Manage Learn to apply best practices and optimize your operations.

What does 'invoked by uid 78' mean?

Are you seeing a 'uid 78' in your emails? In this expert response, Michael Cobb explains what the message means.

All of our business and private mail is being scooped up with the following message:

'Invoked' by (qmail ##### invoked by uid 78).

Though the qmail number varies, the "invoked by uid 78" part is always constant. What is uid 78 referring to, and do you know what the problem is with my business mail?

For readers not familiar with qmail, it is a mail transfer agent that runs on Unix-based machines. It has proved popular as it is a more secure alternative to the ubiquitous Sendmail program, which has been a constant target for hackers. Qmail provides a better level of security by using compartmentalization and distributed delegation to minimize the danger of security holes. The mutually untrusting components that make up qmail each run with different credentials. It also makes use of a security-aware replacement to the C standard development library to avoid common vulnerabilities such as buffer overflows, format string attacks, or temporary file race conditions. The source code was released into the public domain in November 2007.

The 'uid 78' that you are seeing in your emails refers to user ID (uid) 78, which invoked the qmail process. There are two types of users who could have invoked qmail: human or system. You, for example, are obviously a human user, while programs like Apache and qmail are system users, not human users. The fact that the uid is constant makes tracking down your problem a lot easier. If you search for the uid 78, inside the /etc/passwd file, using the grep command-line text search tool, for example, you should find the user associated with this uid. So here's a possible command, for example:

# grep 78 /etc/passwd

If you find that user id 78 is associated with a human user, then you can immediately suspend the user's account and take the matter further with the user directly. I suspect, though, that you will find that uid 78 is that of a system program, which will require additional investigation. On Red Hat Linux, for example, all uids below 500 are reserved for system use.

Keep in mind that programs cannot generate mail on their own. They only generate mail when instructed to do so. The first place I would look would be scripts that run on the server. One cause may be a Web form script sending mail using user ID 78's account. This could occur if you restarted your Apache Web server incorrectly using the "su," or substitute user command. The error would lead to the wrong user's environment variables being used by the Web script engine.

To avoid such problems in the future, ensure all administrators follow best practices when making changes to servers and that they log on and off using the correct accounts. Any system configuration changes or restarts should be logged following change-control procedures. If the appearance of this mail header has suddenly started, you should be able to narrow down the problem and trace it back through your change log to see who made what changes to your server and when.

This was last published in April 2009

Dig Deeper on Email and Messaging Threats-Information Security Threats