The sendmail program can be run as a set-user-id root process (that is, with the permissions of root, regardless of who runs it; this was the default prior to V8.12). It can also be run as an ordinary process by an ordinary (nonprivileged) user (that is, with root privilege only if it is run by root). When sendmail is run so that it has root privilege, it must give up that privilege under certain circumstances to remain secure. [17]
When it can't set its identity to that of a real user, or when it should not (as when writing to files or running programs specified in the aliases file), sendmail sets its gid to that specified by the g option and its uid to that specified by the u option. For V8.7 and later, the DefaultUser option sets both the user and group identities. [18]
When sendmail is running with root privilege and when the F=S delivery agent flag is not specified, sendmail changes its owner and group identity to that of an ordinary user in the following circumstances:
These user and group defaults are ignored if the delivery agent's F= equate includes the S flag (run as another specified user). Also, if the delivery agent's U= equate is set, it will be used instead of DefaultUser. The forms of the DefaultUser option are as follows:

    O DefaultUser=uid:gid                  both, configuration file (V8.7 and later)
    -ODefaultUser=uid:gid                  both, command line (V8.7 and later)
    define(`confDEF_USER_ID',`uid')        user, mc configuration (V8.7 and later)
    define(`confDEF_GROUP_ID',`gid')       group, mc configuration (obsolete as of V8.7)
    define(`confDEF_USER_ID',`uid:gid')    both, mc configuration (V8.7 and later)
    Ou uid                                 user, configuration file (deprecated)
    -ou uid                                user, command line (deprecated)
    Og gid                                 group, configuration file (deprecated)
    -og gid                                group, command line (deprecated)
    Ou uid:gid                             both, configuration file (deprecated)
    -ou uid:gid                            both, command line (deprecated)

The arguments uid and gid are of type numeric. Beginning with V8 sendmail, user or group names can also be text (for example, nobody). Beginning with V8.7 sendmail, the user definition with DefaultUser can specify both user and group. For example:

    O DefaultUser=daemon:nogroup

There can be arbitrary whitespace between the user (daemon), the colon, and the group (nogroup). If the group is missing, the value that is assigned to it varies depending on the nature of the uid specification. If the uid is a name, the group becomes the default group of that user as defined in the passwd(5) file. If the uid is numeric, the value in the group is not changed. For example, consider this passwd(5) file entry, where the group 12 corresponds to the group name bumgroup:

    bogus:*:10:12::/:

Then all the following are equivalent:

    O DefaultUser=bogus
    O DefaultUser=bogus:12
    O DefaultUser=bogus:bumgroup
    O DefaultUser=10:12

Under pre-8.7 sendmail a missing argument caused the value 0 to be used for the respective user or group identities. If an entire u or g option was missing, the default value became 1 (usually daemon). Under V8.7 and later sendmail, the default is to look up each of the following usernames, and to use the first one found to exist:

    mailnull
    sendmail
    daemon

If none of these is found, the default becomes 1:1. In NFS-mounted environments, safe values for these options are often one or more less than those of the user nobody and the group nogroup. [19]
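The V8.7-and-later resolution rules described above, as an added Python example (not code from sendmail or from the original text). The passwd and group tables are constructed sample data, the function names are hypothetical, and rejecting unknown or empty names is this example's choice rather than documented sendmail behaviour.

```python
# Constructed stand-ins for passwd(5) and group(5); not real system data.
PASSWD = {"bogus": (10, 12), "daemon": (1, 1)}  # name -> (uid, default gid)
GROUP = {"bumgroup": 12, "nogroup": 65534}       # name -> gid

FALLBACK_NAMES = ("mailnull", "sendmail", "daemon")


def builtin_default(passwd=PASSWD):
    """V8.7+ default when DefaultUser is never set: first existing name, else 1:1."""
    for name in FALLBACK_NAMES:
        if name in passwd:
            return passwd[name]
    return (1, 1)


def resolve_default_user(value, current, passwd=PASSWD, group=GROUP):
    """Resolve a 'user[:group]' value; `current` is the (uid, gid) now in effect."""
    # Arbitrary whitespace is allowed around the user, the colon and the group.
    user, _, grp = (part.strip() for part in value.partition(":"))
    if not user:
        # The text does not cover an empty user under V8.7+; rejecting is an assumption.
        raise ValueError("missing user in DefaultUser value")
    if user.isdecimal():
        uid, gid = int(user), current[1]   # numeric uid: group is left unchanged
    elif user in passwd:
        uid, gid = passwd[user]            # name: group defaults to the passwd(5) group
    else:
        raise ValueError(f"unknown user {user!r}")   # example's choice
    if grp:                                # an explicit group overrides either default
        if grp.isdecimal():
            gid = int(grp)
        elif grp in group:
            gid = group[grp]
        else:
            raise ValueError(f"unknown group {grp!r}")  # example's choice
    return (uid, gid)


if __name__ == "__main__":
    start = builtin_default()
    for spec in ("bogus", "bogus:12", "bogus:bumgroup", "10:12", "bogus : bumgroup", "10"):
        print(f"{spec!r:20} -> {resolve_default_user(spec, start)}")
```
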
For maximum security, you should create a special pseudo-user and assign that pseudo-user to this option. (See Section 10.8.2.1 for a more detailed description of this approach.) The g, u, and DefaultUser options are not safe. If specified from the command line, they can cause sendmail to relinquish its special privileges.