Sendmail, 3rd Edition by Bryan Costales

As a general rule, programs should never trust their environment. Such trust can lead to exploitation that has grave security consequences. To illustrate, consider the often misused SunOS LD_LIBRARY_PATH environment variable. Programs that use shared libraries look at this variable to determine which shared library routines they should use and in what order they should load them. One form of attack against non-set-user-id programs (such as some delivery agents) is to modify the LD_LIBRARY_PATH variable (as in a user’s ~/.forward file) to introduce Trojan horse library routines in place of the real system’s library routines. Certainly, sendmail should not pass such variables to its delivery agents.

To improve security, early versions of V8 sendmail began deleting variables from its environment before passing them to its delivery agents. It removed the IFS variable to protect Bourne shell-script agents and all variables beginning with “LD_" to protect all delivery agents from shared library attacks.

Beginning with V8.7, sendmail now takes the opposite approach. Instead of trying to second-guess attackers, it instead constructs the delivery agent environment from scratch. In this scheme it defines the AGENT variable as sendmail, and the TZ variable as is appropriate (see the TimeZoneSpec option, TimeZoneSpec). Also, in support of operating systems that require them, it passes the ISP and SYSTYPE variables from its own environment to the delivery agent’s environment. ...