Learning the Mac OS X Terminal, Part 3
Eliminating sendmail Permissions Errors
As you’ll remember, we needed to change the permissions for the root directory to get sendmail to work. While in most cases this does work, it’s really just a workaround that comes with a few of its own trade-offs. For one, some Apple updaters will revert the permissions, so you’ll need to chmod again to get sendmail back on track.
Secondly, and more importantly, there's a reason why Apple wants the root directory to be group-writable. Many Classic installer applications (and even some native ones) are programmed to place items in the root directory, and unless you’ve given these applications admin privileges to do this, they just might choke during an installation. Apple’s workaround for this possibility, then, is to keep the root directory group-writable.
Of course, that causes problems for sendmail, which for security reasons wants the root directory not to be group-writable. At this point, then, you might feel stuck between a rock and a hard place. But wouldn’t it be great if you could just tell sendmail (as Ben Franklin might), "Hey, I’m willing to give up a little security if you just give me the liberty to keep my permissions!"
In fact, sendmail allows you to set just that option by adding a single line to its configuration file. This is from the sendmail documentation:
"You may have to tweak your environment to make it safer for sendmail to run. If you find that some of the safeties in sendmail are too restrictive for your environment, they can be turned off by setting the option DontBlameSendmail. The option is appropriately named as sendmail is not to be blamed for problems resulting from unsafe permissions on directories and files."
As long as you’re using sendmail as described in the tutorial and are the primary user of the machine, the security risk is small in setting this option. If, however, you aren’t able to control access to your machine either physically or remotely, and you are compromised, please don’t blame me either ;-)
So if you’re ready to go, the file you need to edit is /etc/mail/sendmail.cf. You’ll first want to make a backup. Since the /etc/mail directory is only root-writable, you’ll need sudo:
sudo cp -p /etc/mail/sendmail.cf /etc/mail/sendmail.cf.bak
Note the use of the -p option flag in this command line, which preserves the permissions settings of the original in the copy of the file. This will make things a little easier, should you need to quickly restore the file.
You can then edit this file using pico, as you have with others. Since sendmail.cf is only writable by root, you’ll need to use sudo here as well.
sudo pico /etc/mail/sendmail.cf
This file is over 1,200 lines long and might be intimidating, but since you’ll just be adding a single line near the top and then getting the heck out, you should have nothing to worry about.
The line you’re looking for is a commented-out "DontBlameSendmail" line about 70 lines down from the top. The quickest way to get there in pico is by pressing Control + W, entering "DontBlame", and pressing Return. You should then see these lines:
# level 9 config file format
V9/Berkeley
# override file safeties - setting this option compromises system security,
# addressing the actual file configuration problem is preferred
# need to set this before any file actions are encountered in the cf file
#O DontBlameSendmail=safe
# default LDAP map specification
Next, add a new line after the found line and enter (or paste in) this line:
O DontBlameSendmail=GroupWritableDirPathSafe
When you’re done, the lines should look like this:
# override file safeties - setting this option compromises system security,
# addressing the actual file configuration problem is preferred
# need to set this before any file actions are encountered in the cf file
#O DontBlameSendmail=safe
O DontBlameSendmail=GroupWritableDirPathSafe
# default LDAP map specification
As usual, press Control + O to save the file, Return to confirm the name, and Control + X to exit pico. You can now reset the root directory’s permissions to the factory default with this command:
[localhost:/etc/mail] chris% sudo chmod g+w /
If everything went well, sendmail will in fact send its mail the next time it’s beckoned, even with a group-writable root directory.
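To review the result of this edit later, the following added example (not code from the article or from sendmail) lists which safety checks an active DontBlameSendmail line relaxes and which directories above a file are group-writable. The function names are hypothetical, and the sample sendmail.cf excerpt and scratch directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the article): audit helpers for the sendmail.cf edit.

# Print each safety check relaxed by an active "O DontBlameSendmail=" line.
# Commented-out lines and the default value "safe" are skipped.
relaxed_checks() {
    sed -n 's/^O[[:space:]]\{1,\}DontBlameSendmail[[:space:]]*=[[:space:]]*//p' "$1" |
        tr ',' '\n' | tr -d ' \t' | grep -iv '^safe$' || true
}

# Walk from the directory holding $1 up to /, printing every directory whose
# group-write bit is set (6th character of the `ls -ld` mode string).
group_writable_dirs() {
    d=$(dirname "$1")
    while :; do
        [ "$(ls -ld "$d" | cut -c6)" = "w" ] && echo "$d"
        [ "$d" = "/" ] && break
        d=$(dirname "$d")
    done
    return 0
}

# Constructed sample: the edited excerpt shown above, written to a scratch dir.
demo=$(mktemp -d)
mkdir -p "$demo/etc/mail"
chmod 775 "$demo/etc"          # group-writable ancestor, like / on Mac OS X
chmod 755 "$demo/etc/mail"
cat > "$demo/etc/mail/sendmail.cf" <<'EOF'
# need to set this before any file actions are encountered in the cf file
#O DontBlameSendmail=safe
O DontBlameSendmail=GroupWritableDirPathSafe
# default LDAP map specification
EOF

echo "Relaxed checks:";           relaxed_checks "$demo/etc/mail/sendmail.cf"
echo "Group-writable ancestors:"; group_writable_dirs "$demo/etc/mail/sendmail.cf"
```

On a real machine, point both functions at /etc/mail/sendmail.cf; an empty "Relaxed checks" list means every DontBlameSendmail line is commented out or set to safe.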
If you’re still having problems with anything, make sure to look at the TalkBack sections for all parts of this tutorial, where readers and I have covered most of the common problems and made some corrections.
Also, if you would like to learn lots more about cron, here’s another tutorial for you.
Now that your feet (or even your knees) are wet working with Terminal and Unix, you have an entire ocean left to explore. I hope this tutorial has given you the confidence to dive in. There are other articles here on the Mac DevCenter you should now be ready for, as well as plenty more around the Internet.
I also plan to have some more of my own articles in the near future, so feel free to make any requests in the TalkBacks. See you there!
Special thanks to Fred Coffman for his help with this article.
Chris Stone is a Senior Macintosh Systems Administrator for O'Reilly, coauthor of Mac OS X in a Nutshell and contributing author to Mac OS X: The Missing Manual, which provides over 40 pages about the Mac OS X Terminal.

