I've had a test SLES 10 SP2 box with all of the GroupWise 8 agents installed on it and running fine as root for weeks. My next step was to change everything to run as a non-root user for obvious security reasons. I read about deleting the uid.run files and creating uid.conf to get GW to run as my gwadmin user, so I did that. I also changed permissions so that the gwadmin user had rwx perms on all of the domain, logs and /var/run directories I could find.

After doing so, I am able to send and receive emails, but it looks like communication between my agents is now funky. In the POA, I now constantly get these messages:

144 MTP: Receiver thread started: 2 running

about 5-10 every second. More problematic is that when I send an outgoing message via the client, checking the properties of that message reveals that the status never changes from "Pending" to "delivered" or "transferred", even if it has successfully delivered the message to another mailbox or successfully routed it to the GWIA.

All of the uid.run files do now reflect that the MTA, POA and GWIA are running as gwadmin. (Why the WebAccess agent must run as root is another question, but that's another story.)

I ran an strace on the POA, MTA and GWIA and the only clue I found is that my MTA cannot write to the following file:

/<domain dir>/mslocal/mshold/sacad06/5/000dfed2.001

The reason is that this file was created yesterday by root and only root has write access. Somehow other files in that same folder were created by gwadmin properly even though I've been running my agents as gwadmin exclusively for days now.

I'm thinking I could get around this by changing root's umask, but then I'd just be creating one more security problem which defeats the purpose.

Is anyone out there successfully running their GW 8 server on SLES as a non-root user? If I can't run the agents as a non-root user, I don't see how I can put this product into production and be able to sleep at night.

If you ask me, running as non-root shouldn't be an option - it should be a given. In future releases, it really should be part of the install process to specify a user to run as and then lay out the directories accordingly.

Thanks in advance for any and all feedback.
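As an added check (not part of the original post): a small script that lists every file under a domain or post office tree that the agent user cannot write to, which is exactly the condition the strace turned up on the mshold file. It assumes GNU find, stat and id as shipped on SLES; the directory /gwdomain and the user gwadmin in the usage line are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: report files under a GroupWise
# domain or post office tree that a given agent user cannot write to, so that
# root-owned leftovers like mslocal/mshold/.../000dfed2.001 are found before
# the MTA trips over them. Assumes GNU find/stat/id (present on SLES).

find_not_writable_by() {
    dir=$1
    user=$2
    # Primary and supplementary groups of the agent user, space separated.
    # An unknown user is an error (status 2), not an empty result.
    user_groups=$(id -Gn "$user" 2>/dev/null) || return 2

    # Candidates: regular files not owned by the user and not world-writable.
    find "$dir" -type f ! -user "$user" ! -perm -o=w -print |
    while IFS= read -r f; do
        # Group write only helps if the user is a member of that group.
        if stat -c '%A' "$f" | grep -q '^.....w'; then
            grp=$(stat -c '%G' "$f")
            case " $user_groups " in
                *" $grp "*) continue ;;
            esac
        fi
        printf '%s\n' "$f"
    done
}

# Usage (placeholder path and user): sh check_gw_perms.sh /gwdomain gwadmin
if [ $# -eq 2 ]; then
    find_not_writable_by "$1" "$2"
fi
```

Anything the script prints is a file the agent will fail on once it runs as gwadmin; fixing ownership of those files (rather than loosening root's umask) keeps the agent user's privileges where they belong.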