StatusFile Option and the Statistics File

When sendmail attempts to record its delivery agent statistics (The statistics File on page 365), it checks for the existence and write permissions of the file specified by the StatusFile option (StatusFile on page 1095). Prior to V8.9, sendmail did not care where that file lived or what permissions it had—only that it existed.

A security problem could arise if one is tempted to locate the statistics file in a spool or temporary area. Consider the following location, for example:

define(`STATUS_FILE',`/usr/tmp/statistics')

Here, the administrator sets the StatusFile option to locate the statistics file in the /usr/tmp directory. The intention is that the file can be easily created by anyone who wishes to gather statistics, then removed. Unfortunately, the /usr/tmp directory is usually world-writable.

Thus, prior to V8.9, any unhappy or malicious user could bring the system to its knees:

% cd /usr/tmp
% ln -s /vmunix statistics

Here, sendmail clobbers the disk copy of the kernel. Nothing bad might happen at first,[70] but the machine will require manual intervention to boot in the future.[71] Clearly, precautions must be taken. For example, any file that sendmail writes to (such as the StatusFile option statistics file or the aliases database files) must be writable only by root and live in a directory, every path component of which is writable only by root.
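The rule in the preceding paragraph can be checked mechanically. The following Python audit is an added example, not code from the book or from sendmail; the function names and the `trusted_uids` parameter are assumptions made for illustration. It walks every directory leading to the file (both as written and with symbolic links resolved), then inspects the file itself without following a link:

```python
import os
import stat

def _ancestors(directory):
    """Yield '/', '/usr', '/usr/tmp', ... for an absolute directory path."""
    current = os.sep
    yield current
    for part in directory.strip(os.sep).split(os.sep):
        if part:
            current = os.path.join(current, part)
            yield current

def _unsafe(st, trusted_uids):
    """Return a reason string if the stat result breaks the rule, else None."""
    if st.st_uid not in trusted_uids:
        return "owned by untrusted uid %d" % st.st_uid
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return "group- or world-writable (mode %o)" % stat.S_IMODE(st.st_mode)
    return None

def audit_write_target(path, trusted_uids=(0,)):
    """Return [(path, reason)] for each violation; an empty list means safe."""
    path = os.path.abspath(path)
    parent = os.path.dirname(path)
    # Check the directories as written and as resolved, so a symlinked
    # directory (for example /usr/tmp -> /var/tmp) cannot hide a weak one.
    dirs = list(_ancestors(parent))
    for d in _ancestors(os.path.realpath(parent)):
        if d not in dirs:
            dirs.append(d)
    findings = []
    for d in dirs:
        try:
            reason = _unsafe(os.stat(d), trusted_uids)
        except OSError as exc:
            reason = "cannot stat: %s" % exc.strerror
        if reason:
            findings.append((d, reason))
    try:
        st = os.lstat(path)          # lstat: inspect the link, not its target
    except FileNotFoundError:
        return findings              # file not created yet; directories still count
    if stat.S_ISLNK(st.st_mode):
        findings.append((path, "is a symbolic link to %s" % os.readlink(path)))
    elif not stat.S_ISREG(st.st_mode):
        findings.append((path, "is not a regular file"))
    else:
        reason = _unsafe(st, trusted_uids)
        if reason:
            findings.append((path, reason))
    return findings
```

Calling `audit_write_target()` on the configured StatusFile path with the default `trusted_uids=(0,)` applies the root-only rule; a world-writable directory is reported even when its sticky bit is set, because any user can still create the file or a link there.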

[70] * Programs that need kernel symbols, such as ps(1), will cease to work or will produce ...
