DontBlameSendmail and Enhanced File Security
http://www.sendmail.org/tips/DontBlameSendmail.html

Beginning with version 8.9.0, sendmail has tightened the rules used for opening files. Sendmail now checks the modes and ownership of the files and the directory path leading up to that file to prevent users from taking advantage of overly permissive modes on directories and files.
During your migration to sendmail 8.9, you will need to fix up any permissions which would be considered unsafe, such as non-root owned directories containing maps or group writable directories and files. In general, directories which sendmail reads from should be owned by root unless the RunAsUser option is set. There are exceptions to this rule, such as user .forward files.
You may have to tweak your environment to make it safer for sendmail to run. If you find that some of the safeties in sendmail are too restrictive for your environment, they can be turned off by setting the option DontBlameSendmail. The option is appropriately named, as sendmail is not to be blamed for problems resulting from unsafe permissions on directories and files.
Checking your system for these unsafe files is simply a matter of performing a few commands to see if they report any problems. For example, if rebuilding the aliases file with:
# newaliases -v
gives messages such as:
WARNING: writable directory /etc
WARNING: writable directory /usr/spool/mqueue
then the directories listed have inappropriate write permissions and should be secured to avoid various possible security attacks. Although somewhat verbose, a good test to make sure sendmail is satisfied with the permissions on your database maps, class files, and aliases file is the command:
# sendmail -v -d44.4 -bv postmaster
This will output the file safety checks as they are done and the results of each one.
The biggest surprise is likely to come from .forward and :include: files in unsafe directory paths (directory paths which are group or world writable). This is no longer allowed. This would mean that if user joe's home directory was writable by group staff, sendmail would not use his .forward file. This behavior can be altered, at the possible expense of system security, by setting the DontBlameSendmail option. For example, to allow forward files in group writable directories:
O DontBlameSendmail=forwardfileingroupwritabledirpath
Or to allow them in both group and world writable directories:
O DontBlameSendmail=forwardfileinunsafedirpath
Items from these unsafe .forward and :include: files will be marked as unsafe addresses -- the items cannot be delivered to files or programs. This behavior can also be altered via DontBlameSendmail:
O DontBlameSendmail=forwardfileinunsafedirpath, forwardfileinunsafedirpathsafe
The first flag allows the forward file to be read; the second allows the items in the file to be marked as safe for file and program delivery.
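To make the path-safety rules and the effect of the three forward-file flags concrete, here is an added example (not code from the sendmail.org page or from sendmail itself) that emulates the check described above: it walks every directory leading to a .forward file, reports the "writable directory" conditions that newaliases -v warns about, and then decides whether the file would be read and whether its items would be treated as safe for file or program delivery. It is a simplification: it only inspects components below a given root (sendmail starts at the filesystem root), it treats the current user as the expected owner, and the names dir_path_problems, forward_file_decision and demo are this example's own. The sample directory tree is constructed inside a temporary directory.

```python
import os
import stat
import tempfile

# DontBlameSendmail flag names as given on the page.
GROUP_WRITABLE_OK = "forwardfileingroupwritabledirpath"
UNSAFE_DIRPATH_OK = "forwardfileinunsafedirpath"
UNSAFE_DIRPATH_SAFE = "forwardfileinunsafedirpathsafe"


def dir_path_problems(root, relpath, expected_uid):
    """Report each directory from `root` down to the parent of `relpath` that is
    'unsafe' in the page's sense: writable by someone other than its owner, or
    not owned by `expected_uid`. Returns a list of (directory, reason) pairs.
    Simplification (assumption): only components below `root` are inspected."""
    dirs = [root]
    for comp in relpath.split(os.sep)[:-1]:
        dirs.append(os.path.join(dirs[-1], comp))
    problems = []
    for d in dirs:
        st = os.stat(d)
        if st.st_uid != expected_uid:
            problems.append((d, "not owned by expected user"))
        if st.st_mode & stat.S_IWOTH:
            problems.append((d, "world writable"))
        elif st.st_mode & stat.S_IWGRP:
            problems.append((d, "group writable"))
    return problems


def format_warnings(problems):
    """Render problems in the style of the newaliases -v output quoted on the page."""
    return ["WARNING: %s directory %s" % (why, d) for d, why in problems]


def forward_file_decision(root, relpath, expected_uid, dont_blame=()):
    """Return (usable, items_safe): whether the .forward file would be read at
    all, and whether its entries may deliver to files or programs, following
    the page's description of the three forwardfile* flags."""
    flags = set(dont_blame)
    kinds = {why for _, why in dir_path_problems(root, relpath, expected_uid)}
    if "not owned by expected user" in kinds:
        return (False, False)  # no flag on the page relaxes ownership
    if "world writable" in kinds and UNSAFE_DIRPATH_OK not in flags:
        return (False, False)
    if "group writable" in kinds and not (flags & {GROUP_WRITABLE_OK, UNSAFE_DIRPATH_OK}):
        return (False, False)
    # The file itself must not be writable by group or world either.
    st = os.stat(os.path.join(root, relpath))
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return (False, False)
    # Items from a file reached through an unsafe path stay unsafe addresses
    # unless forwardfileinunsafedirpathsafe is also set.
    items_safe = not kinds or UNSAFE_DIRPATH_SAFE in flags
    return (True, items_safe)


def demo():
    """Constructed sample: three home directories (safe, group writable, world
    writable), each holding a 0644 .forward with a program-delivery entry."""
    uid = os.geteuid()  # stands in for the .forward owner in this demo
    results = {}
    with tempfile.TemporaryDirectory() as root:  # created 0700, owned by uid
        for name, mode in (("safe", 0o755), ("groupw", 0o775), ("worldw", 0o777)):
            home = os.path.join(root, name)
            os.mkdir(home)
            fwd = os.path.join(home, ".forward")
            with open(fwd, "w") as fh:
                fh.write('"|/usr/bin/vacation joe"\n')  # constructed entry
            os.chmod(fwd, 0o644)
            os.chmod(home, mode)  # explicit chmod so umask cannot interfere
        for name in ("safe", "groupw", "worldw"):
            rel = os.path.join(name, ".forward")
            for line in format_warnings(dir_path_problems(root, rel, uid)):
                print(line)
            results[name] = {
                "default": forward_file_decision(root, rel, uid),
                "groupflag": forward_file_decision(root, rel, uid, [GROUP_WRITABLE_OK]),
                "unsafe+safe": forward_file_decision(
                    root, rel, uid, [UNSAFE_DIRPATH_OK, UNSAFE_DIRPATH_SAFE]),
            }
    return results


if __name__ == "__main__":
    for home, outcome in demo().items():
        print(home, outcome)
```

Running demo() shows the progression the page describes: the group-writable home is refused by default, readable but with unsafe items once forwardfileingroupwritabledirpath is set, and fully trusted only with forwardfileinunsafedirpath plus forwardfileinunsafedirpathsafe; the world-writable home is refused until forwardfileinunsafedirpath is set.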
Other files affected by this strengthened security include class files (e.g. Fw /etc/sendmail.cw), persistent host status files, and the files specified by the ErrorHeader and HelpFile options. Similar DontBlameSendmail flags are available for these files.
The DontBlameSendmail option takes one or more names that disable checks. In the descriptions that follow, "unsafe directory" means a directory that is writable by anyone other than the owner. The values are: