Handling sendmail Permissions

(Page 1 of 4 )

In this second part of a four-part series focusing on sendmail security, you will learn how attackers use permissions to gain root privilege, and how to keep them from doing so. It is excerpted from chapter four of sendmail, fourth edition, written by Bryan Costales, Claus Assmann, George Jansen and Gregory Shapiro (O'Reilly, 2007; ISBN: 0596510292). Copyright © 2007 O'Reilly Media, Inc. All rights reserved. Used with permission from the publisher. Available from booksellers or direct from O'Reilly Media.

4.5 Permissions

One technique that attackers use to gain root privilege is to first become a semiprivileged user such as bin or sys. Such semiprivileged users often own the directories in which root-owned files live. For example, consider the following:

  drwxr-sr-x 11 bin     2560 Sep 22 18:18 /etc/mail
  -rw-r--r--  1 root    8199 Aug 25 07:54 /etc/mail/sendmail.cf

Here, the /etc/sendmail.cf configuration file is correctly writable only by root. But the directory in which that file lives is owned by bin and writable by bin. Having write permission on that directory means that bin can rename and create files. An individual who gains bin permission on this machine can create a bogus sendmail.cf file by issuing only two simple commands:

% mv /etc/mail/sendmail.cf /etc/mail/...
% mv /tmp/sendmail.cf /etc/mail/sendmail.cf

The original sendmail.cf is renamed ... (a name that is not likely to be randomly noticed by the real system administrator). The bogus /tmp/sendmail.cf then replaces the original:

  drwxr-sr-x 11 bin     2560 Sep 22 18:18 /etc/mail
  -rw-r--r--  1 bin     4032 Nov 16 00:32 /etc/mail/sendmail.cf

Unix pays less attention to semiprivileged users than it does root. The user root, for example, is mapped to nobody over NFS, whereas the user bin remains bin. Consequently, the following rules must be observed to prevent malicious access to root-owned files:

• All directories in the path leading to a root-owned file must be owned by root and writable only by root. This is true for all files, not just sendmail files.
  
• Files owned by root must be writable only by root. Group write permission, although at times desirable, should consistently be avoided.
  
• Because sendmail is running as root when processing the configuration file, care should be taken to ensure the safety of system files as well. All system directories and files must live in directories whose path component parts are owned by and writable only by root. All system files (except possibly set-user-id or set-group-id files) must be owned by root and be writable only by root. If any program “breaks” after securing permissions, complain to your vendor at once!

4.5.1   Dangerous Write Permissions

The sendmail program, of necessity, needs to trust its configuration file. To aid in the detection of risks, it checks the permissions of its configuration file when first reading that file. If the file is writable by group or world, sendmail logs the following message:*

  configfile: WARNING: dangerous write permissions

If sendmail is being started as a daemon or is being used to initialize the aliases database, it will print the same message to its standard error output.

Next: 4.5.2 Permissions for :include: >>
 

More Server Administration Articles
More By O'Reilly Media

blog comments powered by Disqus