Problem

You need to apply patches to close known sendmail security holes.

Solution

Subscribe to the sendmail-announce mailing list to receive notification of important security patches by sending mail to majordomo@lists.sendmail.org that contains the following line:

    subscribe sendmail-announce

Download the patch from ftp.sendmail.org or from www.sendmail.org.

Use the patch command to apply a security patch to the sendmail source code.

Recompile and reinstall sendmail, as described in Recipe 1.2, using the patched source code.

Restart sendmail. For example:

    # kill -HUP `head -1 /var/run/sendmail.pid`

Discussion

Fixing a problem with a source code patch is very similar to installing a completely new sendmail source code distribution. In both cases:

The biggest differences between the two approaches to closing a security hole are:

The approach you use depends on your personal preferences and the nature of the sendmail currently installed on your system. If you use a version of sendmail provided by a vendor that has some special features, patching may be a way to fix a security problem while retaining those features. Of course there is no guarantee. If the vendor has extensively modified the sendmail source, the patch may not work. If you really are dependent on a vendor-supplied version of sendmail, the best approach is to go directly to the vendor for the security fix. For example, for a Red Hat Linux system, you can obtain critical security fixes directly from the Red Hat web site. Figure 10-1 shows a web page at redhat.com that points to the RPM files containing a sendmail security fix.

Figure 10-1. sendmail fixes available from Red Hat

This chapter, like the rest of this book, uses the sendmail source code distribution instead of a vendor's copy of sendmail. In particular, sendmail 8.12.9 is used throughout this book because it was the latest version of sendmail available when the bulk of this book was written. The following example shows sendmail 8.12.9 being patched to fix a critical security problem. Fixes for the sendmail source code distribution can be obtained directly from sendmail.org. This example begins by downloading the patch from the pub/sendmail directory on ftp.sendmail.org. The source code patch file is parse8.359.2.8 and the signature file for the patch file is parse8.359.2.8.sig:

    # ftp ftp.sendmail.org
    Connected to ftp.sendmail.org (209.246.26.22).
    220 services.sendmail.org FTP server (Version 6.00LS) ready.
    Name (ftp.sendmail.org:WIN): anonymous
    331 Guest login ok, send your email address as password.
    Password: win@wrotethebook.com
    230 Guest login ok, access restrictions apply.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> cd pub/sendmail
    250 CWD command successful.
    ftp> get parse8.359.2.8
    local: parse8.359.2.8 remote: parse8.359.2.8
    227 Entering Passive Mode (209,246,26,22,196,166)
    150 Opening BINARY mode data connection for 'parse8.359.2.8' (346 bytes).
    226 Transfer complete.
    346 bytes received in 0.000351 secs (9.6e+02 Kbytes/sec)
    ftp> get parse8.359.2.8.sig
    local: parse8.359.2.8.sig remote: parse8.359.2.8.sig
    227 Entering Passive Mode (209,246,26,22,196,171)
    150 Opening BINARY mode data connection for 'parse8.359.2.8.sig' (152 bytes).
    226 Transfer complete.
    152 bytes received in 0.000672 secs (2.2e+02 Kbytes/sec)
    ftp> quit
    221 Goodbye.

Verify the patch using the signature file downloaded from sendmail.org:

    # gpg --verify parse8.359.2.8.sig parse8.359.2.8
    gpg: Signature made Thu 18 Sep 2003 10:17:20 AM EDT using RSA key ID 396F0789
    gpg: Good signature from "Sendmail Signing Key/2003 <sendmail@Sendmail.ORG>"
    gpg: checking the trustdb
    gpg: checking at depth 0 signed=1 ot(-/q/n/m/f/u)=0/0/0/0/0/1
    gpg: checking at depth 1 signed=0 ot(-/q/n/m/f/u)=1/0/0/0/0/

To verify the signature, you must have previously downloaded the PGP keys from sendmail.org and added those keys to your key ring. Downloading the PGP keys and adding them to the key ring is shown in Recipe 1.1.

Apply the source code patch:

    # cd /usr/local/src/sendmail-8.12.9/sendmail
    # patch < /usr/local/src/patches/parse8.359.2.8
    patching file parseaddr.c

After the source code is patched, it must be recompiled and reinstalled, as described in Recipe 1.2. Then the sendmail daemon must be restarted to ensure that it is using the patched software.

Installing a completely new sendmail distribution is an alternative to patching the old one. The same fix installed by patching sendmail 8.12.9 could have been made by installing sendmail 8.12.10.

See Also

Recipe 10.3 provides an alternative way to fix a security hole.
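The verify-then-patch steps in the Discussion above can be scripted so that the patch is never applied unless the signature check passes. The following is an added example written for this recipe; it is not code from the sendmail Cookbook or from the sendmail project. It assumes GnuPG and the patch command are installed and that the sendmail signing key is already on the key ring (Recipe 1.1). The fingerprint, key ID, user ID and gpg status text used for the offline check are constructed placeholders, and the paths in the usage block are assumptions; substitute the real fingerprint of the sendmail signing key before using it.

```python
"""Verify a sendmail source patch against its detached signature, then apply it.

Added example, not code from the sendmail Cookbook or the sendmail project.
It assumes GnuPG and the patch command are installed and that the sendmail
signing key is already on the key ring (Recipe 1.1).  The fingerprint the
caller passes in is the one thing this check actually trusts.
"""
import subprocess
from pathlib import Path


def evaluate_gpg_status(status_text: str, expected_fpr: str) -> tuple[bool, str]:
    """Decide whether gpg --status-fd output represents an acceptable signature.

    GOODSIG only means the signature verifies against *some* key on the ring.
    VALIDSIG carries the fingerprint of the signing key (and, as its last
    field, the primary key's fingerprint); that is what we compare against
    the fingerprint we expect for the sendmail signing key.
    """
    want = expected_fpr.replace(" ", "").upper()
    saw_goodsig = False
    signing_fprs: set[str] = set()
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue  # human-readable text, not a status line
        fields = line.split()
        tag = fields[1]
        if tag == "BADSIG":
            return False, "BADSIG: signature does not match the file"
        if tag == "NO_PUBKEY":
            return False, f"NO_PUBKEY: signing key {fields[2]} is not on the key ring"
        if tag in ("EXPKEYSIG", "REVKEYSIG"):
            return False, f"{tag}: signature made with an expired or revoked key"
        if tag == "GOODSIG":
            saw_goodsig = True
        elif tag == "VALIDSIG":
            signing_fprs.add(fields[2].upper())   # signing (sub)key fingerprint
            signing_fprs.add(fields[-1].upper())  # primary key fingerprint
    if not saw_goodsig:
        return False, "no GOODSIG line: signature did not verify"
    if want not in signing_fprs:
        return False, "signature is valid but not from the expected key"
    return True, "good signature from the expected key"


def verify_detached_signature(patch: Path, sig: Path, expected_fpr: str) -> tuple[bool, str]:
    """Run gpg --verify with machine-readable status on stdout and evaluate it."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", str(sig), str(patch)],
        capture_output=True, text=True, check=False,
    )
    return evaluate_gpg_status(proc.stdout, expected_fpr)


def apply_patch(source_dir: Path, patch: Path) -> None:
    """Apply the patch the way the recipe does (patch < file), but dry-run
    first so a patch that does not apply cleanly leaves the tree untouched."""
    for extra in (["--dry-run"], []):
        with patch.open("rb") as fh:
            subprocess.run(["patch", *extra], cwd=source_dir, stdin=fh, check=True)


def patch_sendmail(source_dir: Path, patch: Path, sig: Path, expected_fpr: str) -> None:
    """Refuse to touch the source tree unless the signature check passes."""
    ok, reason = verify_detached_signature(patch, sig, expected_fpr)
    if not ok:
        raise SystemExit(f"refusing to patch: {reason}")
    apply_patch(source_dir, patch)
    print("patch applied; now rebuild and reinstall (Recipe 1.2) and HUP sendmail")


# Constructed gpg --status-fd output for checking the evaluator offline.
# Key ID, user ID and fingerprint are placeholders, not sendmail's real key.
CONSTRUCTED_GOOD_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Signing Key <signer@example.invalid>
[GNUPG:] VALIDSIG 0000111122223333444455556666777788889999 2003-09-18 1063894640 0 4 0 1 2 00 0000111122223333444455556666777788889999
[GNUPG:] TRUST_FULLY 0 pgp
"""
CONSTRUCTED_FPR = "0000 1111 2222 3333 4444  5555 6666 7777 8888 9999"

if __name__ == "__main__":
    # Assumed paths, following the recipe's layout; the fingerprint placeholder
    # must be replaced with the real sendmail signing key fingerprint.
    patch_sendmail(
        Path("/usr/local/src/sendmail-8.12.9/sendmail"),
        Path("/usr/local/src/patches/parse8.359.2.8"),
        Path("/usr/local/src/patches/parse8.359.2.8.sig"),
        "FINGERPRINT-OF-SENDMAIL-SIGNING-KEY",
    )
```

The fingerprint comparison is the part that matters: gpg prints "Good signature" for any key that happens to be on the key ring, so a script that only greps for that string would accept a patch signed by an unrelated key someone imported. Comparing against the expected fingerprint from the status output ties the check to the sendmail signing key itself. The dry run before the real patch invocation keeps a rejected hunk from leaving parseaddr.c half-modified.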