Permissions for ~/.forward Files

The ~/.forward file can pose a security risk to individual users. There is a higher degree of risk if the user is root or one of the semiprivileged users (such as bin). Because the ~/.forward file is like an individual mailing list (:include:) for the user, risk can be encountered if that file is writable by anyone but the user.[75] Consider the following, for example:

drwxr-xr-x 50 george guest        3072 Sep 27 09:19 /home/george/
-rw-rw-r—  1 george guest          62 Sep 17 09:49 /home/george/.forward

Here, the user george’s ~/.forward file is writable by the group guest. Anyone in group guest can edit george’s ~/.forward file, possibly placing something such as this into it:

\george
|"cp /bin/sh /home/george/.x; chmod u+s /home/george/.x"

Now all the attacker has to do is send george mail to create a set-user-id george shell. Then, by executing /home/george/.x, the attacker becomes george.

The semiprivileged users such as bin, and root in particular, should never have ~/.forward files. Instead, they should forward their mail by means of the aliases file directly.

User ~/.forward files must be writable only by the owning user. Similarly, user home directories must live in a directory that is owned and writable only by root, and must themselves be owned and writable only by the user.

Some users, such as the pseudouser uucp, have home directories that must be world-writable for software to work properly. If that software is not needed (if a machine, for example, doesn’t ...

Get sendmail, 4th Edition now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.