Milter-greylist

wrote on Wed, 29 Mar 2006 00:02:24 +0200:

> This is the offending code (milter-greylist.c): 

Ah, uh, oh, great! I didn't ever consider this is in milter-greylist code. 
I thought that is a general Linux message and something must be 
misconfigured. Just what?

>  
> #ifdef HAVE_INITGROUPS 
>                if (initgroups(conf.c_user, pw->pw_gid) != 0) { 
>                        syslog(LOG_ERR, "%s: cannot change " 
>                            "supplementary groups: %s\n", 
>                            argv[0], strerror(errno)); 
>                        exit(EX_OSERR); 
>                } 
> #endif 

Question: is it necessary at all? Isn't the first group sufficient? Well, 
probably a dumb question, but I don't know much about this ;-)
I wonder why I'm the only one until now who hit this. I know there are 
several people here who use milter-greylist on CentOS and "smmsp" seems to 
be the default user for it.

>  
> Proposed fixes: 
> 1) Make it a warning and don't exit 
>  
> 2) Make a runtime configure test and undef HAVE_INITGROUPS if initgroups 
> gets a EPERM. But that would be tricky since configure is not run as 
> user smmsp. 

What about adding a configure switch --without-initgroups?

>  
> 3) Understand what's wrong here. What does your initgroup man page says 
> about EPERM?

Nothing that we not already know :-(

RETURN VALUE
       The  initgroups()  function  returns  0  on success, or -1 if an 
error occurs.

ERRORS
       EPERM  The calling process does not have sufficient privileges.

       ENOMEM Insufficient memory to allocate group information structure.

Here are the passwd and group lines if that helps to identify any 
irregularities.

smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin

smmsp:x:51:


Kai

-- 
Kai Sch\ufffdtzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com