Since pre-V8.12 sendmail is
often installed to run as a set-user-id root process, it is a prime target for intrusion.*
The "Internet worm," for example, used a flaw in old versions of sendmail as one way
to gain entry to thousands of machines.† If sendmail is not properly installed,
improper file permissions can be used to trick the system into giving away root
privilege.
In this chapter, we present several ways to protect your site from intrusion via sendmail.
Most of these are just good common sense, and the experienced system administrator
might be offended that we state the obvious. But not all system
administrators are experienced, and not all who administer systems are system
administrators. If you fall into the latter category, you might wish to keep a good,
general Unix reference by your side to better appreciate our suggestions.
4.1 Why root?
One common complaint about sendmail centers on the fact that it is often run
set-user-id root (that is, run as root no matter who actually runs it). Beginning with
V8.12, the default is to run sendmail as a user other than root. The listening daemon
needs to be root, but sendmail itself no longer needs to be set-user-id root.
* The default beginning with V8.12 is to install sendmail as a non-set-user-id program that operates as root only
if it is run by root.
† That flaw has been eliminated: wrongly by some vendors who turned all debugging completely off, correctly
by most who simply disabled SMTP debugging.