As a general rule, programs should never trust their environment. Such trust can lead to exploitation that has grave security consequences. To illustrate, consider the often misused SunOS LD_LIBRARY_PATH environment variable. Programs that use shared libraries look at this variable to determine which shared library routines they should use and in what order they should load them. One form of attack against non-set-user-id programs (such as some delivery agents) is to modify the LD_LIBRARY_PATH variable (as in a user’s ~/.forward file) to introduce Trojan horse library routines in place of the real system’s library routines. Certainly, sendmail should not pass such variables to its delivery agents.
To improve security, early versions of V8 sendmail began deleting variables from its environment before passing them to its delivery agents. It removed the IFS variable to protect Bourne shell-script agents, and all variables beginning with LD_ to protect all delivery agents from shared library attacks. The weakness of this deny-list approach is that any dangerous variable not on the list still reaches the agent.
Beginning with V8.7, sendmail takes the opposite approach. Instead of trying to second-guess attackers, it constructs the delivery agent's environment from scratch. In this scheme it defines the AGENT variable as sendmail and the TZ variable as appropriate (see the TimeZoneSpec option). Also, in support of operating systems that require them, it passes the ISP and SYSTYPE variables from its own environment to the delivery agent's environment. ...
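The two approaches side by side, as an added example (not sendmail's own code): scrub_env() is the pre-V8.7 style that deletes IFS and LD_* and forwards everything else, while build_agent_env() is the V8.7 style that starts from an empty environment, sets AGENT=sendmail, and copies only TZ, ISP and SYSTYPE when they are present. The parent environment, the allow-list array and the function names are constructed for this illustration; the /home/attacker paths are placeholders, not a real attack.

```c
/* Two ways of keeping a hostile environment away from a delivery agent.
 * scrub_env() deletes the variables it knows to be dangerous (IFS and
 * LD_*), the pre-V8.7 approach; build_agent_env() starts from an empty
 * environment and adds only what the agent is allowed to see, the
 * V8.7 approach. Example code, not sendmail's own. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ENV_MAX 16

/* Names copied from the parent environment when present. TZ, ISP and
 * SYSTYPE follow the text; treating them as a fixed array is an assumption. */
static const char *const allow[] = { "TZ", "ISP", "SYSTYPE", NULL };

/* Constructed parent environment, standing in for what a ~/.forward
 * entry could inject before a non-set-user-id delivery agent runs. */
char *const hostile[] = {
    "PATH=/usr/bin:/bin",
    "LD_LIBRARY_PATH=/home/attacker/lib",
    "LD_PRELOAD=/home/attacker/lib/trojan.so",
    "IFS= \t\n/",
    "TZ=UTC",
    "SYSTYPE=example",
    NULL
};

char *agent_env[ENV_MAX];   /* filled by demo_build() */
char *scrubbed[ENV_MAX];    /* filled by demo_scrub() */

/* Return the value of NAME in an envp-style array, or NULL if absent. */
const char *env_lookup(char *const *env, const char *name)
{
    size_t n = strlen(name);
    for (; env != NULL && *env != NULL; env++)
        if (strncmp(*env, name, n) == 0 && (*env)[n] == '=')
            return *env + n + 1;
    return NULL;
}

/* Allocate a "NAME=VALUE" entry; the caller frees it. */
static char *make_entry(const char *name, const char *value)
{
    size_t len = strlen(name) + strlen(value) + 2;
    char *e = malloc(len);
    if (e != NULL)
        snprintf(e, len, "%s=%s", name, value);
    return e;
}

/* Deny-list: copy every entry except IFS and LD_*. Anything not on the
 * list (PATH here) still reaches the agent, which is the weakness. */
size_t scrub_env(char *const *parent, char **out, size_t outlen)
{
    size_t k = 0;
    for (; parent != NULL && *parent != NULL && k + 1 < outlen; parent++) {
        if (strncmp(*parent, "IFS=", 4) == 0 || strncmp(*parent, "LD_", 3) == 0)
            continue;
        out[k++] = *parent;          /* shares the parent's strings */
    }
    out[k] = NULL;
    return k;
}

/* Allow-list: start empty, set AGENT=sendmail, then copy only the names
 * in allow[] that exist in PARENT. Returns the number of entries. */
size_t build_agent_env(char *const *parent, char **out, size_t outlen)
{
    size_t k = 0;
    char *e;
    if (outlen < 2) {
        if (outlen > 0) out[0] = NULL;
        return 0;
    }
    e = make_entry("AGENT", "sendmail");
    if (e == NULL) { out[0] = NULL; return 0; }
    out[k++] = e;
    for (const char *const *a = allow; *a != NULL && k + 1 < outlen; a++) {
        const char *v = env_lookup(parent, *a);
        if (v == NULL)
            continue;
        e = make_entry(*a, v);
        if (e == NULL)
            break;
        out[k++] = e;
    }
    out[k] = NULL;
    return k;
}

size_t demo_scrub(void) { return scrub_env(hostile, scrubbed, ENV_MAX); }
size_t demo_build(void) { return build_agent_env(hostile, agent_env, ENV_MAX); }

int main(void)
{
    size_t i, n;
    n = demo_scrub();
    printf("deny-list result (%zu entries):\n", n);
    for (i = 0; i < n; i++) printf("  %s\n", scrubbed[i]);
    n = demo_build();
    printf("allow-list result (%zu entries):\n", n);
    for (i = 0; i < n; i++) printf("  %s\n", agent_env[i]);
    /* agent_env is what would be passed as envp to execve() for the agent */
    for (i = 0; i < n; i++) free(agent_env[i]);
    return 0;
}
```

Running it shows the difference: the deny-list output still carries PATH from the hostile parent, whereas the allow-list output contains only AGENT, TZ and SYSTYPE (ISP is absent because the constructed parent does not set it), and LD_LIBRARY_PATH, LD_PRELOAD and IFS never appear in either.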