UnsafeGroupWrites

Check unsafe group permissions (Deprecated)

In processing a ~/.forward file or a :include: file, a question arises when group- or world-write permission is enabled. Should sendmail trust the addresses found in such files? Clearly the answer is “no” when world-write permission is enabled. But what of group-write permission?

Beginning with V8.8 sendmail, the decision of whether to trust group-write permission is left to the UnsafeGroupWrites option, which looks like this:

O UnsafeGroupWrites=bool   ← configuration file (V8.8 and later)
-OUnsafeGroupWrites=bool   ← command line (V8.8 and later)
define(`confUNSAFE_GROUP_WRITES',bool)   ← mc configuration (V8.7 and later)

The optional argument bool, when missing, defaults to true (check for unsafe group-write permission). If this option is missing entirely, it defaults to false (don’t check for unsafe group-write permission).

With this option set to true, a ~/.forward file or a :include: file with group or world writability will result in one of these four errors being logged:

filename: group writable forward file, marked unsafe
filename: world writable forward file, marked unsafe
filename: group writable include file, marked unsafe
filename: world writable include file, marked unsafe

Any address in the file that is a file or a program will result in a bounce and this message:

Address address is unsafe for mailing to programs
Address address is unsafe for mailing to files
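The following audit script is an added example, not code from sendmail or from the book. It flags a ~/.forward or :include: file whose mode has group- or world-write permission and lists the program and file addresses that would bounce, using messages modelled on those quoted above. The function names, the simplified address parsing, and the sample file contents are assumptions made for illustration.

```python
import os
import stat
import tempfile


def classify_mode(mode):
    """Return 'world', 'group' or None for an st_mode value."""
    if mode & stat.S_IWOTH:
        return "world"
    if mode & stat.S_IWGRP:
        return "group"
    return None


def risky_addresses(text):
    """Find addresses that deliver to a program (|...) or a file (/...).
    Assumption: simplified parsing (comma or newline separated, optional
    double quotes); sendmail's own address parser handles more forms.
    """
    found = []
    for line in text.splitlines():
        for addr in line.split(","):
            addr = addr.strip().strip('"')
            if addr.startswith("|"):
                found.append(("programs", addr))
            elif addr.startswith("/"):
                found.append(("files", addr))
    return found


def audit(path, kind="forward"):
    """Return messages modelled on those quoted above; [] if the mode is safe."""
    who = classify_mode(os.stat(path).st_mode)
    if who is None:
        return []
    msgs = [f"{path}: {who} writable {kind} file, marked unsafe"]
    with open(path, encoding="utf-8", errors="replace") as fh:
        for target, addr in risky_addresses(fh.read()):
            msgs.append(f"Address {addr} is unsafe for mailing to {target}")
    return msgs


if __name__ == "__main__":
    # Constructed sample: a group-writable .forward in a scratch directory.
    sample = os.path.join(tempfile.mkdtemp(), ".forward")
    with open(sample, "w", encoding="utf-8") as fh:
        fh.write('alice@example.com, "|/usr/local/bin/filter"\n/var/tmp/archive\n')
    os.chmod(sample, 0o664)
    print("\n".join(audit(sample)))
```

Pass `kind="include"` when auditing a :include: file; a file that is both group- and world-writable is reported as world writable.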

Beginning with V8.10, sendmail uses this option only to set the ...
