Handling sendmail Permissions - 4.5.2 Permissions for :include:
(Page 2 of 4 )
The sendmail program doesn’t always run as root. When delivering mail, it often changes its identity into that of a nonprivileged user. When delivering to an :include: mailing list, for example, it can change its identity to that of the owner of the list. This, too, can pose security risks if permissions are not appropriate.† Consider the following aliases file entry:
newprogs: :include:/usr/local/lists/proglist
Here, notification of new programs is mailed to the aliasnewprogs. The list of recipients is taken from the following file:
-rw-rw-r-- 2 bin prog 704 Sep 21 14:46 /usr/local/lists/proglist
Because this file is owned by bin, sendmail changes its identity to bin when delivering to the list of recipients. Unfortunately, the file is also writable by the group prog. Anyone in the group prog can add a recipient to that list, including one of the form:
|/tmp/x.sh
This tells sendmail to deliver a copy of the message by running the program (a shell script) /tmp/x.sh.The sendmail program (which is still running as bin) executes that program as bin. Further, suppose the program /tmp/x.sh contains the following:
This causes bin first to make a copy of the Bourne shell in /tmp (a copy that will be owned by bin), and then to set the set-user-id bit on that copy (the u+s):
-rwsr-xr-x 1 bin 64668 Sep 22 07:38 /tmp/sh
The script then throws away the incoming mail message and exits with a zero value to keep sendmail unsuspecting. Through this process, an ordinary user in the group prog has created a set-user-id shell that allows anyone to become the semiprivileged user bin. From the earlier discussion (§4.5 on page 164), you can see the trouble that can cause!
Mailing lists (:include:) must live in a directory, all the components of which are writable only by root. The lists themselves should be writable only by the owner.
Mailing list (:include:) files can safely be owned by root. When sendmail processes a root-owned mailing list, it changes itself to run as the user and group specified by theDefaultUseroption (§24.9.32 on page 1000). That option defaults to daemon* but should be set to the mailnull user and mailnull group. TheDefaultUseroption should never be set to root.
