Security Features of sendmail

(Page 1 of 4 )

In this third part of a four-part series on securing sendmail, you will learn about the aliases file, and we will turn our attention from security problems to security features. This article is excerpted from chapter four of sendmail, fourth edition, written by Bryan Costales, Claus Assmann, George Jansen and Gregory Shapiro (O'Reilly, 2007; ISBN: 0596510292). Copyright © 2007 O'Reilly Media, Inc. All rights reserved. Used with permission from the publisher. Available from booksellers or direct from O'Reilly Media.

4.5.5 Don’t Blame sendmail

In §24.9.39 on page 1009, we describe the DontBlameSendmail option, which can be used to allow looser permissions. We mention this option here because its misuse can lead to a weakening of security.

Consider a site where you use group permissions to allow system administrators to edit :include:files, rather than allowing them to do so by becoming root. Note that these mailing lists include archive files—that is, entries that append messages to archive files.

Unless you tell sendmail otherwise, it will refuse to run programs listed in such group-writable:include:files, and also refuse to append to any files listed in such:include:files (append to archive files). Every time mail is sent to such a mailing list, sendmail will log the following warning:

  /path: group writable :include: file, marked unsafe

You can prevent this warning and allow running of disallowed programs and appending to disallowed files by declaring theDontBlameSendmailoption in your mc configuration file:

  define(`confDONT_BLAME_SENDMAIL´, `GroupWritableIncludeFileSafe´)

This declaration tells sendmail that you consider it safe to append to archive files from inside:include:files, even when the:include:file is group-writable. The result is that you have streamlined your department’s operation, but you have done so at the price of security.

The sendmail program is paranoid about group-writable permissions because such permissions open the door to intrusion by insiders. Group permissions are managed via the passwd and group files, and:include:files can be silently edited with no record made about what was done to them. Contrast this approach to one that uses sudo(8) or a similar program, to manage access to root and other privileges. The sudo(8) program executes programs (such as an editor to edit an:include:file) with special permissions (such as root) and logs a record of each command executed.

It is vastly better to keep sendmail’s file permissions narrow and to use other security tools to manage those files. We recommend you never use theDontBlameSendmailoption to loosen permissions. If you think you need to do so, you should review your overall approach. Try to find a safe way to satisfy your needs, rather than loosening sendmail’s security behavior.

Next: 4.6 The aliases File >>
 

More Server Administration Articles
More By O'Reilly Media

Comments On: Security Features of sendmail

· This article is an excerpt from the book "sendmail, fourth edition," published by...   >>> Post your comment now!

Buy this book...

This article is excerpted from chapter four of sendmail, fourth edition, written by Bryan Costales, Claus Assmann, George Jansen and Gregory Shapiro (O'Reilly, 2007; ISBN: 0596510292). Check it out today at your favorite bookstore. Buy this book now.