Learning the Mac OS X Terminal, Part 3
Eliminating sendmail Permissions Errors
As you remember, we needed to change the permissions for the root directory to get sendmail to work. While in most cases this does work, it’s really just a workaround that comes with a few of its own trade-offs. For one, some Apple updaters will revert the permissions, so you’ll need to chmod again to get sendmail back on track.
Secondly, and more importantly, there's a reason why Apple wants the root directory to be group-writable. Many Classic installer applications (and even some native ones) are programmed to place items in the root directory, and unless you’ve given these applications admin privileges to do this, they just might choke during an installation. Apple’s workaround for this possibility, then, is to keep the root directory group-writable.
Of course, that causes problems for sendmail, which, for security reasons, requires that the root directory not be group-writable. At this point, then, you might feel stuck between a rock and a hard place. But wouldn’t it be great if you could just tell sendmail (as Ben Franklin might), "Hey, I’m willing to give up a little security if you just give me the liberty to keep my permissions!"
In fact, sendmail allows you to set just that option by adding a single line to its configuration file. This is from the sendmail documentation:
"You may have to tweak your environment to make it safer for sendmail to run. If you find that some of the safeties in sendmail are too restrictive for your environment, they can be turned off by setting the option DontBlameSendmail. The option is appropriately named as sendmail is not to be blamed for problems resulting from unsafe permissions on directories and files."
As long as you’re using sendmail as described in the tutorial and are the primary user of the machine, the security risk is small in setting this option. If, however, you aren’t able to control access to your machine either physically or remotely, and you are compromised, please don’t blame me either ;-)
So if you’re ready to go, the file you need to edit is /etc/mail/sendmail.cf. You’ll first want to make a backup. Since the /etc/mail directory is only root-writable, you’ll need sudo:
sudo cp -p /etc/mail/sendmail.cf /etc/mail/sendmail.cf.bak
Note the use of the -p option flag in this command line, which preserves the permissions settings of the original in the copy of the file. This will make things a little easier, should you need to quickly restore the file.
You can then edit this file using pico, as you have with others. Since sendmail.cf is only writable by root, you’ll need to use sudo here as well.
sudo pico /etc/mail/sendmail.cf
This file is over 1,200 lines long and might be intimidating, but since you’ll just be adding a single line near the top and then getting the heck out, you should have nothing to worry about.
The line you’re looking for is a commented-out "DontBlameSendmail" line about 70 lines down from the top. The quickest way to get there in pico is by pressing Control + W, entering "DontBlame", and pressing Return. You should then see these lines:
# level 9 config file format
V9/Berkeley
# override file safeties - setting this option compromises system security,
# addressing the actual file configuration problem is preferred
# need to set this before any file actions are encountered in the cf file
#O DontBlameSendmail=safe
# default LDAP map specification
Next, add a new line after the found line and enter (or paste in) this line:
O DontBlameSendmail=GroupWritableDirPathSafe
When you’re done, the lines should look like this:
# override file safeties - setting this option compromises system security,
# addressing the actual file configuration problem is preferred
# need to set this before any file actions are encountered in the cf file
#O DontBlameSendmail=safe
O DontBlameSendmail=GroupWritableDirPathSafe
# default LDAP map specification
As usual, press Control + O to save the file, Return to confirm the name, and Control + X to exit pico. You can now reset the root directory’s permissions to the factory default with this command:
[localhost:/etc/mail] chris% sudo chmod g+w /
If everything went well, sendmail will in fact send its mail the next time it’s beckoned, even with a group-writable root directory.
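The trade-off described above can be checked rather than assumed. The following shell script is an added example, not part of the original article; its function names and the throwaway sample tree are constructed for illustration. It reports whether the override is active and whether any directory on the path to sendmail.cf is group- or world-writable, which tells you whether the line is still needed.

```sh
#!/bin/sh
# Added example: is DontBlameSendmail active, and does the path to
# sendmail.cf actually need it?

# Print each active (uncommented) DontBlameSendmail value, one per line.
active_dontblame() {
    sed -n 's/^O[[:space:]]*DontBlameSendmail[[:space:]]*=[[:space:]]*//p' "$1" |
        tr ',' '\n' | sed -e 's/[[:space:]]*$//' -e '/^$/d'
}

# Print each directory from FILE's parent up to STOP (default /) whose
# `ls -ld` mode string has 'w' in column COL (6 = group, 9 = other).
writable_dirs() {
    col=$1
    dir=$(dirname "$2")
    stop=${3:-/}
    while :; do
        mode=$(ls -ld "$dir" | cut -c"$col")
        [ "$mode" = w ] && printf '%s\n' "$dir"
        [ "$dir" = "$stop" ] || [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
}

# Classify FILE (walking up to STOP) as one of:
#   strict            no override set and no writable directory in the path
#   will-refuse       a writable directory that the active options do not cover
#   relaxed-needed    GroupWritableDirPathSafe is covering a group-writable dir
#   relaxed-unneeded  an override is set but nothing in the path requires it
assess() {
    opts=$(active_dontblame "$1")
    gw=$(writable_dirs 6 "$1" "${2:-/}")
    ow=$(writable_dirs 9 "$1" "${2:-/}")
    relaxed=no
    printf '%s\n' "$opts" | grep -qx 'GroupWritableDirPathSafe' && relaxed=yes
    # GroupWritableDirPathSafe only covers group-writable directories.
    if [ -n "$ow" ]; then echo will-refuse
    elif [ -n "$gw" ] && [ "$relaxed" = yes ]; then echo relaxed-needed
    elif [ -n "$gw" ]; then echo will-refuse
    elif [ -n "$opts" ] && [ "$opts" != safe ]; then echo relaxed-unneeded
    else echo strict
    fi
}

# Constructed sample: ROOT/etc/mail/sendmail.cf holding the lines quoted in
# the article; pass "on" as $2 to include the active override line.
make_sample() {
    mkdir -p "$1/etc/mail" && chmod 755 "$1" "$1/etc" "$1/etc/mail"
    {
        echo '# need to set this before any file actions are encountered in the cf file'
        echo '#O DontBlameSendmail=safe'
        [ "$2" = on ] && echo 'O DontBlameSendmail=GroupWritableDirPathSafe'
        echo '# default LDAP map specification'
    } > "$1/etc/mail/sendmail.cf"
}

# Demo on a throwaway tree; its top directory stands in for the real /.
demo=$(mktemp -d)
make_sample "$demo" on
chmod g+w "$demo"
echo "active override: $(active_dontblame "$demo/etc/mail/sendmail.cf")"
echo "assessment:      $(assess "$demo/etc/mail/sendmail.cf" "$demo")"
rm -rf "$demo"
```

On a real machine, `assess /etc/mail/sendmail.cf` walks all the way up to /. A result of relaxed-unneeded means the override line can be commented out again without breaking mail delivery.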
If you’re still having problems with anything, make sure to look at the TalkBack sections for all parts of this tutorial, where readers and I have covered most of the common problems and made some corrections.
Also, if you would like to learn lots more about cron, here’s another tutorial for you.
Now that your feet (or even your knees) are wet working with Terminal and Unix, you have an entire ocean left to explore. I hope this tutorial has given you the confidence to dive in. There are other articles here on the Mac DevCenter you should now be ready for, as well as plenty more around the Internet.
I also plan to have some more of my own articles in the near future, so feel free to make any requests in the TalkBacks. See you there!
Special thanks to Fred Coffman for his help with this article.
Chris Stone is a Senior Macintosh Systems Administrator for O'Reilly, coauthor of Mac OS X in a Nutshell and contributing author to Mac OS X: The Missing Manual, which provides over 40 pages about the Mac OS X Terminal.
-
Long delay at startup
2002-07-23 12:16:41 Subhash
After changing the files as read starting my Mac needs 2 minutes only for sendmail.
Any suggestions?
-
sendmail and OS 10.1.5
2002-06-26 20:41:00 pnschatz
I have applied the fix for OS 10.1.5, and sendmail works. But every time I start up or restart, the process hangs for about two minutes at "Starting Sendmail". Is there some way of getting around this delay?
Paul
-
Fixing Return Address
2002-06-18 21:25:19 dennisj
Thanks for the great articles - I have mail and send mail working under 10.1.5. Now I am getting ready to move on to Terminals #4.
I tried to send a message using my real address and received a message that a real domain name is required for the sender. I don't have a domain, but I do have a fixed IP. What needs to be fixed?
----- The following addresses had permanent fatal errors -----
dennisj@mac.com
(reason: 553 5.5.4 <dennisj@localhost>... Real domain name required for sender address)
----- Transcript of session follows -----
... while talking to smtp-mx.mac.com.:
MAIL From:<dennisj@localhost> SIZE=93
<<< 553 5.5.4 <dennisj@localhost>... Real domain name required for sender address
501 5.6.0 Data format error
-
sendmail broken?
2002-06-07 15:19:26 jwilcox
Applied the netinfo changes and sendmail is now working again, but I get a bunch of warning messages
TCP or FILE
Mesmtp: Warning: first argument in [IPC] mailer must be TCP or FILE
Msmtp8: Warning: first argument in [IPC] mailer must be TCP or FILE
Mdsmtp: Warning: first argument in [IPC] mailer must be TCP or FILE
Mrelay: Warning: first argument in [IPC] mailer must be TCP or FILE
and then mail sits there until I hit a return. The mail still gets sent.
-
Can't send mail: broken in X 10.1.5????
2002-06-05 18:47:20 baltwo
Followed your example and set up mail and got two daily reports. Installed 10.1.5 update and couldn't send/receive mail, so I went through your steps and get an error when trying to send mail. Here's where I'm at and I don't really understand what's going on.
[localhost:~] baltwo% sudo chmod g-w /
[localhost:~] baltwo% mail root
Subject: test
this is it
.
EOT
[localhost:~] baltwo% can not chdir(/var/spool/clientmqueue/): Permission denied
Program mode requires special privileges, e.g., root or TrustedUser.
How do I set privileges for "program mode"?
-
Can't send mail: broken in X 10.1.5????
2002-06-07 09:16:24 Chris Stone
Sorry for the delay responding to this, but expect an extended fix update sometime today. In the meantime, follow the steps in /etc/mail/README (including the 2 netinfo commands), and that should get you going again.
Thanks,
--Chris
-
Can't send mail: broken in X 10.1.5????
2002-06-06 22:37:21 miscdebris
I am experiencing exactly the same error with 10.1.5. I had sendmail working properly under 10.1 through 10.1.3 with the DontBlameSendmail directive set properly, but with 10.1.5 sendmail doesn't want to work.
I receive this message in the terminal: "can not chdir(/var/spool/clientmqueue/): Permission denied. Program mode requires special privileges, e.g., root or TrustedUser."
then in mail.log, the following entries appear:
unable to qualify my own domain name (localhost) -- using short name
NOQUEUE: SYSERR(tim): can not chdir(/var/spool/clientmqueue/): Permission denied"
Any ideas what's going on?
-
cron jobs don't work!
2002-04-19 03:08:05 miklas1
Hi!
My box at work makes some trouble by
executing the daily, weekly or monthly cron job:
Ausgabe des Befehls sh /etc/monthly 2>&1 | tee /var/log/monthly.out | mail -s "`hostname` monthly output" root ..
Warning: Option: CACERTPath requires TLS support
Warning: Option: CACERTFile requires TLS support
Warning: Option: ServerCertFile requires TLS support
Warning: Option: Serverkeyfile requires TLS support
Warning: Option: ClientCertFile requires TLS support
Warning: Option: Clientkeyfile requires TLS support
the report sent as e-mail to root:
Von System Administrator <root>
An root
Datum Fri, 19 Apr 2002 11:57:26 +0200 (CEST)
Betreff jupiter.intern.dasburo.com daily output
Subject: jupiter.intern.dasburo.com daily run output
Removing scratch and junk files:
Backing up NetInfo data
nidump: can't connect to server localhost/local: Communication failure
usage: nidump [-r] [-T timeout] {directory | format} [-t] domain
known formats:
aliases
bootptab
bootparams
ethers
exports
fstab
group
hosts
networks
passwd
printcap
protocols
resolv.conf
rpc
services
mountmaps
Checking subsystem status:
disks:
Filesystem 1K-blocks Used Avail Capacity Mounted on
/dev/disk0s9 6143424 5507916 635508 89% /
fdesc 1 1 0 100% /dev
/dev/disk0s10 1417152 720176 696976 50% /Volumes/Mac
OS 9.2.1
/dev/disk0s11 12476184 4058600 8417584 32% /Volumes/Local
Cube
Last dump(s) done (Dump '>' file systems):
mail:
Warning: Option: CACERTPath requires TLS support
Warning: Option: CACERTFile requires TLS support
Warning: Option: ServerCertFile requires TLS support
Warning: Option: Serverkeyfile requires TLS support
Warning: Option: ClientCertFile requires TLS support
Warning: Option: Clientkeyfile requires TLS support
/var/spool/mqueue is empty
Total requests: 0
network:
Name Mtu Network Address Ipkts Ierrs Opkts Oerrs Coll
lo0 16384 <Link> 5428 0 5428 0 0
lo0 16384 127 localhost 5428 0 5428 0 0
en1* 1500 <Link> 00.30.65.08.a0.64 0 0 0 0 0
en0 1500 <Link> 00.30.65.ab.e2.36 53585 868 65752 0 0
en0 1500 192.111.127.1 jupiter 53585 868 65752 0 0
en0 1500 (255)fd.80.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.d2.ec.65.6e.00.00.65.74.68.65.72.5f.69.66.61.74.74.00.00.00.70.b0.44.00.00.00.00.00.00.00.00.00.00.00.bf.ff.fe.c0.00.00.00.0c.00.00.00.02.bf.ff.fe.d0.bf.ff.fe.c4.00.00.19.d8.bf.ff.fd.c0.00.00.00.00.41.11.2b.1c.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.02.bf.ff.fe.cc.00.00.00.02.bf.ff.fe.d0.bf.ff.fe.c4.00.00.67.e4.bf.ff.fe.10.00.00.10.00.00.00.6d.e8.70.00.89.c4.bf.ff.fe.10.00.00.00.50.00.00.19.fc.00.00.00.40.00.00.00.1f.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.4f.00.00.00.08.00.00.00.06
53585 868 65752 0 0
ruptime: no hosts in /var/rwho.
Rotating log files: system.log
----- end ----
can anybody help me or explain what happened?
Thanx, Miklas from Germany
-
sendmail "no such file or directory
2002-03-31 09:16:17 stewa
Chris,
Sorry, if there is a simple answer to this question, but I'm a terminal newbie and confused.
When I go to make a backup copy of sendmail using "sudo cp -p sendmail.cf sendmail.cf.bak" I get this:
cp: sendmail.cf: No such file or directory
Any help would be appreciated.
Thanks,
Andy
-
OSX Man Page
2002-03-14 14:56:40 jillangel
I love these tutorials!
"Just going through the Read the Friendly Manpage!"
when I type
whatis intro
I only have intro (1)
intro (7)
intro (8)
why would all of them not be available?
Is that possible?
Jill
-
Error message
2002-03-12 22:57:30 shryn
Many thanks Chris, from a UNIX newbie, for a great article.
Having followed the steps (correctly, I think), I keep getting this error message. even though my mail gets sent..
:/var/log] root# hash map "Alias0": missing map file /etc/mail/aliases.db: No such file or directory
...and indeed there isn't an aliases.db. Can I create my own, if so what info do I need to place in there?
Are you able to shed any light on this?
I'm running a G4 server with OSX Server v.10.1.3
I hope you write more articles with easy (for Mac users) step-by-step instructions.
Steve Hryncewicz
Japan
shryn@gol.com
-
Mac GUI guy becoming code addict
2002-03-10 20:19:28 pablo2001
Thanks to your efforts to walk us through this command line area I'm becoming addicted. When Apple first came out with OS X I thought I was witnessing the death of a great company. Now that I see how much of an inside track the new OS provides I am persuaded to a completely happier view.
Thanks for the help.
Bill McEntee
-
Great work
2002-03-08 14:23:49 mgoins11
I have enjoyed this wonderful tutorial and am looking forward to more. Why does my command prompt read "tcsh_initdir: Undefined variable?"
-
Network output
2002-03-06 23:02:36 roberto_bolzan
I found this surprising line in my daily output.
network:
Name Mtu Network Address Ipkts Ierrs Opkts Oerrs Coll
lo0 16384 <Link> 64177 0 64177 0 0
lo0 16384 127 localhost 64177 0 64177 0 0
en0 1500 <Link> 00.03.93.xx.xx.xx 223285 0 286090 0 0
en0 1500 192.168.1 192.168.1.2 223285 0 286090 0 0
en0 1500 (255)fd.e0.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.d2.ec.65.6e.00.00.65.74.68.65.72.5f.69.66.61.74.74.00.00.00.70.b0.44.00.00.00.00.00.00.00.00.00.00.00.bf.ff.ff.08.00.00.00.0c.00.00.00.02.bf.ff.ff.18.bf.ff.ff.0c.00.00.19.d8.bf.ff.fe.20.00.00.00.00.41.11.2b.1c.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.02.bf.ff.ff.14.00.00.00.02.bf.ff.ff.18.bf.ff.ff.0c.00.00.67.e4.bf.ff.fe.70.00.00.10.00.00.00.6d.e8.70.00.89.c4.bf.ff.fe.70.00.00.00.50.00.00.19.fc.00.00.00.40.00.00.00.1f.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.4f.00.00.00.08.00.00.00.06 223285 0 286090 0 0
-
localhost gone
2002-03-02 22:02:30 flyyama
I changed the crontab file as suggested in part I and everything seems ok except that when I logged into Terminal the next time it reads: [148-0005027e7001:~] chris% instead of saying localhost....is this normal or what? If it is not good how can I fix it? Thanks.
-
Window positions
2002-03-02 21:54:29 build6@hotmail.com
Hi everyone, would like to ask a question - pre-OS X 10.1.x, Terminal would always remember the window positions of the last window before quit, and would open a terminal at that exact spot the next time it's launched. This behaviour seems to have changed ever since OS X 10.1.x - I've not seen it since 10.0.4; does anybody know how to trigger this behaviour again?
-
A great series on Terminal!
2002-03-02 08:22:14 freestyler-x
I appreciate the effort you put into such an informative series Chris.
(I'm retyping this as my track pad submitted
1/2 thru my post!)
I was saying, as I worked thru the third installment, I sent a test mesg to my internet email account and lo and behold it worked!
so now I'm curious - how did that work? I haven't configured any smtp settings with mail (only exposure thus far is thru this series) - does it talk to the local subnet's smtp server by default (ie that of my adsl provider?) I have sent an email to a broader address (outside this ISP and I'll see how that works too...)
Cheers
Adrian
london
-
MacDEV Mention
2002-03-02 05:19:25 tomp2002
Kudos to the author. Forgot to mention earlier that I also noticed this a.m. that series is mentioned in Apple's MacDEV newsletter.
Only for the worthy. :)
(Pardon stretch of the bandwidth.)
-
Good addition!
2002-03-02 05:10:03 tomp2002
Another good article in this series. Many thanks to Chris Stone!
(link on cron to FreeBSD series is also quite useful)
-
sendmail: unable to qualify my own domain name
2002-02-28 22:29:38 santos
Chris,
I am really enjoying your articles. This is great information presented very well.
I'm having trouble with sendmail after taking the steps in part two. Specifically, anytime I send mail via the CLI mail program, I get these two messages on the console:
Feb 28 21:34:31 localhost sendmail[1019]: My unqualified host name (localhost) unknown; sleeping for retry
Feb 28 21:35:31 localhost sendmail[1019]: unable to qualify my own domain name (localhost) -- using short name
The mail seems to go through, and all other functions of sendmail seem to work, but nevertheless, the error messages are occurring.
Thank You,
Bill
-
SOLUTION! sendmail: unable to qualify my own domain name
2003-06-03 10:53:47 anonymous2
The solution is to add a line in your "/etc/hosts" file.
My computer is Nelly, and I'm doing localhosting sooo:
127.0.0.1 nelly.local. nelly
The format is:
[ipaddress] [longname] [shortname]
Obviously without the brackets.
Don't know your name? Try pinging yourself or doing an:
>nslookup [shortname]
Cheers!
bcshessa@bluffton.edu
-
sendmail: unable to qualify my own domain name
2002-03-01 14:46:28 kwidholm
I've been having the same issue. The problem seems to go away when I'm online. Of course, if I didn't have my console open, the problem wouldn't "exist".
I'd like to see if anyone can get rid of this stuff without having a fully qualified, always on domain name for their machine? Any takers?
k
-
sendmail doesn't work if write perms are on
2002-02-27 22:22:23 alearnerrather
I followed the article and changed my sendmail.cf file, and then I turned the write permissions back on, and when I send mail to root from the CLI, I don't receive it. I only seem to receive it if the write perms are OFF, as in part 2 of the article. Is there anything I'm missing?
Thanks!
-
I want more!
2002-02-27 18:37:11 aishafenton
I want more!
I don't need an OS X book about how to open folders (which at best has a simple introduction to the terminal)
I want/need a proper manual for OS X's unix side.
I would like to learn about all aspects of the included unix programs... such as Mounting NFS shares, TCSH tips and tricks, and even porting unix apps!
These articles are the best thing out there so far.
Plllllleeeease someone write an intermediate to advanced book on OS X. I will be the first one in queue to buy this book.
-
Great
2002-02-27 11:23:38 nnicoletis
These Terminal tutorials are really great and useful, please give us more "food for thought"!
-
Great Series of Articles
2002-02-27 10:56:39 aleddavies
Just quick note to say a great series of articles. One area I wouldn't mind seeing covered in the future is maybe how MacOS X hostnames are configured to be something other than 'localhost' and how NetInfo works into all this.
It took me a couple of days to work this one out, and I'm still not 100% sure that I've nailed it right. ;)
-
locate
2002-02-27 06:17:41 pmccann
OK, someone is going to mention that locate, while nice, is not **nice enough**, so I might as well get the ball rolling. Its quoting regimen is pretty awful and it can't do a lot of things that you'd like it to do: case insensitive matches come to mind here.
Given that this is a series about the CLI I'll skip carefully over the fact that there's a really nice GUI application called "Locator" (see www.versiontracker.com), which covers up these inadequacies. [[Unsubtle hint: get it!]] Instead, here's how to mimic what "Locator" does from the command line. The key is to feed the output from the command
locate \*
into another application that's more capable than locate at filtering the output. The command above just outputs *everything* in the database. So let's say you wanted to find a file that you remember downloading, called something like "applescriptlanguageguide". You feed that to locate and it says "nothing doing". So instead feed the "locate \*" command output to grep, and ask it to match for "applescriptlanguage" case insensitively.
locate \* | grep -i "applescriptlanguage"
Bingo: it takes a couple of seconds, but the file --with its mixed capitalization-- is found. The "pipe" symbol "|" just means: make the output from the command on the left of the pipe the input for the command on the right.
So that's not unhelpful, but it relied on you having a pretty decent recollection of the file name! Suppose you knew it was something like "applescript" followed by something like "language", with maybe something in between. We're drifting towards regular expressions (very gently!) here, and that's maybe what I'm suggesting for future columns: grepping for profit and pleasure, maybe in concert with "sort" and "cut" or their kinfolk.
In any case, here's what you'd do if that's all the information you could remember about the filename.
locate \* | grep -i "applescript.*language"
The .* in the pattern that you're asking grep to find just means "any character (that's the dot), occurring zero or more times (that's the star)". And you'll probably find a longish list of matches, especially if you've installed the Developer Tools. Obviously this is becoming overly long, so I'll stop here (except to mention that "Locator" actually uses perl to do the pattern matching: those who know a little about regular expressions might want to try stuffing some of that knowledge between the two forward slashes in the following command:
locate \* | perl -ne 'print if /applescript.*language/i'
which is the perl equivalent of the above "grep" line.)
Cheers, and thanks for the helpful article,
Paul






I was a windows user but moved to Mac OS X. I have some perl scripts I run on MS-DOS cmd.exe but have been having problems running those scripts on Mac OS X terminal.
Is there any command used for running perl scripts or how do I go about it.
Thanks for responding.
Cruzapete