Re: 2.8.0 and newly strict checking

From: Todd Lyons <tlyons_at_ivenue.com>
Date: Sat, 2 Mar 2013 20:30:45 -0800

On Sat, Mar 2, 2013 at 4:36 PM, Doug Barton <dougb_at_dougbarton.us> wrote:
> I read the prior thread on this in the archive, but I cannot see where I am
> getting tripped up:
>
> ls -ld / /var /var/db /var/db/opendkim
> drwxr-xr-x 17 root wheel 512 Feb 16 06:05 /
> drwxr-xr-x 27 root wheel 512 Feb 16 06:06 /var
> drwxr-xr-x 13 root wheel 512 Mar 3 00:06 /var/db
> drwx------ 2 root wheel 512 Mar 3 00:02 /var/db/opendkim
>
> ls -la /var/db/opendkim
> total 16
> drwx------ 2 root wheel 512 Mar 3 00:02 .
> drwxr-xr-x 13 root wheel 512 Mar 3 00:06 ..
> -r-------- 1 opendkim mail 887 Jan 6 06:34 dougbarton.us.private
> -r-------- 1 opendkim mail 329 Jan 6 06:34 dougbarton.us.txt
>
> id opendkim
> uid=1002(opendkim) gid=6(mail) groups=6(mail)
>
> And yet I still get this:
>
> opendkim -l -u opendkim -P /var/run/milteropendkim/pid -x /usr/local/etc/mail/opendkim.conf
> opendkim: /usr/local/etc/mail/opendkim.conf: /var/db/opendkim/dougbarton.us.private: key data is not secure

That doesn't make any sense to me either. I expect to see that this
will result in a bug being filed. As I stare at it waiting for that
aha moment, I see nothing wrong, it looks fine to me. I don't think
it would/should be tripping on the wheel group ownership because the
group write bit is not set anywhere.

> I also tried ownership of opendkim:mail for /var/db/opendkim, same result;
> as well as various of root:mail root:wheel, etc. for the .private file
> itself.

I would expect opendkim:* to achieve the same results.

root:* at mode 400 for those two files and/or the directory would
result in opendkim not being able to read the files since it runs as
the unprivileged user. I suspect you were testing if opendkim reads
them before the uid switch; it doesn't, it reads them after (I am
merely recalling a previous thread, perusing code or a Murray
confirmation would be the best way to verify that).

> I went back to 2.7.4 for now, help/suggestions welcome. :)

I did that too before I found my / was owned by non root user. I hope
your solution comes out to be a simple one as well.

...Todd
-- 
The total budget at all receivers for solving senders' problems is $0.
 If you want them to accept your mail and manage it the way you want,
send it the way the spec says to. --John Levine
Received on Sun Mar 03 2013 - 04:30:57 PST
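The thread is about which file and directory permissions an unprivileged opendkim user actually ends up with on the key path. The script below is an added example, not code from the thread or from OpenDKIM, and its rules are a sysadmin's hand check rather than OpenDKIM's own key-file test: it walks every component from / down to the key, reports directories that are group- or other-writable, directories the given uid/gid cannot traverse, and a key that is owned by someone other than that uid or root, is accessible to group/other, or is unreadable by the uid. The `LISTING` table is constructed from the `ls` output and `id opendkim` quoted above (wheel is assumed to be gid 0, as on FreeBSD); uid 0 is deliberately not special-cased, because the point is what the unprivileged uid can reach.

```python
"""Audit the permission chain of a DKIM private key file for a given uid/gid.

Added example for the opendkim-users thread; not OpenDKIM code and not its
dkimf_securefile() logic, just the checks an admin would make by hand.
"""
import os
import stat
import sys
from collections import namedtuple
from pathlib import PurePosixPath

# Minimal stand-in for os.stat_result so constructed data can be audited offline.
FakeStat = namedtuple("FakeStat", "st_mode st_uid st_gid")


def path_components(path):
    """'/var/db/k.private' -> ['/', '/var', '/var/db', '/var/db/k.private']."""
    p = PurePosixPath(path)
    if not p.is_absolute():
        raise ValueError("an absolute path is required")
    out, cur = ["/"], PurePosixPath("/")
    for name in p.parts[1:]:
        cur = cur / name
        out.append(str(cur))
    return out


def can(st, uid, gid, perm):
    """True if uid/gid gets `perm` ('r', 'w' or 'x') on entry `st`, using the
    owner, group or other permission class the way the kernel selects it.
    uid 0 is NOT treated specially: we want the unprivileged user's view."""
    shift = 6 if st.st_uid == uid else 3 if st.st_gid == gid else 0
    bit = {"r": 4, "w": 2, "x": 1}[perm]
    return bool((st.st_mode >> shift) & bit)


def audit_key_path(path, uid, gid, stat_fn=os.stat):
    """Return a list of (component, finding) tuples. An empty list means every
    parent directory is traversable by uid/gid and not group/other-writable,
    and the key is owned by uid or root, closed to group/other, and readable."""
    findings = []
    comps = path_components(path)
    for comp in comps[:-1]:
        st = stat_fn(comp)
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((comp, "directory is writable by group or other"))
        if not can(st, uid, gid, "x"):
            findings.append((comp, f"uid {uid} cannot traverse this directory"))
    key = comps[-1]
    st = stat_fn(key)
    if st.st_uid not in (0, uid):
        findings.append((key, f"owned by uid {st.st_uid}, expected {uid} or root"))
    if st.st_mode & 0o077:
        findings.append((key, "group or other has some access to the key"))
    if not can(st, uid, gid, "r"):
        findings.append((key, f"uid {uid} cannot read the key"))
    return findings


# Constructed from the listing in the thread: modes as shown by ls, root=0,
# wheel assumed to be gid 0, and `id opendkim` giving uid 1002 / gid 6 (mail).
KEY = "/var/db/opendkim/dougbarton.us.private"
LISTING = {
    "/": FakeStat(stat.S_IFDIR | 0o755, 0, 0),
    "/var": FakeStat(stat.S_IFDIR | 0o755, 0, 0),
    "/var/db": FakeStat(stat.S_IFDIR | 0o755, 0, 0),
    "/var/db/opendkim": FakeStat(stat.S_IFDIR | 0o700, 0, 0),
    KEY: FakeStat(stat.S_IFREG | 0o400, 1002, 6),
}


def audit_listing(dir_mode=0o700, dir_gid=0):
    """Audit the constructed listing as uid 1002 / gid 6, optionally with a
    different mode and group on /var/db/opendkim to compare variants."""
    table = dict(LISTING)
    table["/var/db/opendkim"] = FakeStat(stat.S_IFDIR | dir_mode, 0, dir_gid)
    return audit_key_path(KEY, 1002, 6, table.__getitem__)


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: audit_key.py <key path> <user name>
        import pwd
        pw = pwd.getpwnam(sys.argv[2])
        found = audit_key_path(sys.argv[1], pw.pw_uid, pw.pw_gid)
    else:
        found = audit_listing()
    for comp, msg in found or [("-", "no findings")]:
        print(f"{comp}: {msg}")
```

On the constructed data the only finding is that uid 1002 cannot traverse /var/db/opendkim (mode 700, root:wheel); the script does not say whether that is what OpenDKIM's check trips on, only what the unprivileged user is able to reach. Run it as `audit_key.py /path/to/key opendkim` to audit a real key path with the real stat results.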
