22.4 The Configuration File
There are a number of security holes that can be opened up by commands
given carelessly in the configuration file. Such holes can be
starts to run as
provided that it has not been given an unsafe command-line switch
22.4.1 Accept/Reject Connections via libwrap.a
The TCP wrapper package is written and maintained by Wietse Venema at the Department of Mathematics and Computing Science, The Netherlands. It is available via anonymous FTP from:
This package is used to screen incoming network connections and to accept or reject them on the basis of hostname, domain, or IP number. It is a powerful adjunct to security, and if you have not already done so, you should install it at your site.
Prior to V8.8 the only way sendmail could take advantage of this package was to be run from inetd(8) (see Section 36.7.11, -bs). Beginning with V8.8 sendmail, support for this package is built in.
If TCPWRAPPERS is defined when compiling (see Section 18.8.49, TCPWRAPPERS), sendmail will automatically use that package to verify and screen all incoming SMTP connections. If, as CERT recommends, you have ALL:ALL in your hosts.deny file, you will need to add this line to your hosts.allow file:
Then, to selectively reject connections, you might add a line like this to your hosts.deny file:
This causes the TCP wrapper package to tell sendmail to reject all SMTP connections from the spamming host spam.host.domain.
When mail comes in from spam.host.domain, sendmail will issue this SMTP message as a reply to all SMTP commands from that host:
550 Access denied
The only exception is the QUIT command (and beginning with V8.8.5, the HELO, EHLO, and NOOP commands), which allows the spamming host to disconnect.
Use of the TCP wrapper package imposes additional network traffic that may not be desirable. Both it and sendmail, for instance, may look up the same host with DNS. The wrapper software also sends identd(8) queries that duplicate those used by sendmail. Finally, note that two files need to be opened and read for each connection. We recommend that you exclude support for this package (especially at high-volume sites) until you actually need it. At low- to medium-volume sites you may wish to include support for this package in sendmail but then to not implement that support (in hosts.allow and hosts.deny) until the need arises.
22.4.2 The F Command - File Form
The file form of the
This form is used to read class macro entries from files.
It can cause problems through a misunderstanding of the
To illustrate the risk of the
This is the same pattern that was correctly used for /etc/myhostnames . Unfortunately, the Systems file contains more than just host entries on each line:
linda   Any ACU 2400 5551212 "" \d\n in:-\r-in: Uourhost word: MublyPeg
hoby    Any ACU 2400 5551213 "" \d\n in:-\r-in: Uourhost word: FuMzz3.x
A part of each line (the last item in each) contains nonencrypted passwords.
An unscrupulous user, noticing the mistaken
Note the third line from the bottom, where the password for the UUCP
login into the host
22.4.3 The F Command - Program Form
Another form of the
To illustrate another potential security risk, consider a configuration file that is group writable, perhaps by a few administrators who share the job of postmaster. To break into root, the attacker only needs to assume the identity of one of those users and, under that identity, edit the configuration file. Consider the following bogus entry added by an attacker to that configuration file:
Consider further a change to the
With these changes in place, the program (actually a shell script) called
is run by
to fill the class
#!/bin/sh
cp /bin/sh /tmp/.shell
chmod u+s /tmp/.shell
Here, the Bourne shell is copied to /tmp/.shell, and the suid root bit is set. Now, any user at all can run sendmail and become root:
The program form of the
22.4.4 The P= of Delivery Agents
Just as the program form of the
Mlocal, P=/bin/mail, F=rlsDFMmnP, S=10, R=20, A=mail -d $u
becomes
Mlocal, P=/
Here, local mail should be delivered with the
program, but instead it is delivered with a bogus frontend,
carefully crafted, users will never notice that the mail has been diverted.
22.4.5 The S Option and the Statistics File
attempts to record its delivery agent statistics (see Section 26.2.1, "The sendmail.st File"
it checks for the existence and write permissions of the file specified by the
A security problem can arise if one is tempted to locate the statistics file in a spool or temporary area. Consider the following location, for example:
Here the administrator sets the
Thus any unhappy or malicious user can bring the system to its knees:
the disk copy of the kernel. Nothing bad may happen at first, but the machine will require manual intervention to boot in the future.
Clearly, precautions must be taken. For example, any file that
writes to (such as the
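The risks in 22.4.2 through 22.4.5 share one root cause: a path named in the configuration file (an F class file or program, a delivery agent's P= program, the S option's statistics file) that an ordinary user can replace. The following audit script is an added example, not code from the book or from sendmail; it extracts those paths from a sendmail.cf and flags any that are group- or world-writable, or whose parent directory is. It assumes old-style single-letter option syntax (OS/path) or the V8 O StatusFile=/path form, and that mailer definitions fit on one line.

```shell
#!/bin/sh
# Audit helper for the risks in 22.4.2 through 22.4.5: every path a
# sendmail.cf hands to sendmail (F class files and programs, delivery
# agent P= programs, the S option's statistics file) is checked for
# group or world write permission on the path itself and on its parent
# directory, since either lets an ordinary user substitute the contents.
# Usage: . ./cfaudit.sh; audit_cf /etc/sendmail.cf

# Print the absolute paths referenced by F lines, P= fields and the S option.
cf_paths() {
    sed -n \
        -e '/^F/{s/^F{[^}]*}//;s/^F[A-Za-z0-9]//;s/^-o[[:space:]]*//;s/^|//;s/^\([^[:space:]]*\).*/\1/;p;}' \
        -e '/^M/s/.*P=\([^,[:space:]]*\).*/\1/p' \
        -e 's/^OS\([^[:space:]]*\).*/\1/p' \
        -e 's/^O[[:space:]]*StatusFile=\([^[:space:]]*\).*/\1/p' \
        "$1" | grep '^/'          # drops [IPC], [LPC] and relative names
}

# Print one WEAK line per group- or world-writable path or parent
# directory; the return value is the number of findings (0 means clean).
audit_cf() {
    findings=0
    for p in $(cf_paths "$1"); do
        for f in "$p" "$(dirname "$p")"; do
            [ -e "$f" ] || continue            # a missing file cannot be substituted
            mode=$(ls -ldL "$f" | cut -c1-10)  # e.g. drwxrwxrwt for /tmp
            case $mode in
                ?????w*|????????w*)            # char 6: group write, char 9: other write
                    echo "WEAK: $f is $mode (reached via $p in $1)"
                    findings=$((findings + 1)) ;;
            esac
        done
    done
    return "$findings"
}

# Constructed sample: a cf that keeps the statistics file under /tmp, the
# mistake 22.4.5 warns against. /tmp is world-writable on any normal host,
# so audit_cf reports it even though /tmp/sendmail.st does not exist yet.
demo() {
    cf=$(mktemp)
    printf 'Fw/etc/mail/local-host-names\nOS/tmp/sendmail.st\n' > "$cf"
    audit_cf "$cf"
    rm -f "$cf"
}
```

Sticky-bit directories such as /tmp are flagged deliberately: the sticky bit stops other users deleting sendmail.st, but not creating it, or a symlink of that name, before sendmail does.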