sendmail Security Options
By: O'Reilly Media
    2008-05-15

    Table of Contents:
  • sendmail Security Options
  • 4.8.2.3 The TrustedUser option (V8.10 and above)
  • 4.8.2.6 The PostmasterCopy option
  • 4.8.3 The /etc/shells File
  • 4.9 Other Security Information
  • 4.10 Pitfalls



    sendmail Security Options - 4.10 Pitfalls


    (Page 6 of 6 )

    1. The sendmail program is only as secure as the system on which it is running. Correcting permissions and the like is useful only if such corrections are system-wide and apply to all critical system files and programs.
    2. Time spent tightening security at your site is best spent before a break-in occurs. Never suppose that your site is too small or of too little consequence to be attacked. Start out by being wary, and you will be more prepared when the inevitable happens.
    3. Newer versions of perl(1) object to PATH environment variables that begin with a dot (such as .:/bin:/usr/bin). V8 clears the PATH variable before executing programs in a user’s ~/.forward file. Some shells put it back with the dot first. Under such versions of the Bourne shell, execute perl(1) scripts like this:

        |"PATH=/bin:/usr/bin /home/usr/bin/script.pl"

    4. There is no check in the T command to determine that the names listed are the names of real users. That is, if you mistakenly entered Tuupc when you really meant Tuucp, pre-V8 sendmail remained silent and UUCP mail mysteriously failed. V8.7 and above sendmail logs warning messages.
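
The check that item 4 says pre-V8 sendmail never made can be run by hand. The shell function below is an added example, not code from the book or from sendmail: it lists names on T lines of a configuration file that have no entry in a passwd-format file. The function names and sample file contents are assumptions, as is the use of a flat passwd file as the user source (on hosts using a directory service, feed it `getent passwd` output instead).

```shell
#!/bin/sh
# Added example: list names on T (trusted user) lines of a sendmail.cf
# that have no entry in a passwd-format file.
# usage: check_trusted_users CF_FILE PASSWD_FILE
# Prints each unknown name on its own line; returns 1 if any were found.
check_trusted_users() {
    awk -v pw="$2" '
        BEGIN {
            # Collect login names (first colon-separated field).
            while ((getline line < pw) > 0) {
                split(line, f, ":")
                if (f[1] != "") known[f[1]] = 1
            }
            close(pw)
        }
        /^T/ {
            rest = substr($0, 2)        # drop the leading T
            sub(/#.*/, "", rest)        # drop a trailing comment
            n = split(rest, names)      # "Troot daemon" or "T root daemon"
            for (i = 1; i <= n; i++)
                if (!(names[i] in known)) { print names[i]; bad = 1 }
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Constructed sample input (not from a real host): a cf fragment with the
# Tuupc typo from the text, and a minimal passwd file.
demo_trusted_users() {
    dir=$(mktemp -d) || return 2
    printf '%s\n' '# trusted users' 'Troot' 'Tdaemon' 'Tuupc' \
        'DZ8.14' > "$dir/sendmail.cf"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/sh' \
        'daemon:x:1:1:daemon:/:/usr/sbin/nologin' \
        'uucp:x:10:14:uucp:/var/spool/uucp:/usr/sbin/nologin' > "$dir/passwd"
    rc=0
    check_trusted_users "$dir/sendmail.cf" "$dir/passwd" || rc=$?
    rm -rf "$dir"
    return $rc
}

demo_trusted_users || echo "unknown trusted users found" >&2
```

Only T lines are examined; names placed in a class by other configuration commands are not covered by this check.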

     


     

    * The default beginning with V8.12 is to install sendmail as a non-set-user-id program that operates as root only if it is run by root.

    † That flaw has been eliminated—wrongly by some vendors who turned all debugging completely off, correctly by most who simply disabled SMTP debugging.

    ‡ Contrary to popular belief, sendmail does not run as root to handle local delivery (except that sendmail can deliver directly to files when necessary, but that is not directly germane to this discussion). Local delivery is handled by delivery agents (such as /bin/mail), which may run set-user-id root themselves (or set-group-id mail as in SysV).

    * But note that V8.8 sendmail has loosened the latter for use on firewall machines, where it won’t complain about non-root qf files if it is not running as root.

    † Except when seteuid(3) is POSIX-compliant. Old implementations of seteuid(3) didn’t properly save the uid, hence the preference, in that case, for setreuid(3).

    * When delivering to files, sendmail will become the owner of the file if that file’s set-user-id bit is set and if no execute bits are set.

    † We say “must” because in an NFS environment, root is mapped to nobody, so in that instance, even root won’t be able to write to bill’s files unless sendmail becomes bill.

    * See the F=q flag (§20.8.41 on page 778) for a way and reason to change this SMTP reply code to 252.

    † The fingerd(8) daemon can also reveal login IDs.

    ‡ The GNU fingerd(8) daemon also uses VRFY to provide mailbox information.

    * Most versions of Unix disallow core dumps of set-user-id root programs.

    * Programs that need kernel symbols, such as ps(1), will cease to work or will produce garbage output.

    † The savvy administrator can still boot off the network or from a CD-ROM and quickly install a new kernel.

    * This is done only when not in rule-testing mode to prevent spurious warnings when you already know you are using a weak configuration file with -C.

    † We refer here to both file permissions and permissions granted by the DontBlameSendmail option (§4.5.5 on page 168). Beginning with V8.9, for example, the behavior we describe requires the DontBlameSendmail option to be set to GroupWritableIncludeFileSafe.

    * Actually, beginning with V8.10, it defaults to whichever of the following is found first to exist in the passwd file: mailnull, sendmail, or daemon. If none of those exists, the default becomes 1:1.

    † Beginning with V8.9, the problem we describe is not possible with the default settings of the configuration file. However, if you enable the DontBlameSendmail option (§4.5.5 on page 168) with a setting of GroupWritableForwardFileSafe, you override the default safety features and allow this dangerous behavior.

    a The sendmail program sometimes lives in /usr/lib or in some other directory. If so, adjust this path accordingly.

    b As of V8.12, sendmail is no longer set-user-id root, but is instead set-group-id smmsp or the like, and sendmail is root only when it is run by root. The older versions of sendmail might need to be set-group-id kmem for the load average to be checked on some systems.

    c CERT (the Computing Emergency Response Team) and the sendmail document doc/op/op.me recommend that the queue directories be mode 0700 to prevent potential security breaches.

    * V8 sendmail also tries to verify the connection itself with identd, if possible.

    † In fact, old versions of the GNU emacs(1) mail reader delete those lines irrevocably.

    * If that user ID is already in use, find an available number that is below nobody’s number, and use it instead.

    * Actually, goaway also includes needexpnhelo and needvrfyhelo, but these are superseded by noexpn and novrfy, respectively.

    * The /etc/shells file is also used by the ftpd daemon, and by other daemons, to screen users.

    † This is an amalgamation of many vendor lists. See conf.c in the source distribution for details.
     



    This article is excerpted from chapter four of sendmail, fourth edition, written by Bryan Costales, Claus Assmann, George Jansen and Gregory Shapiro (O'Reilly, 2007; ISBN: 0596510292).
