On 7/24/2014 5:42 PM, D. Boland wrote:
> Hi Corinna,
>
> Corinna Vinschen wrote:
>> But be careful. Just because there are multiple users with admin
>> permissions, that doesn't mean they all want their mail in the same
>> mailbox for user 0...

Things are actually worse than Corinna and others have described.

The SYSTEM account is a built-in local machine account that by default is granted certain permissions, but those permissions are configurable. There is a built-in Administrator account which everyone is taught never to use. There are two default groups, "Administrators" and "Domain Administrators", whose members are considered to be administrators but whose logon sessions run in a restricted mode which is tighter in many regards than standard users UNLESS the process running as that user is granted "elevated" access.

Simply working off the user's SID or GIDs to make decisions is often going to result in failures that appear to your users as unpredictable.

> Thanks for the overloading code. I already tested it. Now I can leave the Sendmail
> code (almost) unchanged. Thanks also for the time you put into this. I hope the
> RedHat people pay you well.
>
> I have Sendmail ready to be released, but only the 'crude' version (running as an
> admin user). I'd like to go for the preferred solution (starting as admin, switching
> to unprivileged). The uid issue is sorted. But to get it there, I have one final
> problem to solve.

On all modern versions of Windows the accounts that are members of the Administrators and Domain Administrators accounts are going to run unprivileged. In the Windows world background daemons (aka services) should be assigned their own service account that is granted the minimum set of privileges required. Windows permissions are much more fine-grained than POSIX, and this gives you a great deal of control. Shedding privileges can be done by a privileged process by replacing its process (or thread) access tokens with a more restricted version.
> Sendmail checks if the user's home directories are group- or world writable. It does
> this with 'stat'. If Sendmail is running in 'crude' mode (main program and children
> running as the Sendmail 'smmsp' user, made admin), stat returns the right file mode
> for my home directory (rwxr-xr-x). The email is delivered.

On Windows file systems (as with many UNIX network file systems; think AFS as one example) the UNIX mode is not going to have much value. What matters are the entries in the access control list, and that is what should be checked and manipulated. Cygwin can't turn a non-POSIX file system into a POSIX file system no matter how hard it tries.

> If I have Sendmail running in preferred mode (main program as cyg_server, children
> running as 'smmsp', removed from admin group), stat returns the wrong mode
> (rwxrwxrwx). As a consequence, Sendmail refuses to deliver email.

The UNIX mode cannot describe the fine-grained permissions of the access control language for the file system.

> Can I do anything about this?

Other members of this group might have some additional suggestions on how to remove checks, but if you really want secure delivery of e-mail on a Windows file system you will need to write code that is capable of understanding the capabilities of the file system. Just as you would on UNIX if the home directory were in a network file system that relied upon GSS/Kerberos network credentials and Access Control Lists instead of UNIX mode for access control.

Jeffrey Altman
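As an added illustration of the point Jeffrey makes above (this is example code written for this page, not code from the thread, from Cygwin or from Sendmail): the Windows equivalent of Sendmail's "is the home directory group- or world-writable?" test is to walk the directory's DACL and look for Allow entries that grant write-class rights to broad well-known SIDs, rather than trusting the POSIX mode Cygwin synthesises from that DACL. Which SIDs count as "broad" and which rights count as "write" are judgement calls, so both sets below are assumptions to adjust for your environment, and the path in the usage line is a placeholder, not one from the thread.

```powershell
# Added example, not code from the thread, Cygwin or Sendmail.
# Approximates Sendmail's "home directory is group- or world-writable" test
# on an NTFS directory by reading the DACL directly instead of the POSIX
# mode Cygwin derives from it.
# Assumptions: the caller can read the directory's security descriptor; the
# "broad" SIDs and the rights treated as "write" below are a hypothetical
# policy chosen for this example.

function Test-BroadWriteAccess {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )

    # Well-known SIDs used here as the Windows analogue of "group/world".
    $broadSids = @{
        'S-1-1-0'      = 'Everyone'
        'S-1-5-11'     = 'Authenticated Users'
        'S-1-5-32-545' = 'BUILTIN\Users'
        'S-1-5-7'      = 'Anonymous Logon'
    }

    # Specific rights that let a principal add, replace or remove entries in
    # the directory, or rewrite its security descriptor.
    $fsr = [System.Security.AccessControl.FileSystemRights]
    $writeMask = [int]($fsr::CreateFiles -bor $fsr::CreateDirectories -bor
                       $fsr::Delete -bor $fsr::DeleteSubdirectoriesAndFiles -bor
                       $fsr::WriteAttributes -bor $fsr::WriteExtendedAttributes -bor
                       $fsr::ChangePermissions -bor $fsr::TakeOwnership)

    # GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) show up in
    # inheritable ACEs and lie outside the FileSystemRights enum, so they
    # are matched by raw bit value.
    $genericWrite = 0x40000000 -bor 0x10000000

    $acl = Get-Acl -LiteralPath $Path
    $findings = @()

    # Ask for identities as SIDs so the check does not depend on SID-to-name
    # lookups, which can be slow or fail for domain accounts.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -ne 'Allow') { continue }

        $sid = $ace.IdentityReference.Value
        if (-not $broadSids.ContainsKey($sid)) { continue }

        # An inherit-only ACE (PropagationFlags bit 2) governs children only,
        # not this directory itself.
        if ((([int]$ace.PropagationFlags) -band 2) -ne 0) { continue }

        $raw = [int]$ace.FileSystemRights
        if ((($raw -band $writeMask) -ne 0) -or (($raw -band $genericWrite) -ne 0)) {
            $findings += [pscustomobject]@{
                Sid       = $sid
                Principal = $broadSids[$sid]
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }

    [pscustomobject]@{
        Path              = $Path
        Owner             = $acl.Owner
        IsBroadlyWritable = ($findings.Count -gt 0)
        BroadWriters      = $findings
    }
}

# Usage (the path is a placeholder, not a directory named in the thread):
$result = Test-BroadWriteAccess -Path 'C:\cygwin64\home\someuser'
if ($result.IsBroadlyWritable) {
    Write-Warning "Refusing delivery: $($result.Path) is writable by a broad group"
    $result.BroadWriters | Format-Table -AutoSize
} else {
    "OK: only specific principals can write to $($result.Path)"
}
```

Two caveats a practitioner would want. First, the function deliberately ignores Deny ACEs for the same SIDs, so a directory with a broad Allow cancelled by a more specific Deny is reported as writable; that errs on the side of refusing delivery, which is the safer failure for a mail spool. Second, the DACL is not the whole story on Windows: a caller holding privileges such as SeBackupPrivilege, SeRestorePrivilege or SeTakeOwnershipPrivilege bypasses or rewrites it regardless of what the entries say, which is exactly why the thread recommends running the daemon under a dedicated service account with only the privileges it needs.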