The sendmail program offers several options that can help you to improve the security at your site. Some we have discussed already. We touch on a few more in this section, and provide a recommended setting where appropriate. For a full description of each, see the sections referenced.
4.8.2.1 The DefaultUser option
The DefaultUser option (§24.9.32 on page 1000) sets the identity sendmail assumes when it must run as some non-root user but has no other identity to use (for example, when running a program listed in the aliases file), and it can be used to ensure that this default identity is a safe one. CERT recommends that you create a pseudouser whose uid and gid are used nowhere else on your system, and then define the DefaultUser option to be that pseudouser. As an additional precaution, make sure that the pseudouser lacks a valid shell (it should never be able to log in) and has no valid home directory:
At the same time, set up a group entry for this user’s group:
mailnull:*:32765:
The group entry is necessary if you want to refer to this group symbolically at some later time (for example, as mailnull:mailnull in the DefaultUser setting). It is also recommended because it reserves the group ID, avoiding the risk of someone else reusing that gid for another purpose in the future.
Avoid using the name nobody, because NFS servers map a client's root to nobody. If root were to create a file over NFS that it believed safe because root owned it and only root could read it, that file would in fact end up owned by nobody, and a sendmail running as nobody (along with anything it delivers to) could then read and write it. Consequently, we recommend that in an NFS environment you set the default user to one less than nobody. For example, if nobody has the uid 65534, you could give the pseudouser the uid 65533, with a matching group.
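The following script is an added example, not text from this book or from the sendmail distribution. It checks a candidate DefaultUser pseudouser against the recommendations above (uid and gid used nowhere else, a matching group entry, no valid login shell, no existing home directory, and an identity distinct from nobody) and prints the m4 line that selects it. The passwd, group and shells data are constructed inline so the script runs offline; the account names mailnull and badmail and their numeric ids are assumptions for the sake of the example. On a real host, replace the three samples with the contents of /etc/passwd, /etc/group and /etc/shells.

```shell
#!/bin/sh
# Check that a sendmail DefaultUser pseudouser meets the CERT recommendations.
# Added example, not from the book; the sample data below is constructed.
# On a real host, load /etc/passwd, /etc/group and /etc/shells instead.

# Constructed sample account data (assumptions, not from the page).
# mailnull follows the recommendations; badmail violates several of them.
PASSWD_SAMPLE='root:*:0:0:root:/root:/bin/sh
daemon:*:1:1:daemon:/:/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/sbin/nologin
mailnull:*:65533:65533:Sendmail default user:/no/such/directory:/sbin/nologin
badmail:*:65534:65534:Reuses nobody:/var/tmp:/bin/sh'

GROUP_SAMPLE='root:*:0:
daemon:*:1:
nobody:*:65534:
mailnull:*:65533:'

SHELLS_SAMPLE='/bin/sh
/bin/bash'

# count_id SAMPLE FIELD ID: number of lines whose numeric field FIELD equals ID.
count_id() {
    printf '%s\n' "$1" | awk -F: -v f="$2" -v id="$3" '$f == id { c++ } END { print c + 0 }'
}

# check_pseudouser NAME: print one line per problem found; return 0 if none.
check_pseudouser() {
    name=$1
    entry=$(printf '%s\n' "$PASSWD_SAMPLE" | grep "^$name:" || true)
    if [ -z "$entry" ]; then
        echo "$name: no passwd entry"
        return 1
    fi
    uid=$(printf '%s\n' "$entry" | cut -d: -f3)
    gid=$(printf '%s\n' "$entry" | cut -d: -f4)
    home=$(printf '%s\n' "$entry" | cut -d: -f6)
    shell=$(printf '%s\n' "$entry" | cut -d: -f7)
    rc=0

    # The uid must belong to this account only.
    [ "$(count_id "$PASSWD_SAMPLE" 3 "$uid")" -eq 1 ] || { echo "$name: uid $uid is used by another account"; rc=1; }

    # The gid must appear in the group file exactly once, so it can be named
    # symbolically and is not free for someone else to reuse.
    [ "$(count_id "$GROUP_SAMPLE" 3 "$gid")" -eq 1 ] || { echo "$name: gid $gid is missing from the group file or shared"; rc=1; }

    # The shell must not be a real login shell.
    if printf '%s\n' "$SHELLS_SAMPLE" | grep -qx "$shell"; then
        echo "$name: $shell is a valid login shell"; rc=1
    fi

    # The home directory must not exist.
    if [ -d "$home" ]; then
        echo "$name: home directory $home exists"; rc=1
    fi

    # Over NFS root is squashed to nobody, so the pseudouser must not be nobody.
    nobody_uid=$(printf '%s\n' "$PASSWD_SAMPLE" | awk -F: '$1 == "nobody" { print $3 }')
    [ "$uid" != "$nobody_uid" ] || { echo "$name: uid $uid is the same as nobody"; rc=1; }
    return $rc
}

# mc_defaultuser NAME: the .mc line that sets DefaultUser to NAME:NAME
# (confDEF_USER_ID is the m4 macro behind the DefaultUser option).
mc_defaultuser() {
    printf "define(\`confDEF_USER_ID', \`%s:%s')\n" "$1" "$1"
}

# Usage: check both sample accounts and print the .mc line for the good one.
for u in mailnull badmail; do
    if check_pseudouser "$u"; then
        echo "$u: ok"
        mc_defaultuser "$u"
    fi
done
```

Run against the sample data, mailnull passes and badmail is reported three times (its uid is shared with nobody, /bin/sh is a login shell, and its uid is nobody's); the home-directory check additionally fires wherever /var/tmp exists. Feeding the real files through the same functions is a quick way to confirm that a pseudouser created by hand still satisfies the recommendations after later account changes.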
The RunAsUser option (§24.9.102 on page 1083) is similar to the DefaultUser option (§24.9.32 on page 1000) described earlier. But instead of setting the identity to be used when sendmail is not running as root, this option sets the identity that replaces root. Once sendmail has given up root, a non-root process cannot assume the identity of any other user, so this option cannot be used in conjunction with the DefaultUser option: RunAsUser becomes the only identity that sendmail will use. That makes it appropriate only for hosts that need no root privilege for delivery, such as a relay or firewall machine that does no local delivery, and everything sendmail must read or write (the queue directory, for example) has to be accessible to that user.
Although it is tricky to get sendmail to run as a non-root process in all circumstances, V8.12 offers a way to get part of sendmail to do this. The idea is that initial mail submission (by local users) can be handled safely by a non-root sendmail, whereas accepting inbound mail and performing local delivery can require a root process. V8.12 divides the work between two roles, each with its own configuration file: the mail submission program (MSP), which runs set-group-id to the smmsp group under submit.cf and hands each message to the local daemon, and the MTA daemon itself, which runs under sendmail.cf. See §2.5 on page 60 for a complete explanation of this process.