Beginning with V8.10, sendmail has two different types of trusted users. There are the traditional trusted users defined by the T configuration command (and the class $=t), who can set the sender address using the -f command-line switch (-f) without generating warnings, and run newaliases.

A separate TrustedUser option sets the identity of the user who can administer sendmail. If it is set, this user will own database-map files (such as aliases) and the control socket (ControlSocketName).

The TrustedUser option is set like this:

O TrustedUser=user                  configuration file (V8.10 and later) 
-OTrustedUser=user                  command line (V8.10 and later) 
define(`confTRUSTED_USER',`user')   mc configuration (V8.10 and later) 

The user is either a user login name (in which case it will be looked up with the appropriate passwd technique), or an integer (in which case it will be used as is as the uid for this user). If the user is an unknown or is omitted, an error will result:

readcf: option TrustedUser: unknown user bad name

There is no default for this option, and the mc configuration technique leaves it undefined by default. See Section 10.8.2.3 for a more complete discussion of this option.

The TrustedUser option is not safe. If it is specified from the command line, it can cause sendmail to relinquish its special privileges.