DontBlameSendmail and Enhanced File Security

Beginning with version 8.9.0, sendmail has tightened the rules used for opening files. Sendmail now checks the modes and ownership of the files and the directory path leading up to that file to prevent users from taking advantage of overly permissive modes on directories and files.

During your migration to sendmail 8.9, you will need to fix up any permissions which would be considered unsafe such as non-root owned directories containing maps or group writable directories and files. In general, directories which sendmail reads from should be owned by root unless the RunAsUser option is set. There are exceptions to this rule such as user .forward files.

You may have to tweak your environment to make it safer for sendmail to run. If you find that some of the safeties in sendmail are too restrictive for your environment, they can be turned off by setting the option DontBlameSendmail. The option is appropriately named as sendmail is not to be blamed for problems resulting from unsafe permissions on directories and files.

Checking your system for these unsafe files is simply a matter of performing a few commands to see if they report any problems. For example, if rebuilding the aliases file with:

# newaliases -v

gives messages such as:

WARNING: writable directory /etc
WARNING: writable directory /usr/spool/mqueue

then the directories listed have inappropriate write permissions and should be secured to avoid various possible security attacks. Although somewhat verbose, a good test to make sure sendmail is satisfied with the permissions on your database maps, class files, and aliases file is the command:

# sendmail -v -d44.4 -bv postmaster

This will output the file safety checks as they are done and the results of each one.

The biggest surprise is likely to come from .forward and :include: files in unsafe directory paths (directory paths which are group or world writable). This is no longer allowed. This would mean that if user joe's home directory was writable by group staff, sendmail would not use his .forward file. This behavior can be altered, at the possible expense of system security, by setting the DontBlameSendmail option. For example, to allow forward files in group writable directories:

O DontBlameSendmail=forwardfileingroupwritabledirpath

Or to allow them in both group and world writable directories:

O DontBlameSendmail=forwardfileinunsafedirpath

Items from these unsafe .forward and :include: files will be marked as unsafe addresses -- the items can not be deliveries to files or programs. This behavior can also be altered via DontBlameSendmail:

O DontBlameSendmail=forwardfileinunsafedirpath, forwardfileinunsafedirpathsafe

The first flag allows the forward file to be read, the second allows the items in the file to be marked as safe for file and program delivery.

Other files affected by this strengthened security include class files (i.e. Fw /etc/, persistent host status files, and the files specified by the ErrorHeader and HelpFile options. Similar DontBlameSendmail flags are available for these files.

The DontBlameSendmail option takes one or more names that disable checks. In the descriptions that follow, "unsafe directory" means a directory that is writable by anyone other than the owner. The values are:

Safe No special handling.
AssumeSafeChown Assume that the chown system call is restricted to root. Since some versions of UNIX permit regular users to give away their files to other users on some filesystems, sendmail often cannot assume that a given file was created by the owner, particularly when it is in a writable directory. You can set this flag if you know that file giveaway is restricted on your system.
ClassFileInUnsafeDirPath When reading class files (using the F line in the configuration file), allow files that are in unsafe directories.
ErrorHeaderInUnsafeDirPath Allow the file named in the ErrorHeader option to be in an unsafe directory.
GroupWritableDirPathSafe Change the definition of "unsafe directory" to consider group-writable directories to be safe. World-writable directories are always unsafe.
GroupWritableForwardFileSafe Accept group-writable .forward files.
GroupWritableIncludeFileSafe Accept group-writable :include: files.
GroupWritableAliasFile Allow group-writable alias files.
HelpFileInUnsafeDirPath Allow the file named in the HelpFile option to be in an unsafe directory.
WorldWritableAliasFile Accept world-writable alias files.
ForwardFileInGroupWritableDirPath Allow .forward files in group writable directories.
IncludeFileInGroupWritableDirPath Allow :include: files in group writable directories.
ForwardFileInUnsafeDirPath Allow .forward files in unsafe directories.
IncludeFileInUnsafeDirPath Allow :include: files in unsafe directories.
ForwardFileInUnsafeDirPathSafe Allow a .forward file that is in an unsafe directory to include references to program and files.
IncludeFileInUnsafeDirPathSafe Allow a :include: file that is in an unsafe directory to include references to program and files.
MapInUnsafeDirPath Allow maps (e.g., hash, btree, and dbm files) in unsafe directories.
LinkedAliasFileInWritableDir Allow an alias file that is a link in a writable directory.
LinkedClassFileInWritableDir Allow class files that are links in writable directories.
LinkedForwardFileInWritableDir Allow .forward files that are links in writable directories.
LinkedIncludeFileInWritableDir Allow :include: files that are links in writable directories.
LinkedMapInWritableDir Allow map files that are links in writable directories.
LinkedServiceSwitchFileInWritableDir Allow the service switch file to be a link even if the directory is writable.
FileDeliveryToHardLink Allow delivery to files that are hard links.
FileDeliveryToSymLink Allow delivery to files that are symbolic links.
RunProgramInUnsafeDirPath Go ahead and run programs that are in writable directories.
RunWritableProgram Go ahead and run programs that are group- or world-writable.
WriteMapToHardLink Allow writes to maps that are hard links.
WriteMapToSymLink Allow writes to maps that are symbolic links.
WriteStatsToHardLink Allow the status file to be a hard link.
WriteStatsToSymLink Allow the status file to be a symbolic link.