Hello,
I had the same problem.
I am using Debian 7 Wheezy on a server (no GUI installed) and the
standard Xmail package from wheezy. PHP and Apache2 too are the wheezy
standard packages.
PHP configuration is correct, i.e. it has '/usr/sbin/sendmail -t -i'
defined.
I could send email via PHP or Perl scripts if I started the scripts
manually from the shell as root. But a small testmail.php script started
with the rights of the webserver (web:webgroup) failed with permission
denied; it cannot access the xmail spool directory.
Looking into this I found:

1) There is a sendmail drop-in from xmail as described in the
documentation. /usr/sbin/sendmail is a symlink to a small shell script
xsendmail. The shell script ensures 2 environment variables are set and
calls the xmail sendmail program.

2) The drop-in script /var/lib/xmail/sendmail/xsendmail is owned by
root:mail and has the setgid bit set.
xsendmail permissions: r-xr-sr-x
That means that every user can use it (via symlink or directly) to send
email; it is executed as group 'mail'.

3) The drop-in sendmail program /var/lib/xmail/sendmail is owned by
root:root and has no setgid/setuid bits set.
/var/lib/xmail/sendmail/sendmail permissions: rwxr-xr-x

I do not know if this is intentional, and I am not sure if exec-ing a
program by shell script (with setgid bits) should exec the program with
the same setgid bit, i.e. in the group mail in this case. I am not sure
about the rules here.
What I tried: Set the drop-in sendmail
(/var/lib/xmail/sendmail/sendmail) to owner root:mail and set the setgid
bit, so that the drop-in program has exactly the same rights as the
drop-in shell script xsendmail:

/var/lib/xmail/sendmail/xsendmail: -r-xr-sr-x root mail xsendmail
/var/lib/xmail/sendmail/sendmail: -r-xr-sr-x root mail sendmail

This fixes it, since now PHP, operating under the web server's
non-privileged account, can call sendmail, which operates under the group
'mail' and has access rights. This problem is nasty to isolate, since
PHP is not very helpful and the 'permission denied' message is not
shown. One can only find it by using a small test script, starting this
via shell and PHP cli interface. Only then the error shows up. Using it
via the webserver simply returns 'false' (0) from the PHP mail()-function.

I am not sure if this is an oversight or was intended this way. But
without changing the configuration, a web server under a non-privileged
account would have to be put into the group 'mail' to be able to send
mail. This makes no sense to me. I have no local user accounts on my
server. I could put the web server into this group, but why? It also
would break other things.

I hope this helps.
H.F.W.
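
On the question of which rules apply: the Linux kernel ignores setuid/setgid bits on `#!` interpreter scripts, so a setgid bit on the xsendmail wrapper grants nothing, while the same bit on an ELF binary does take effect. The check below is an added example, not part of the original message or of the xmail package; the function names are hypothetical and the two audited paths are the ones quoted in the message.

```shell
#!/bin/sh
# Added example: report whether a setgid bit on a file is honoured by Linux.

# Print "script", "elf" or "other" from the file's leading magic bytes.
file_kind() {
    magic=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        2321*)    echo script ;;   # "#!" interpreter line
        7f454c46) echo elf ;;      # native ELF executable
        *)        echo other ;;
    esac
}

# Print one verdict for a path:
#   no-setgid  mode has no setgid bit
#   ignored    setgid bit on a "#!" script; Linux does not apply it on exec
#   effective  setgid bit on an ELF binary (unless the mount is nosuid)
#   unknown    setgid bit on some other kind of file
setgid_verdict() {
    if [ ! -g "$1" ]; then
        echo no-setgid
        return 0
    fi
    case "$(file_kind "$1")" in
        script) echo ignored ;;
        elf)    echo effective ;;
        *)      echo unknown ;;
    esac
}

# Audit the two files named in the message, if present on this host.
audit_xmail_sendmail() {
    for f in /var/lib/xmail/sendmail/xsendmail /var/lib/xmail/sendmail/sendmail; do
        if [ -e "$f" ]; then
            printf '%s %s %s\n' "$(setgid_verdict "$f")" \
                "$(stat -c '%A %U:%G' "$f")" "$f"
        else
            printf 'missing %s\n' "$f"
        fi
    done
}

audit_xmail_sendmail
```

A verdict of `ignored` for the wrapper together with `no-setgid` for the binary matches the permission-denied symptom described in the message.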