The sendmail program can be run as a set-user-id root process
(that is, with the permissions of root regardless of who runs it,
the default prior to V8.12). It can also be run as an ordinary
process by an ordinary (nonprivileged) user (that is, with root
privilege only if it is run by root).
When sendmail is run so that it has
root privilege, it must give up that privilege
under certain circumstances to remain secure.
When it can't set its identity to that of a real
user, or when it should not (as when writing to files or running
programs specified in the aliases file),
sendmail sets its gid to
that specified by the g option and its
uid to that specified by the
u option. For V8.7 and later, the
DefaultUser option sets both the user and group
identities.
When sendmail is running with root privilege and when the
F=S delivery agent flag is not specified,
sendmail changes its owner and group identity to
that of an ordinary user in the following circumstances:

- If the mail message is forwarded because of a user's
  ~/.forward file, and if delivery is via a
  delivery agent that has the F=o flag set, sendmail changes its
  owner and group identity to that of the user whose
  ~/.forward file was read.
- Otherwise, if the mail message is being delivered through an
  aliases(5) file's :include: mailing list expansion, and if delivery
  is via a delivery agent that has the F=o flag set or to a file,
  sendmail changes its owner and group identity to
  that of the owner of the file that was specified by the
  :include: line.
- Otherwise, if the sender of the mail message is local and if delivery
  is via a delivery agent that does not have the F=o
  flag set or to a file,
  sendmail changes its owner and group identity to
  that of the sender. If the sender is root,
  sendmail changes its owner and group identity to
  that specified by this DefaultUser option.
- Otherwise, sendmail changes its owner and group
  identity to that specified by this DefaultUser
  option.

These user and group defaults are ignored if the delivery
agent's F= equate includes the
S flag (run as another specified user). Also, if
the delivery agent's U= equate is
set, it will be used instead of DefaultUser.
The forms of the DefaultUser option are as follows:
O DefaultUser=uid:gid                   both, configuration file (V8.7 and later)
-ODefaultUser=uid:gid                   both, command line (V8.7 and later)
define(`confDEF_USER_ID',`uid')         user, mc configuration (V8.7 and later)
define(`confDEF_GROUP_ID',`gid')        group, mc configuration (obsolete as of V8.7)
define(`confDEF_USER_ID',`uid:gid')     both, mc configuration (V8.7 and later)
Ouuid                                   user, configuration file (deprecated)
-ouuid                                  user, command line (deprecated)
Oggid                                   group, configuration file (deprecated)
-oggid                                  group, command line (deprecated)
Ouuid:gid                               both, configuration file (deprecated)
-ouuid:gid                              both, command line (deprecated)
The arguments uid and
gid are of type
numeric. Beginning with V8
sendmail, user or group names can also be text
(for example, nobody). Beginning with V8.7
sendmail, the user definition with
DefaultUser can specify both user and group. For
example:
O DefaultUser=daemon:nogroup
There can be arbitrary whitespace between the user
(daemon), the colon, and the group
(nogroup). If the group is missing, the value that
is assigned to it varies depending on the nature of the
uid specification. If the uid
is a name, the group becomes the default group of that user as
defined in the passwd(5) file. If the
uid is numeric, the value in the group is not
changed. For example, consider this passwd(5)
file entry, where the group 12 corresponds to the
group name bumgroup:
bogus:*:10:12::/:
Then all the following are equivalent:
O DefaultUser=bogus
O DefaultUser=bogus:12
O DefaultUser=bogus:bumgroup
O DefaultUser=10:12
Under pre-8.7 sendmail a missing argument caused
the value 0 to be used for the respective user or group identities.
If an entire u or g option was
missing, the default value became 1 (usually
daemon). Under V8.7 and later
sendmail, the default is to look up each of the
following usernames, and to use the first one found to exist:
mailnull
sendmail
daemon
If none of these is found, the default becomes
1:1. In NFS-mounted environments, safe values for
these options are often one or more less than those of the user
nobody and the group
nogroup.
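
The resolution rules and the V8.7 default lookup described above can be traced with the following sketch. It is an example added here, not sendmail's own code. The PASSWD and GROUP tables are constructed sample data, the function names are hypothetical, and two behaviors are assumptions of the example: an unknown user or group name raises an error, and the "unchanged" group for a numeric uid starts out as the default identity.

```python
# Added example: resolves a DefaultUser value with the V8.7+ rules described above.
# PASSWD and GROUP are constructed sample data, not read from the system.
PASSWD = {"bogus": (10, 12), "daemon": (1, 1)}           # name -> (uid, default gid)
GROUP = {"bumgroup": 12, "daemon": 1, "nogroup": 65534}  # name -> gid
FALLBACK_NAMES = ("mailnull", "sendmail", "daemon")


def default_identity(passwd=PASSWD):
    """Identity used when no DefaultUser is given: first existing name, else 1:1."""
    for name in FALLBACK_NAMES:
        if name in passwd:
            return passwd[name]
    return (1, 1)


def resolve_default_user(value, current=None, passwd=PASSWD, group=GROUP):
    """Turn 'user[:group]' (names or numbers) into a numeric (uid, gid) pair."""
    if current is None:
        current = default_identity(passwd)
    # Arbitrary whitespace is allowed around the user, the colon, and the group.
    user, _, grp = (part.strip() for part in value.partition(":"))
    if user.isdigit():
        uid, gid = int(user), current[1]   # numeric uid: group is left unchanged
    elif user in passwd:
        uid, gid = passwd[user]            # name: group defaults to the user's own
    else:
        raise ValueError(f"unknown user {user!r}")   # assumption of this example
    if grp.isdigit():
        gid = int(grp)
    elif grp in group:
        gid = group[grp]
    elif grp:
        raise ValueError(f"unknown group {grp!r}")   # assumption of this example
    return uid, gid


def resolve_cf_line(line, **kw):
    """Resolve an 'O DefaultUser=...' configuration-file line."""
    prefix = "O DefaultUser="
    if not line.startswith(prefix):
        raise ValueError("not a DefaultUser line")
    return resolve_default_user(line[len(prefix):], **kw)


if __name__ == "__main__":
    for line in ("O DefaultUser=bogus", "O DefaultUser=bogus:12",
                 "O DefaultUser=bogus:bumgroup", "O DefaultUser=10:12"):
        print(line, "->", resolve_cf_line(line))
```
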
For maximum security, you should create a special pseudo-user and
assign that pseudo-user to this option. (See Section 10.8.2.1 for a more detailed description of this
approach.)
The g, u, and
DefaultUser options are not safe. If specified
from the command line, they can cause sendmail
to relinquish its special privileges.