Handling sendmail Permissions - 4.5.3 Permissions for ~/.forward Files

(Page 3 of 4 )

The ~/.forward file can pose a security risk to individual users. There is a higher degree of risk if the user is root or one of the semiprivileged users (such as bin). Because the ~/.forward file is like an individual mailing list (:include:) for the user, risk can be encountered if that file is writable by anyone but the user.† Consider the following, for example:

  drwxr-xr-x 50 george guest     3072 Sep 27 09:19 /home/george/
  -rw-rw-r--  1 george guest       62 Sep 17 09:49 /home/george/.forward

Here, the user george’s ~/.forward file is writable by the groupguest. Anyone in groupguestcan edit george’s ~/.forward file, possibly placing something such as this into it:

  \george
  |"cp /bin/sh /home/george/.x; chmod u+s /home/george/.x"

Now all the attacker has to do is send george mail to create a set-user-id george shell. Then, by executing /home/george/.x, the attacker becomes george.

The semiprivileged users such as bin, and root in particular, should never have ~/.forward files. Instead, they should forward their mail by means of the aliases file directly.

User ~/.forward files must be writable only by the owning user. Similarly, user home directories must live in a directory that is owned and writable only by root, and must themselves be owned and writable only by the user.

Some users, such as the pseudouser uucp, have home directories that must be world-writable for software to work properly. If that software is not needed (if a machine, for example, doesn’t run UUCP software), that home directory should be removed. If the directory must exist and must be world-writable, to ensure that the ~/.forward file is never processed you can create an alias in the aliases database for uucp that points to root. For example:

  uucp:  root

Thereafter, although the ~uucp directory is world-writable (so that anyone can remove anything from it), that file will be ignored by sendmail, even if someone places a ~/.forward file in it.

Note that all critical dot files in a world-writable home directory must be protected from creation by others. Each of .rhosts, .login, .cshrc, .profile, and .logout, for example, should be made a nonempty, root-owned directory with mode 000. World-writable home directories must be owned by root instead of by the user, and they must have the+t(sticky bit) set.

When processing a user’s ~/.forward file, sendmail requires that the file be owned by the user or by root. If ownership is correct, it then examines the ~/.forward file’s permissions. If that file is world- or group-writable, sendmail ignores (and logs) attempts to run programs and to write directly to files.

Next: 4.5.4 Recommended Permissions >>
 

More Server Administration Articles
More By O'Reilly Media

Comments On: Handling sendmail Permissions

· This article is an excerpt from the book "sendmail, fourth edition," published by...   >>> Post your comment now!

Buy this book...

This article is excerpted from chapter four of sendmail, fourth edition, written by Bryan Costales, Claus Assmann, George Jansen and Gregory Shapiro (O'Reilly, 2007; ISBN: 0596510292). Check it out today at your favorite bookstore. Buy this book now.