The F Command—Program Form

Another form of the F (File) configuration command is the program form, which looks like this:

FX|/path

Here, the | prefix to the /path tells sendmail that /path is the name of a program to run. The output produced by the program is appended to the class, here X.

To illustrate another potential security risk, consider a configuration file that is group-writable, perhaps by a few administrators who share the job of postmaster. To break into root, the attacker needs to assume the identity of only one of those users and, under that identity, edit the configuration file. Consider the following bogus entry added by an attacker to that configuration file:

FX|/tmp/.sh

Consider further a change to the DefaultUser option (DefaultUser on page 1000) that causes the default uid and gid to become those of root:

O DefaultUser=0:0

With these changes in place, the program (actually a shell script) called /tmp/.sh is run by sendmail to fill the class X with new values. All this seems harmless enough, but suppose /tmp/.sh does the unexpected:

#!/bin/sh
cp /bin/sh /tmp/.shell
chmod u+s /tmp/.shell

Here, the Bourne shell is copied to /tmp/.shell, and the set-user-id root bit is set. Now, any user at all can run sendmail and become root:

% ls -l /tmp/.shell
/tmp/.shell not found
% /usr/lib/sendmail -bt < /dev/null
% ls -l /tmp/.shell
-rwsr-xr-x  1 root       122880 Sep 24 13:20 /tmp/.shell

The program form of the F configuration command can clearly be dangerous. The sendmail configuration file ...
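The defensive counterpart to the scenario above is to check a configuration file for the three ingredients it combines: a file that someone other than root can edit, a program-form F command, and a DefaultUser that resolves to root. The following Python audit is an added example, not code from the sendmail book or from the sendmail project; the sample configuration text, the function names, and the regular expressions are this example's own assumptions about the long-form syntax shown in this section (one-character or `{name}` class names, `O DefaultUser=uid:gid`).

```python
#!/usr/bin/env python3
# Added example (not from the sendmail book): audit a sendmail.cf for the
# combination described above: a file writable by group or world, a
# program-form F command, and a DefaultUser option that resolves to root.
import os
import re
import stat

# Constructed sample configuration; the entries echo the ones discussed above.
SAMPLE_CF = """\
# comments and blank lines are ignored

FX|/tmp/.sh
Fw/etc/mail/local-host-names
F{LocalDomains}|/usr/local/bin/domains.sh
O DefaultUser=0:0
O DefaultUser=mailnull
"""

# F<class>|<program>: the class is one character or {name}; the '|' selects
# the program form (assumed syntax, matching the examples in the text).
PROGRAM_CLASS_RE = re.compile(r'^F(\{[^}]+\}|[^\s{|])\|(\S+)')
DEFAULT_USER_RE = re.compile(r'^O\s+DefaultUser\s*=\s*(\S+)')


def program_form_classes(cf_text):
    """Return (class, program) pairs for every program-form F command."""
    found = []
    for line in cf_text.splitlines():
        m = PROGRAM_CLASS_RE.match(line)
        if m:
            found.append((m.group(1), m.group(2)))
    return found


def root_default_user_lines(cf_text):
    """Return DefaultUser values whose uid or gid is 0 (numeric or 'root')."""
    bad = []
    for line in cf_text.splitlines():
        m = DEFAULT_USER_RE.match(line)
        if not m:
            continue
        value = m.group(1)
        user, _, group = value.partition(':')
        if user in ('0', 'root') or group in ('0', 'root'):
            bad.append(value)
    return bad


def mode_allows_others_to_write(mode):
    """True if the mode grants write permission to group or world."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_text(cf_text, mode):
    """Pure form of the audit: configuration text plus its file mode in, findings out."""
    findings = []
    if mode_allows_others_to_write(mode):
        findings.append("configuration file is writable by group or world "
                        f"(mode {stat.filemode(stat.S_IFREG | mode)})")
    for cls, prog in program_form_classes(cf_text):
        findings.append(f"class {cls} is filled by running the program {prog}")
    for value in root_default_user_lines(cf_text):
        findings.append(f"DefaultUser={value} makes the default uid/gid root")
    return findings


def audit_file(cf_path):
    """Run the audit against a file on disk (e.g. /etc/mail/sendmail.cf)."""
    st = os.stat(cf_path)
    with open(cf_path) as fh:
        return audit_text(fh.read(), stat.S_IMODE(st.st_mode))


if __name__ == '__main__':
    # Run against the constructed sample as if the file were mode 664.
    for finding in audit_text(SAMPLE_CF, 0o664):
        print(finding)
```

Any single finding is worth a look, but the audit is most useful when it reports all three together, which is exactly the state the walkthrough above relies on; pointing `audit_file` at the live configuration file turns the check into something a cron job can repeat.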
