Permissions for :include:

The sendmail program doesn’t always run as root. When delivering mail, it often changes its identity into that of a nonprivileged user. When delivering to an :include: mailing list, for example, it can change its identity to that of the owner of the list. This, too, can pose security risks if permissions are not appropriate.[73] Consider the following aliases file entry:

newprogs: :include:/usr/local/lists/proglist

Here, notification of new programs is mailed to the alias newprogs. The list of recipients is taken from the following file:

-rw-rw-r--  2 bin  prog   704 Sep 21 14:46 /usr/local/lists/proglist

Because this file is owned by bin, sendmail changes its identity to bin when delivering to the list of recipients. Unfortunately, the file is also writable by the group prog. Anyone in the group prog can add a recipient to that list, including one of the form:

|/tmp/x.sh

This tells sendmail to deliver a copy of the message by running the program (a shell script) /tmp/x.sh. The sendmail program (which is still running as bin) executes that program as bin. Further, suppose the program /tmp/x.sh contains the following:

#!/bin/sh
cp /bin/sh /tmp/sh
chmod u+s /tmp/sh
cat - > /dev/null
exit 0

This causes bin first to make a copy of the Bourne shell in /tmp (a copy that will be owned by bin), and then to set the set-user-id bit on that copy (the u+s):

-rwsr-xr-x  1 bin    64668 Sep 22 07:38 /tmp/sh

The script then throws away the incoming mail message and exits with a zero value ...
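The weakness described above is entirely a permissions problem: an :include: file that is group- or world-writable lets anyone with that write access append a program or file recipient that sendmail will run with the file owner's identity. The following audit script is an added example, not code from the book or from the sendmail distribution. It reads an aliases file, locates every :include: list it references, reports lists that are group- or world-writable, reports recipients that begin with | or / (program and file deliveries), and offers a remediation that clears the group and world write bits. The aliases text, the list file contents and the 0664 mode in demo() are constructed to mirror the proglist example; the function names are my own.

```python
import os
import re
import stat
import tempfile

# Matches the path after ":include:" on an aliases line.
INCLUDE_RE = re.compile(r':include:\s*(\S+)')


def find_include_files(aliases_text):
    """Return the :include: paths referenced in the text of an aliases file."""
    paths = []
    for line in aliases_text.splitlines():
        line = line.split('#', 1)[0]          # drop trailing comments
        for m in INCLUDE_RE.finditer(line):
            paths.append(m.group(1))
    return paths


def audit_include_file(path):
    """Return a list of findings (strings) for one :include: list file."""
    findings = []
    mode = os.stat(path).st_mode
    # Anyone who can write the file can add recipients that sendmail will
    # deliver to while running as the file's owner.
    if mode & stat.S_IWGRP:
        findings.append("group-writable")
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    with open(path) as f:
        for lineno, raw in enumerate(f, 1):
            rcpt = raw.strip()
            if not rcpt or rcpt.startswith('#'):
                continue
            if rcpt.startswith('|'):
                findings.append(f"line {lineno}: program recipient {rcpt}")
            elif rcpt.startswith('/'):
                findings.append(f"line {lineno}: file recipient {rcpt}")
    return findings


def remediate(path):
    """Clear group and world write permission on a list file; return the new mode."""
    mode = os.stat(path).st_mode
    new_mode = stat.S_IMODE(mode) & ~(stat.S_IWGRP | stat.S_IWOTH)
    os.chmod(path, new_mode)
    return new_mode


def run_audit(aliases_text):
    """Map each :include: path in the aliases text to its findings."""
    return {p: audit_include_file(p) for p in find_include_files(aliases_text)}


def demo():
    """Constructed sample (hypothetical paths): a group-writable list containing
    a program recipient. Returns (findings before, findings after remediation)."""
    with tempfile.TemporaryDirectory() as d:
        listfile = os.path.join(d, "proglist")
        with open(listfile, "w") as f:
            f.write("alice\nbob\n|/tmp/x.sh\n")   # constructed list contents
        os.chmod(listfile, 0o664)                 # -rw-rw-r--, as in the text
        aliases = f"newprogs: :include:{listfile}\n"
        before = run_audit(aliases)[listfile]
        remediate(listfile)
        after = run_audit(aliases)[listfile]
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```

Clearing the write bits stops further tampering, but the audit still reports the program recipient already present, which is the part that needs a human to decide whether it belongs there.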
