# ssmtp permissions problem with hylafax

## redwood

I have a hylafax-4.4.4 server which is running ssmtp-2.62-r3

I'm trying to get /var/spool/fax/bin/faxrcvd working so that after it receives a fax.tif, it converts the tif to pdf and then emails me the fax at fax@mydomain (running postfix on my mailhub) using the MailWithFAX function:

```
MailWithFAX ()
{
    template="etc/templates/$TEMPLATE/faxrcvd-$1.txt"
    files_1=$FILE;
    filetype_1=TIFF;
    nfiles=1;
    for ft in $FILETYPE
    do
        ATTACH_ARGS="$ATTACH_ARGS "`BuildAttachArgs $ft`
    done
    echo "MailWithFAX"               >>log/hylafax.log
    echo "calling CreateMailMessage" >>log/hylafax.log
    echo "template=$template"        >>log/hylafax.log
    echo "ATTACH_ARGS=$ATTACH_ARGS"  >>log/hylafax.log
    echo "SENDMAIL=$SENDMAIL"        >>log/hylafax.log
    echo "FROMADDR=$FROMADDR"        >>log/hylafax.log
    echo "SENDTO=$SENDTO"            >>log/hylafax.log
    echo "ERRORSTO=$ERRORSTO"        >>log/hylafax.log
    echo "Now creating mail"        >>log/hylafax.log
    eval CreateMailMessage $template $ATTACH_ARGS 2>>log/hylafax.log > log/message.mail
    echo "Now sending mail"        >>log/hylafax.log
    cat log/message.mail|/usr/sbin/ssmtp  -f "$FROMADDR" -oi "$SENDTO"  2>>log/hylafax.log
    echo whoami=`whoami` >>log/hylafax.log
#   eval CreateMailMessage $template $ATTACH_ARGS \
#       2>>log/hylafax.log | $SENDMAIL -f "$FROMADDR" -oi "$SENDTO"
}
```

When I receive a fax and hylafax tries to email me the pdf, I get a permissions error:

```
# cat /var/spool/fax/log/hylafax.log
faxrcvd
SENDTO=fax@mydomain
MailWithFAX
calling CreateMailMessage
template=etc/templates/en/faxrcvd-success.txt
ATTACH_ARGS=  "/tmp/tmp-7062/fax000000080.pdf" "application/pdf" "fax000000080.pdf" "FAX Document (PDF)"
SENDMAIL=/usr/sbin/sendmail
FROMADDR=hylafax@mydomain
SENDTO=fax@mydomain
ERRORSTO=/dev/null
Now creating mail
Now sending mail
bin/faxrcvd: line 182: /usr/sbin/ssmtp: Permission denied
whoami=uucp
```

It seems that hylafax runs with user:group of uucp.uucp, so I have added the uucp user to the ssmtp group:

```
# grep uucp /etc/group
uucp::14:uucp,asterisk
ssmtp:x:1002:uucp
```

and I have /usr/sbin/sendmail -> /usr/sbin/ssmtp with

```
# ls -l /usr/sbin/ssmtp
-rwxr-x--- 1 root ssmtp 26144 Sep 30 23:01 /usr/sbin/ssmtp
```

Thanks for any ideas.

----------

## erik258

I wonder why ssmtp execution is restricted to root?  I am somewhat surprised to see that.  It must be a change in the package, because my /usr/bin/ssmtp is not permissioned so restrictively:  

```
dan@pascal ~ $ ls -l /usr/sbin/ssmtp 
-rwxr-xr-x 1 root root 32936 Aug  9  2007 /usr/sbin/ssmtp
```

Granted, that's from a year ago.  From what I could find online with a little searching, there was an exploit back in ssmtp-2.60 but it should be long fixed now.  The only other thing I found was a bug from yesterday which discussed the ease with which someone could read smtp authentication information from /etc/conf.d/ssmtp.conf if they were in the ssmtp group.   That might have something to do with it but I'm not sure.

----------

## redwood

OK,

I 'chmod o+rx /usr/sbin/ssmtp' and now the MailWithFAX() function works.

```
# ls -l /usr/sbin/ssmtp
-rwxr-xr-x 1 root ssmtp 26144 Sep 30 23:01 /usr/sbin/ssmtp
```

I'm still not clear why if hylafax is running as user 'uucp' as shown by my debug statement in faxrcvd: ``echo whoami=`whoami` >>log/hylafax.log`` and user 'uucp' is a member of the 'ssmtp' group:

```
# grep ssmtp /etc/group
ssmtp:x:1002:uucp
```

then why isn't user 'uucp' able to run /usr/sbin/ssmtp with permissions "-rwxr-x---"

I guess the solution for now is to relax the permissions so that everyone can run ssmtp. On my hylafax server there are no real system users (other than my own unix login). I really didn't want to have to install/configure sendmail or postfix on my hylafax server just to send an email to my postfix mailhub server.

I had been using asterisk's asterisk-app_rtxfax for receiving faxes, and had installed hylafax just to send outgoing faxes with the software iaxmodem. But after upgrading from asterisk-1.2.27 to 1.4.21, the asterisk-app_rtxfax broke and wouldn't compile with the new asterisk. So I decided to just let hylafax handle both incoming and outgoing faxes. But the faxrcvd script wasn't emailing me the incoming faxes. So I reverted to using the FreePBX perl script fax-process.pl (which uses the CPAN ssmtp module) for emailing faxes which worked. But I couldn't for the life of me figure out why faxrcvd wasn't working. I double-checked my mailhub's postfix/main.cf file for any weird rejection policies,  but eventually resorted to just adding a lot of debug statements to faxrcvd to find out where the script was failing.

Thanks for your help.

----------

## erik258

Well, good hacking!  Glad to help.  I too am unsure why uucp in the ssmtp group was unable to execute, the permissions look right;  I am guessing perhaps the way in which the script sets its user as uucp might be interfering with the correct group permissions being applied but I am really just grasping at straws here.  Hopefully some more knowledgeable guru will come by and explain it to both of us.  

It doesn't seem like you have any security to worry about, seems like you'd have to have other potentially malicious users for that.  Besides, in your situation I doubt you have any auth. details in ssmtp.conf, I would assume your mailhub is configured to accept any mail from the internal network(s).  

Enjoy your faxes -- er, emails.

----------
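Added example, not part of any post in this thread: `whoami` reports only the user name, while the kernel decides access from the uid and the group list the running process actually holds, which is fixed when the process starts and is not re-read from /etc/group. The script below models the owner/group/other choice and reports the live values for a file; the function names are illustrative.

```shell
#!/bin/sh
# Added example: which permission class does a process fall into, and does
# that class grant execute? (root's override is deliberately not modelled.)

# perm_class MODE FILE_UID FILE_GID PROC_UID "PROC_GIDS"
# Prints owner, group or other. Exactly one class is ever consulted.
perm_class() {
    if [ "$4" = "$2" ]; then echo owner; return 0; fi
    for g in $5; do
        if [ "$g" = "$3" ]; then echo group; return 0; fi
    done
    echo other
}

# can_exec MODE FILE_UID FILE_GID PROC_UID "PROC_GIDS"
# MODE is three octal digits, e.g. 750. Returns 0 when execute is granted.
can_exec() {
    case $(perm_class "$@") in
        owner) digit=${1%??} ;;
        group) digit=${1#?}; digit=${digit%?} ;;
        other) digit=${1##??} ;;
    esac
    [ $((digit & 1)) -eq 1 ]
}

# report FILE: compare FILE's group with the groups this process holds.
# Paste into a script such as faxrcvd in place of the whoami line, so the
# log shows the credentials of the process that is actually denied.
report() {
    fgid=$(ls -lnd "$1" | awk '{print $4}')
    echo "file gid=$fgid  process uid=$(id -u) gids=$(id -G)"
    for g in $(id -G); do
        if [ "$g" = "$fgid" ]; then
            echo "process holds gid $fgid"
            return 0
        fi
    done
    echo "process does NOT hold gid $fgid"
    return 1
}

# Stand-alone use: sh thisscript /usr/sbin/ssmtp
if [ $# -gt 0 ]; then report "$1"; fi
```

If `report` shows the gid missing, typical causes are a daemon started before the group was changed or one that dropped privileges without loading supplementary groups; fixing that lets the binary keep mode 750 rather than being opened to every user.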

