A number of security problems can be created by commands given
carelessly in the configuration file. Such problems can be serious
because sendmail starts to run as
root, provided that it has not been given an
unsafe command-line switch (such as
-C; see -C) or an unsafe option (Section 24.2.4). It can continue as root
until it delivers mail, whereupon it generally changes its identity
to that of an ordinary user. When sendmail reads
its configuration file, it can do so while it is still
root. Consequently, as we will illustrate, when
sendmail is improperly configured, it might be
able to read and overwrite any file.
The file form of the
F configuration command (Section 22.1.2) can be used to read sensitive information.
That command looks like this in the configuration file:
This form is used to read class macro entries from files. It can
cause problems through a misunderstanding of the
/path is the name of the file, and the
pat is a pattern to be used by
scanf(3) (Section 188.8.131.52).
To illustrate the risk of the
consider the following configuration file entry:
F command reads only the first
whitespace-delimited word from each line of the file. But if the
pat is specified, the
F command instead reads one or more words from
each line based on the nature of the pattern. The pattern is used by
scanf(3) to extract words, and the specific ...