LinuxQuestions.org > Forums > Linux Forums > Linux - Security
01-09-2002, 07:46 PM   #1
ForumKid
Sendmail - RunAsUser=sendmail:mail / What files do I have to change


My security book says it's a great idea to use the RunAsUser option in sendmail. It says you also have to change ownership on many files including /var/spool/mqueue, alias lists, and :include: files. UMMMMM.......Does someone know exactly what files need to be changed? I'm afraid I'll mess something up once again. I have no idea what alias lists and :include: files are.

Thanks
 
01-10-2002, 01:35 AM   #2
unSpawn (Moderator)
Accessible/executable by the RunAsUser (IIRC):
everything you get when executing "whereis sendmail" + /etc/mail + /var/spool/mqueue (+ /etc/aliases + /etc/aliases.db, IIRC) + change shell to smrsh, the restricted sendmail shell.

Check out http://sendmail.net/000710securitytaxonomy.shtml and http://sendmail.net/000705securitygeneral.shtml
 
01-10-2002, 06:07 PM   #3
ForumKid (Original Poster)
Why am I getting this error?
The permissions look OK.
My sendmail.cf has:
O RunAsUser=sendmail:mail

I created it via:
useradd sendmail -g mail
???

-rw-r--r-- 1 sendmail mail 424 Jan 8 18:37 access
-rw-r--r-- 1 sendmail mail 12288 Jan 10 18:54 access.db
-rw-r--r-- 1 sendmail mail 0 Mar 3 2001 domaintable
-rw-r--r-- 1 sendmail mail 12288 Jan 10 18:54 domaintable.db
-rw-r--r-- 1 sendmail mail 0 Jan 7 06:54 helpfile
-rw-r--r-- 1 sendmail mail 79 Jan 7 07:09 local-host-names
-rw-r--r-- 1 sendmail mail 0 Mar 3 2001 mailertable
-rw-r--r-- 1 sendmail mail 12288 Jan 10 18:54 mailertable.db
-rw-r--r-- 1 sendmail mail 611 Mar 3 2001 Makefile
-rw-r--r-- 1 sendmail mail 15 Jan 7 07:07 relay-domains
-rw-r--r-- 1 sendmail mail 2292 Jan 7 06:55 sendmail.mc
-rw-r--r-- 1 sendmail mail 127 Mar 3 2001 trusted-users
-rw-r--r-- 1 sendmail mail 0 Mar 3 2001 virtusertable
-rw-r--r-- 1 sendmail mail 12288 Jan 10 18:54 virtusertable.db

/etc/rc.d/init.d/sendmail start
Starting sendmail: makemap: error opening type hash map /etc/mail/virtusertable: Permission denied
makemap: error opening type hash map /etc/mail/access: Permission denied
makemap: error opening type hash map /etc/mail/domaintable: Permission denied
makemap: error opening type hash map /etc/mail/mailertable: Permission denied
[ OK ]
 
01-11-2002, 12:59 AM   #4
unSpawn (Moderator)
RunAsUser=<username>, IIRC, not RunAsUser=<username>:<group>
 
01-12-2002, 03:07 PM   #5
ForumKid (Original Poster)
Same error when RunAsUser=sendmail

total 40
-rw----r-- 1 sendmail sendmail 424 Jan 8 18:37 access
-rw-r--r-- 1 sendmail sendmail 12288 Jan 12 15:04 access.db
-rw-r--r-- 1 sendmail sendmail 0 Mar 3 2001 domaintable
-rw-r--r-- 1 sendmail sendmail 12288 Jan 12 15:04 domaintable.db
-rw-r--r-- 1 sendmail sendmail 0 Jan 7 06:54 helpfile
-rw-r--r-- 1 sendmail sendmail 79 Jan 7 07:09 local-host-names
-rw-r--r-- 1 sendmail sendmail 0 Mar 3 2001 mailertable
-rw-r--r-- 1 sendmail sendmail 12288 Jan 12 15:04 mailertable.db
-rw-r--r-- 1 sendmail sendmail 611 Mar 3 2001 Makefile
-rw-r--r-- 1 sendmail sendmail 15 Jan 7 07:07 relay-domains
-rw-r--r-- 1 sendmail sendmail 2292 Jan 7 06:55 sendmail.mc
-rw-r--r-- 1 sendmail sendmail 127 Mar 3 2001 trusted-users
-rw-r--r-- 1 sendmail sendmail 0 Mar 3 2001 virtusertable
-rw-r--r-- 1 sendmail sendmail 12288 Jan 12 15:04 virtusertable.db

/etc/rc.d/init.d/sendmail start
Starting sendmail: makemap: error opening type hash map /etc/mail/virtusertable: Permission denied
makemap: error opening type hash map /etc/mail/access: Permission denied
makemap: error opening type hash map /etc/mail/domaintable: Permission denied
makemap: error opening type hash map /etc/mail/mailertable: Permission denied
[ OK ]

If the RunAsUser is sendmail and he owns these files, why am I getting these errors?
Thanks
 
01-12-2002, 06:36 PM   #6
unSpawn (Moderator)
Can RunAsUser read/write /etc/aliases(.db)?
 
01-13-2002, 08:44 AM   #7
ForumKid (Original Poster)
ls -l /etc/mail
-rw-r--r-- 1 sendmail sendmail 424 Jan 8 18:37 access
-rw-r--r-- 1 sendmail sendmail 12288 Jan 12 16:06 access.db
-rw-r--r-- 1 sendmail sendmail 0 Mar 3 2001 domaintable
-rw-r--r-- 1 sendmail sendmail 12288 Jan 12 16:06 domaintable.db
-rw-r--r-- 1 sendmail sendmail 0 Jan 7 06:54 helpfile
-rw-r--r-- 1 sendmail sendmail 79 Jan 7 07:09 local-host-names
-rw-r--r-- 1 sendmail sendmail 0 Mar 3 2001 mailertable
-rw-r--r-- 1 sendmail sendmail 12288 Jan 12 16:06 mailertable.db
-rw-r--r-- 1 sendmail sendmail 611 Mar 3 2001 Makefile
-rw-r--r-- 1 sendmail sendmail 15 Jan 7 07:07 relay-domains
-rw-r--r-- 1 sendmail sendmail 2292 Jan 7 06:55 sendmail.mc
-rw-r--r-- 1 sendmail sendmail 127 Mar 3 2001 trusted-users
-rw-r--r-- 1 sendmail sendmail 0 Mar 3 2001 virtusertable
-rw-r--r-- 1 sendmail sendmail 12288 Jan 12 16:06 virtusertable.db
ls -l /etc/aliases.db
-rw-r--r-- 1 sendmail sendmail 12288 Jan 12 16:06 /etc/aliases.db
ls -al /var/spool/mqueue
total 8
drwxr-xr-x 2 sendmail sendmail 4096 Jan 12 17:17 .
drwxr-xr-x 14 root root 4096 Jan 7 20:44 ..

whereis sendmail
sendmail: /usr/sbin/sendmail /etc/sendmail.cf /usr/lib/sendmail /usr/share/man/man8/sendmail.8.gz
ls -l /usr/sbin/sendmail
-r-sr-xr-x 1 sendmail sendmail 417828 Mar 3 2001 /usr/sbin/sendmail
ls -l /etc/sendmail.cf
-rw-r--r-- 1 sendmail sendmail 46454 Jan 13 09:28 /etc/sendmail.cf
ls -l /usr/lib/sendmail
lrwxrwxrwx 1 sendmail sendmail 16 Jan 7 01:41 /usr/lib/sendmail -> ../sbin/sendmail
ls -l /usr/share/man/man8/sendmail.8.gz
-rw-r--r-- 1 sendmail sendmail 6387 Mar 3 2001 /usr/share/man/man8/sendmail.8.gz

Doesn't this look right? My concern is: it says all maps and all :include: files must be readable. Am I missing something?
Thanks so much
 
01-13-2002, 08:47 AM   #8
ForumKid (Original Poster)
Left one out.
ls -l aliases
-rw-r--r-- 1 sendmail sendmail 1048 Mar 3 2001 aliases
 
01-13-2002, 10:38 AM   #9
unSpawn (Moderator)
chown sendmail.sendmail /var/lib/mailertable
Also check your /var/log/mail(log) for failures.
 
01-13-2002, 11:10 AM   #10
ForumKid (Original Poster)
/var/lib/mailertable doesn't exist.

LOG
Jan 13 12:02:03 myhost sendmail[1108]: NOQUEUE: SYSERR(root): drop_privileges: setuid(0) succeeded (when it should not): Operation not permitted
Jan 13 12:02:03 myhost sendmail[1118]: starting daemon (8.11.2): SMTP+queueing@01:00:00
Jan 13 12:02:03 myhost sendmail[1118]: NOQUEUE: SYSERR(root): opendaemonsocket: daemon MTA: cannot bind: Permission denied
Jan 13 12:02:03 myhost sendmail[1118]: daemon MTA: problem creating SMTP socket
Jan 13 12:02:03 myhost sendmail[1118]: NOQUEUE: SYSERR(root): opendaemonsocket: daemon MTA: server SMTP socket wedged: exiting

UHHHHHHHH and this means???????
 
01-13-2002, 11:36 AM   #11
unSpawn (Moderator)
The sendmail binary needs to bind to a socket < 1024, so it needs a UID that is allowed these privileges. That's why the docs say it uses the RunAsUser UID after binding to the socket; your sendmail binary is setuid sendmail, and not setuid root, and that's why the rest of the files need to be readable by the RunAsUser UID.

Btw, mailertable should exist somewhere, because it's needed by the makemap utility:
"find / -name mailertable -print" should show it.
 
01-13-2002, 12:01 PM   #12
ForumKid (Original Poster)
I changed ownership of /usr/lib/sendmail and /usr/sbin/sendmail to root and still get same errors.

mailertable is located in /etc/mail and is owned by sendmail

I'm not sure why I'm having so many problems. I'm researching on the net and every single article assumes you know everything.
Thanks
 
01-13-2002, 01:40 PM   #13
unSpawn (Moderator)
Ok. I'll just give a rundown of what I did to make use of the RunAsUser "feature". I already got the user "mail", I'm using Linuxconf to handle rendering sendmail.cf, and I've got my extra options in /etc/mail/mailconf/stdoptions.cf (the horror, the horror). Hope this checklist helps and I didn't forget anything essential.

1. Add lines to stdoptions.cf so they get processed (else use /etc/mail/sendmail.mc and use the proper m4 calls):
# Suid user
O RunAsUser=mail
# Can't write /var/run
O PidFile=/tmp/sendmail.pid
# Who owns files
O TrustedUser=mail
# Uid running mailer
# see CERT about sendmail buffer overflows.
O DefaultUser=mailnull
2. "mailconf --generatecf" or render with "m4 /etc/mail/sendmail.mc > /etc/sendmail.cf"
*note mailconf also does the "makemap -o hash etc etc" stuff.
3. "chown -R mail.mail /etc/mail; chown mail.mail /etc/aliase* /etc/sendmail* /var/spool/{mqueue,mail} /var/lib/mailertab*"
4. restart sendmail and check its logs.

This works for me

Last edited by unSpawn; 01-13-2002 at 01:44 PM.
 
01-14-2002, 08:01 AM   #14
ForumKid (Original Poster)
Thanks unSpawn. I did exactly what you posted and it worked. I was missing some of the sendmail.cf stuff.
One last question regarding this. I'm using qpopper for pop3. Now that sendmail runs as user sendmail, qpopper has a problem. I can no longer send or receive mail via pop3. I'm not sure if this is a config change on the sendmail side or the qpopper side. I have gone through both configs and I can't figure this out. I have also searched and come up empty handed.
Maybe you know or can direct me to somewhere that I can search to figure this out.
Thanks as always.
Things that come simple to others are a true mofo for me.
 
01-14-2002, 11:39 AM   #15
unSpawn (Moderator)
First guess would be to check the qpopper log for errors; if none show up check the sendmail log; if none show up, start qpopper with the -d option and see if it adds debugging info to its log (same for sendmail if it's sendmail related ofcuz). If this doesn't do a thing, check the permissions on where qpopper is supposed to write its dotlocks (mail spool): it expects "root.mail", where you just made it "sendmail.sendmail", so maybe we should make it "sendmail.mail", or "root.sendmail" and "chmod 0770 /var/mail" so it's writable for owner and group. If this doesn't do a thing, check the Qpopper manual/faq/website...

HTH somehow, plz report back any clues, ok, I'm no guru :-]
 