have been a
red herring. If that's the case I'm sorry for wasting your time on it.
OTOH, I put the wheel group back on the directory and file, and it still
works as long as the file is owned by root ... which is a configuration
that I know I tested at one point. :-/

In any case, thanks for your help. If I may, something like what you
sent me, perhaps hidden under a debug flag, would be a useful addition
to the base. While I applaud the desire to make the thing more secure
I'm not exactly new to system administration and I still managed to foul
it up pretty royally. :)

Received on Wed Mar 06 2013 - 08:48:29 PST

This archive was generated by hypermail 2.3.0 : Wed Mar 06 2013 - 08:54:01 PST