Maintain Security with sendmail
By: O'Reilly Media
    2008-04-24

    Table of Contents:
  • Maintain Security with sendmail
  • 4.2 The Environment
  • 4.3 SMTP Probes
  • 4.4 The Configuration File

    Maintain Security with sendmail - 4.4 The Configuration File



    A number of security problems can be created by commands given carelessly in the configuration file. Such problems can be serious because sendmail starts to run as root, provided that it has not been given an unsafe command-line switch (such as -C; see §6.7.17 on page 238) or an unsafe option (§24.2.4 on page 951). It can continue as root until it delivers mail, whereupon it generally changes its identity to that of an ordinary user. When sendmail reads its configuration file, it can do so while it is still root. Consequently, as we will illustrate, when sendmail is improperly configured, it might be able to read and overwrite any file.

    4.4.1   The F Command—File Form

    The file form of the F configuration command (§22.1.2 on page 857) can be used to read sensitive information. That command looks like this in the configuration file:

      FX/path pat

    This form is used to read class macro entries from files. It can cause problems through a misunderstanding of the scanf(3) pattern pat. The /path is the name of the file, and the optional pat is a pattern to be used by scanf(3) (§22.1.2.1 on page 858).

    To illustrate the risk of the pat, consider the following configuration file entry:

      Fw/etc/myhostnames %[^#]

    Normally, the F command reads only the first whitespace-delimited word from each line of the file. But if the optional pattern pat is specified, the F command instead reads one or more words from each line based on the nature of the pattern. The pattern is used by scanf(3) to extract words, and the specific pattern used here, [^#], causes scanf(3) to read everything up to the first comment character (the #) from each line. This pat allows multiple hostnames to be conveniently listed on each line of the file. Now assume that a new administrator, who is not very familiar with sendmail, decides to add an F command to gather a list of UUCP hosts from the /etc/uucp/Systems file. Being a novice, the new administrator copies the existing entry for use with the new file:

      FU/etc/uucp/Systems %[^#]

    This is the same pattern that was correctly used for /etc/myhostnames. Unfortunately, the Systems file contains more than just host entries on each line:

      linda Any ACU 2400 5551212 "" \d\n in:-\r-in: Uourhost word: MublyPeg
      hoby Any ACU 2400 5551213 "" \d\n in:-\r-in: Uourhost word: FuMzz3.x

    A part of each line (the last item in each) contains nonencrypted passwords. Prior to V8.12, an unscrupulous user, noticing the mistaken [^#] in the configuration file, could run sendmail with a -d36.5 debugging switch and watch each password being processed. For example:

      % /usr/lib/sendmail -d36.5 -bt < /dev/null
      ... some output deleted
      STAB:  hoby 1 entered
      STAB:  Any 1 entered
      STAB:  ACU 1 entered
      STAB:  2400 1 entered
      STAB:  5551213 1 entered
      STAB:  "" 1 type 1 val 0 0 200000 0
      STAB:  \d\n 1 entered
      STAB:  in:-\r-in: 1 entered
      STAB:  Uourhost 1 entered
      STAB:  word: 1 entered
      STAB:  FuMzz3.x 1 entered        ← note
      STAB:  local 3 type 3 val 34d00 0 00
      STAB:  prog 3 type 3 val 34d80 0 0 0

    Note the third line from the bottom, where the password for the UUCP login into the host hoby is printed. Also note that this is no longer possible with V8.12 and above if sendmail is installed as non-set-user-id as recommended: a non-set-user-id sendmail invoked with -bt runs with the invoking user's own identity, so it can read only files that user could already read.

    This example illustrates two rules about handling the configuration file:

    • Avoid using the F command to read a file that is not already publicly readable. To do so can reveal sensitive information. Even if the scanf(3) option is correct, a core dump can be examined for sensitive information from otherwise secured files.
    • Avoid adding a new command to the configuration file by blindly copying and modifying another. Try to learn the rules governing the command first.
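    To make the difference between the default reading and the %[^#] reading concrete, here is an added Python emulation (not code from the book or from sendmail) of how the F command's file form fills a class. It runs over constructed stand-ins for /etc/myhostnames and /etc/uucp/Systems, and it emulates only the %[...] form of scanf(3) pattern, which is the form the excerpt uses:

```python
import re

# Constructed stand-ins for the two files the excerpt discusses; neither is
# copied from a real system.  The Systems lines follow the excerpt's format:
# the last field of each line is a cleartext UUCP login password.
MYHOSTNAMES = """\
mail.example.com mx.example.com   # our public names
relay.example.com
# a comment line on its own is skipped entirely
"""

UUCP_SYSTEMS = """\
linda Any ACU 2400 5551212 "" \\d\\n in:-\\r-in: Uourhost word: MublyPeg
hoby Any ACU 2400 5551213 "" \\d\\n in:-\\r-in: Uourhost word: FuMzz3.x
"""


def scanf_charset(line, pattern):
    """Emulate one scanf(3) %[set] or %[^set] conversion applied to LINE.

    Only the bracket form is handled, because that is the shape of the F
    command's optional pattern in the excerpt.  Returns the matched prefix,
    or None when the very first character is rejected (scanf reports no
    conversion in that case and sendmail adds nothing for the line).
    """
    m = re.fullmatch(r"%\[(\^?)([^\]]+)\]", pattern)
    if m is None:
        raise ValueError("only %%[...] patterns are emulated: %r" % (pattern,))
    negate = m.group(1) == "^"
    members = set(m.group(2))
    taken = []
    for ch in line:
        if (ch in members) == negate:   # first excluded character ends the scan
            break
        taken.append(ch)
    return "".join(taken) or None


def read_class_file(text, pattern=None):
    """Emulate F<class>/path [pat]: return the words sendmail would add.

    Without a pattern only the first whitespace-delimited word of each line
    is taken; with one, everything scanf returns is split into words and
    every word is added, which is what the -d36.5 trace in the excerpt shows.
    Blank lines and comment lines are skipped either way.
    """
    words = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if pattern is None:
            words.append(line.split()[0])
        else:
            chunk = scanf_charset(line, pattern)
            if chunk:
                words.extend(chunk.split())
    return words


if __name__ == "__main__":
    print("Fw/etc/myhostnames %[^#] ->", read_class_file(MYHOSTNAMES, "%[^#]"))
    print("FU/etc/uucp/Systems       ->", read_class_file(UUCP_SYSTEMS))
    print("FU/etc/uucp/Systems %[^#] ->", read_class_file(UUCP_SYSTEMS, "%[^#]"))
```

    Run without arguments it prints the three class contents. The point to take away is that the third call returns every field of every Systems line, passwords included: nothing in sendmail's processing of a class file distinguishes a password from a hostname, so the only protection is never to point an F command at a file that is not already public.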

    4.4.2   The F Command—Program Form

    Another form of the F (File) configuration command is the program form, which looks like this:

      FX|/path

    Here, the | prefix to the /path tells sendmail that /path is the name of a program to run. The output produced by the program is appended to the class, here X.

    To illustrate another potential security risk, consider a configuration file that is group-writable, perhaps by a few administrators who share the job of postmaster. To break into root, the attacker needs to assume the identity of only one of those users and, under that identity, edit the configuration file. Consider the following bogus entry added by an attacker to that configuration file:

      FX|/tmp/.sh

    Consider further a change to the DefaultUser option (§24.9.32 on page 1000) that causes the default uid and gid to become those of root:

      O DefaultUser=0:0

    With these changes in place, the program (actually a shell script) called /tmp/.sh is run by sendmail to fill the class X with new values. All this seems harmless enough, but suppose /tmp/.sh does the unexpected:

      #!/bin/sh
      cp /bin/sh /tmp/.shell
      chmod u+s /tmp/.shell

    Here, the Bourne shell is copied to /tmp/.shell, and the set-user-id root bit is set. Now, any user at all can run sendmail and become root:

      % ls -l /tmp/.shell
      /tmp/.shell not found
      % /usr/lib/sendmail -bt < /dev/null
      % ls -l /tmp/.shell
      -rwsr-xr-x 1 root          122880 Sep 24 13:20 /tmp/.shell

    The program form of the F configuration command can clearly be dangerous. The sendmail configuration file must never be writable by anyone other than root. It should also live in a directory, every path component of which is owned by and writable only by root. (We’ll discuss this latter point in greater detail soon.) If the configuration file is created with the m4 technique, care must be taken to ensure that only root can write to the mc file, and that only root can use that mc file to install the configuration file.

    4.4.3   The P= of Delivery Agents

    Just as the program form of the F command can pose a security risk if the configuration file is poorly protected, so can the M delivery agent definition. Specifically, the P= equate for a delivery agent (§20.5.11 on page 748) can be modified to run a bogus program that gives away root privilege. Consider the following modification to the local delivery agent:

      Mlocal, P=/bin/mail, F=rlsDFMmnP, S=10, R=20, A=mail -d $u

    becomes

      Mlocal, P=/tmp/mail,
             U=0,                     ← note
             F=SrlsDFMmnP,            ← note
             S=10, R=20, A=mail -d $u

    Here, local mail should be delivered with the /bin/mail program, but instead it is delivered with a bogus frontend, /tmp/mail. If /tmp/mail is carefully crafted, users will never notice that the mail has been diverted. The S flag in the F= equate (§20.8.45 on page 780) causes sendmail to retain its default identity when executing the bogus /tmp/mail. The U=0 equate (§20.5.17 on page 755) causes that default to become the identity of root.

    Delivery agent P= equates must be protected by protecting the configuration file. As an additional precaution, never use relative pathnames in the P= equate.

    The F=S and U=0 are especially dangerous. They should never appear in your configuration file unless you have deliberately placed them there and are 100% certain of their effect. For example, the local_lmtp feature (§17.8.23 on page 625) correctly sets them for the local delivery agent because the mail.local program is no longer set-user-id root.
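    The three edits described in §4.4.1 through §4.4.3 are all visible in the text of sendmail.cf, so they can be checked for mechanically. The following is an added Python audit (not part of the book or of sendmail) that joins continuation lines and then flags program-form F commands, file-form F commands whose file is not world-readable on the host it runs on, a DefaultUser of root, relative P= paths, and delivery agents that combine F=S with U=0. The sample configuration it carries is constructed from the excerpt's own lines plus a benign smtp agent; the equate splitter assumes no A= value contains a comma:

```python
import os
import stat

# Constructed sendmail.cf fragment (not any real site's file).  It carries
# the three edits the excerpt walks through, plus two benign definitions so
# the audit has something it must *not* flag.
SAMPLE_CF = """\
# file form reading a publicly readable file: fine
Fw/etc/mail/local-host-names
# program form: sendmail runs this program to fill class X
FX|/tmp/.sh
O DefaultUser=0:0
Mlocal,\t\tP=/tmp/mail,
\t\tU=0,
\t\tF=SrlsDFMmnP,
\t\tS=10, R=20, A=mail -d $u
Msmtp,\t\tP=[IPC], F=mDFMuX, S=EnvFromSMTP/HdrFromSMTP, R=EnvToSMTP, E=\\r\\n, L=990,
\t\tT=DNS/RFC822/SMTP,
\t\tA=TCP $h
"""

ROOT_IDS = ("0", "root")


def logical_lines(text):
    """Return sendmail.cf commands with continuation lines joined.

    A line that begins with a space or tab continues the previous command;
    blank lines and lines starting with '#' are comments.
    """
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw[0] in " \t" and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.rstrip())
    return out


def parse_class_cmd(line):
    """Split 'F<class><source>' into (class, source); class may be {Name}."""
    if line[1] == "{":
        end = line.index("}")
        return line[2:end], line[end + 1:].strip()
    return line[1], line[2:].strip()


def parse_agent(line):
    """Split 'Mname, P=..., F=..., A=...' into (name, {equate: value}).

    Equates are split on commas, which is adequate for the definitions in the
    excerpt; an A= value containing a comma would need a real tokenizer.
    """
    name, _, rest = line[1:].partition(",")
    equates = {}
    for part in rest.split(","):
        key, sep, value = part.strip().partition("=")
        if sep:
            equates[key.strip()] = value.strip()
    return name.strip(), equates


def audit_cf(text):
    """Return (finding, subject, detail) tuples for the risks in 4.4.1-4.4.3."""
    findings = []
    for line in logical_lines(text):
        if line[0] == "F":
            cls, src = parse_class_cmd(line)
            if src.startswith("|"):
                # program form: sendmail executes this program to fill the class
                findings.append(("F-program", cls, src[1:].split()[0]))
            else:
                path = src.split()[0]
                try:
                    mode = os.stat(path).st_mode
                except OSError:
                    continue   # not present or not readable here; nothing to check
                if not mode & stat.S_IROTH:
                    # 4.4.1: never read a file that is not already public
                    findings.append(("F-file-not-public", cls, path))
        elif line.startswith("O DefaultUser="):
            value = line.split("=", 1)[1].strip()
            if value.split(":")[0] in ROOT_IDS:
                findings.append(("DefaultUser-root", "", value))
        elif line[0] == "M":
            name, eq = parse_agent(line)
            prog, flags, uid = eq.get("P", ""), eq.get("F", ""), eq.get("U", "")
            if prog and not prog.startswith(("/", "[")):
                # 4.4.3: a relative P= depends on sendmail's working directory
                findings.append(("relative-P", name, prog))
            if "S" in flags and uid.split(":")[0] in ROOT_IDS:
                # F=S keeps the default identity; U=0 makes that identity root
                findings.append(("F=S-with-U=0", name, prog))
            elif "S" in flags:
                findings.append(("F=S", name, prog))
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CF
    for finding in audit_cf(text):
        print("%-18s %-8s %s" % finding)
```

    Saved as, say, audit_cf.py, it can be pointed at a live file with python3 audit_cf.py /etc/mail/sendmail.cf. An F=S hit on its own is reported separately from F=S together with U=0 because, as the excerpt notes for local_lmtp, the flag has legitimate uses; it is the combination with a root U= that should never appear unplanned. The file-readability check only says something about the host the audit runs on, so run it on the mail server itself.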

    4.4.4   StatusFile Option and the Statistics File

    When sendmail attempts to record its delivery agent statistics (§10.4.1 on page 365), it checks for the existence and write permissions of the file specified by the StatusFile option (§24.9.116 on page 1095). Prior to V8.9, sendmail did not care where that file lived or what permissions it had—only that it existed.

    A security problem could arise if one is tempted to locate the statistics file in a spool or temporary area. Consider the following location, for example:

      define(`STATUS_FILE',`/usr/tmp/statistics')

    Here, the administrator sets the StatusFile option to locate the statistics file in the /usr/tmp directory. The intention is that the file can be easily created by anyone who wishes to gather statistics, then removed. Unfortunately, the /usr/tmp directory is usually world-writable.

    Thus, prior to V8.9, any unhappy or malicious user could bring the system to its knees:

      % cd /usr/tmp
      % ln -s /vmunix statistics

    Here, sendmail clobbers the disk copy of the kernel. Nothing bad might happen at first, but the machine will require manual intervention to boot in the future. Clearly, precautions must be taken. For example, any file that sendmail writes to (such as the StatusFile option statistics file or the aliases database files) must be writable only by root and live in a directory, every path component of which is writable only by root.
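    The rule the excerpt closes with, that anything sendmail writes must be writable only by root and sit under directories every component of which is writable only by root, is easy to check before a path goes into the configuration. Here is an added Python check (not from the book or from sendmail) that walks each component with lstat(), so the ln -s trick above is reported as a symlink rather than silently followed, and that also reports group- or world-write bits, unexpected owners, and missing components:

```python
import os
import stat
import sys


def unsafe_path_components(path, owner_uid=0):
    """Check every component of PATH against the excerpt's closing rule:
    owned by OWNER_UID (root by default) and writable by nobody else.

    lstat() is used so a symlink is reported instead of followed; a symlink
    as the final component is exactly the 'ln -s /vmunix statistics' case.
    A missing component is reported too, because a file sendmail will create
    on first use is only as safe as the directory it will be created in.
    Returns (component, reason) tuples; an empty list means the path is safe.
    """
    problems = []
    current = ""
    for part in os.path.abspath(path).split(os.sep):
        current = os.path.join(current, part) if current else os.sep
        try:
            st = os.lstat(current)
        except FileNotFoundError:
            problems.append((current, "missing"))
            break
        if stat.S_ISLNK(st.st_mode):
            problems.append((current, "symlink"))
        if st.st_uid != owner_uid:
            problems.append((current, "owned by uid %d, not %d" % (st.st_uid, owner_uid)))
        if st.st_mode & stat.S_IWGRP:
            problems.append((current, "group-writable"))
        if st.st_mode & stat.S_IWOTH:
            problems.append((current, "world-writable"))
    return problems


def is_safe_for_root_writes(path):
    """True when a root-running sendmail may safely write PATH."""
    return not unsafe_path_components(path, owner_uid=0)


if __name__ == "__main__":
    # Default target is the very location the excerpt warns against.
    for target in sys.argv[1:] or ["/usr/tmp/statistics"]:
        problems = unsafe_path_components(target)
        print(target, "OK" if not problems else "")
        for component, reason in problems:
            print("   ", component, reason)
```

    With no arguments it examines /usr/tmp/statistics; on a typical system that reports the world-writable temporary directory, or a missing component where /usr/tmp no longer exists. The owner_uid parameter is there so the same check can be applied to files a non-root helper owns; for the StatusFile and the aliases database files leave it at root, since those are written by sendmail while it is still root.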

    This article is excerpted from chapter four of sendmail, fourth edition, written by Bryan Costales, Claus Assmann, George Jansen and Gregory Shapiro (O'Reilly, 2007; ISBN: 0596510292).
