The P= of Delivery Agents

Just as the program form of the F command can pose a security risk if the configuration file is poorly protected, so can the M delivery agent definition. Specifically, the P= equate for a delivery agent (P= on page 748) can be modified to run a bogus program that gives away root privilege. Consider the following modification to the local delivery agent:

Mlocal, P=/bin/mail, F=rlsDFMmnP, S=10, R=20, A=mail -d $u

becomes

Mlocal, P=/tmp/mail, U=0, F=SrlsDFMmnP, S=10, R=20, A=mail -d $u

(note the changed P=, the added U=0, and the S added to the F= flags)

Here, local mail should be delivered with the /bin/mail program, but instead it is delivered with a bogus frontend, /tmp/mail. If /tmp/mail is carefully crafted, users will never notice that the mail has been diverted. The S flag in the F= equate (F=S on page 780) causes sendmail to retain its default identity when executing the bogus /tmp/mail. The U=0 equate (U= on page 755) causes that default to become the identity of root.

Delivery agent P= equates must be protected by protecting the configuration file. As an additional precaution, never use relative pathnames in the P= equate.

The F=S and U=0 are especially dangerous. They should never appear in your configuration file unless you have deliberately placed them there and are 100% certain of their effect. For example, the local_lmtp feature (FEATURE(local_lmtp) on page 625) correctly sets them for the local delivery agent because the mail.local program is no longer set-user-id root.
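A configuration audit for the problems described in this section, as an added example (not code from the book or from sendmail): it parses M lines from a configuration file's text and reports P= values that are relative or sit in a world-writable directory, and agents that combine F=S with a root U=. The function names, the directory list, and the sample configuration are assumptions made for this example.

```python
# Constructed sample: the tampered Mlocal from the text, an invented
# relative-path agent, and an agent using the built-in [IPC] pseudo-program.
SAMPLE_CF = """\
Mlocal, P=/tmp/mail, U=0, F=SrlsDFMmnP, S=10, R=20,
\tA=mail -d $u
Mprog, P=bin/sh, F=lsDFMoqeu9, S=10, R=20, A=sh -c $u
Msmtp, P=[IPC], F=mDFMuX, S=11, R=21, A=TCP $h
"""

# Assumption: directories treated as world-writable on this host.
WRITABLE_DIRS = ("/tmp/", "/var/tmp/")

def parse_agents(cf_text):
    """Yield (name, equates) per M line; equates are keyed by first letter."""
    logical = []
    for line in cf_text.splitlines():
        if line[:1] in (" ", "\t") and logical:
            logical[-1] += " " + line.strip()      # continuation line
        else:
            logical.append(line.rstrip())
    for line in logical:
        if not line.startswith("M"):
            continue
        name, _, rest = line[1:].partition(",")
        equates = {}
        for field in rest.split(","):
            key, sep, value = field.strip().partition("=")
            if not sep or not key:
                continue
            if key[0] == "A":                      # A= is last; may hold commas
                break
            equates[key[0]] = value.strip()
        yield name.strip(), equates

def audit(cf_text):
    """Return (agent, finding) pairs for risky P=, F=S and U= settings."""
    findings = []
    for name, eq in parse_agents(cf_text):
        path = eq.get("P", "")
        if not path.startswith("["):               # skip [IPC]-style built-ins
            if not path.startswith("/"):
                findings.append((name, "P= is not an absolute pathname: %r" % path))
            elif path.startswith(WRITABLE_DIRS):
                findings.append((name, "P= is in a world-writable directory: " + path))
        user = eq.get("U", "").split(":")[0]       # U= is user[:group]
        if "S" in eq.get("F", "") and user in ("0", "root"):
            findings.append((name, "F=S with U=%s runs the agent as root; "
                                   "confirm it is deliberate" % user))
    return findings
```

Running `audit()` against a known-good copy of the configuration and against the live file, then comparing the two result lists, shows whether a delivery agent definition has changed.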
