Handling sendmail Permissions - 4.5.3 Permissions for ~/.forward Files
(Page 3 of 4 )
The ~/.forward file can pose a security risk to individual users. There is a higher degree of risk if the user is root or one of the semiprivileged users (such as bin). Because the ~/.forward file is like an individual mailing list (:include:) for the user, risk can be encountered if that file is writable by anyone but the user.† Consider the following, for example:
drwxr-xr-x 50 george guest 3072 Sep 27 09:19 /home/george/ -rw-rw-r-- 1 george guest 62 Sep 17 09:49 /home/george/.forward
Here, the user george’s ~/.forward file is writable by the groupguest. Anyone in groupguestcan edit george’s ~/.forward file, possibly placing something such as this into it:
Now all the attacker has to do is send george mail to create a set-user-id george shell. Then, by executing /home/george/.x, the attacker becomes george.
The semiprivileged users such as bin, and root in particular, should never have ~/.forward files. Instead, they should forward their mail by means of the aliases file directly.
User ~/.forward files must be writable only by the owning user. Similarly, user home directories must live in a directory that is owned and writable only by root, and must themselves be owned and writable only by the user.
Some users, such as the pseudouser uucp, have home directories that must be world-writable for software to work properly. If that software is not needed (if a machine, for example, doesn’t run UUCP software), that home directory should be removed. If the directory must exist and must be world-writable, to ensure that the ~/.forward file is never processed you can create an alias in the aliases database for uucp that points to root. For example:
uucp: root
Thereafter, although the ~uucp directory is world-writable (so that anyone can remove anything from it), that file will be ignored by sendmail, even if someone places a ~/.forward file in it.
Note that all critical dot files in a world-writable home directory must be protected from creation by others. Each of .rhosts, .login, .cshrc, .profile, and .logout, for example, should be made a nonempty, root-owned directory with mode 000. World-writable home directories must be owned by root instead of by the user, and they must have the+t(sticky bit) set.
When processing a user’s ~/.forward file, sendmail requires that the file be owned by the user or by root. If ownership is correct, it then examines the ~/.forward file’s permissions. If that file is world- or group-writable, sendmail ignores (and logs) attempts to run programs and to write directly to files.
