Recipe 10.10 Running sendmail Non-Set-User-ID root

Problem

You wish to reduce the amount of time that sendmail runs as a root process.

Solution

Upgrade to the latest release of sendmail 8.12. Create an entry for the user smmsp in the /etc/passwd file and an entry for the group smmsp in the /etc/group file. Install and compile the new sendmail distribution as described in Recipe 1.2.

Discussion

sendmail runs as a daemon or an interactive process. As a daemon, sendmail is used to listen on network ports or to periodically check the mail queue. sendmail can also be launched as an interactive process by a user's mail program or by the user from the command line to submit a message to the message transmission agent (MTA). A daemon that binds a listener to a privileged network port must run as root, but many of sendmail's other duties can be done without root privileges. In particular, when sendmail is used as a message submission program (MSP) launched by a user to send mail to the MTA, it does not need root privilege. Recipe 1.2 describes a configuration that ensures that sendmail has root privilege only when necessary.

The decision to run the sendmail program as set-user-ID root must be taken early in the installation process. Beginning with sendmail 8.12, the default is to run the sendmail program as set-group-ID smmsp, as a simple ls command shows:

 $ ls -l /usr/sbin/sendmail
 -r-xr-sr-x    1 root     smmsp      615263 Jan 24 16:13 /usr/sbin/sendmail

To force sendmail to install the sendmail program as set-user-ID root, which would reduce security, run Build install-set-user-id instead of Build install during the initial installation of the sendmail distribution. Of course, we don't recommend this.

The set-group-ID smmsp configuration is a definite security improvement over earlier versions of sendmail because users no longer use a set-user-ID root program to send mail. Instead, the sendmail process launched by the user from the command line retains the user's UID. The GID of the process is set to smmsp in order to allow the process to queue mail in the case of a delivery failure.

In earlier versions of sendmail, the program always ran set-user-ID root. However, sendmail must run as root only when it is run as a daemon listening for inbound mail. root privilege is not necessary for sending outbound mail.

It is necessary, however, to create a separate mail queue that is owned by the user smmsp for those times when sendmail is running as a non-root process. That queue, named /var/spool/clientmqueue, is created by the Build install command during the installation of the sendmail distribution, as this snippet of messages from an installation shows:

 You must have setup a new user smmsp and a new group smmsp as explained in sendmail/SECURITY.
 mkdir -p /var/spool/clientmqueue
 chown smmsp /var/spool/clientmqueue
 chgrp smmsp /var/spool/clientmqueue
 chmod 0770 /var/spool/clientmqueue
 install -c -o root -g smmsp -m 2555 sendmail /usr/sbin

In addition to its own queue, MSP sendmail has its own configuration file. That file is always called submit.cf and is built from the submit.mc file. The submit.mc file delivered with the sendmail 8.12.9 distribution contains the following lines:

 VERSIONID(`$Id: ch10.xml,v 1.6 2004/01/05 18:48:33 chodacki Exp $')
 define(`confCF_VERSION', `Submit')
 define(`_OSTYPE_',`')dnl dirty hack to keep proto.m4 from complaining
 define(`_USE_DECNET_SYNTAX_', `1')dnl support DECnet
 define(`confTIME_ZONE', `USE_TZ')
 define(`confDONT_INIT_GROUPS', `True')
 dnl
 dnl If you use IPv6 only, change [127.0.0.1] to [IPv6:::1]
 FEATURE(`msp', `[127.0.0.1]')

The VERSIONID macro defines version information for the .mc file. The confCF_VERSION define specifies version information for the .cf file. By default, the .cf file version information, which is stored in the $Z macro, matches the sendmail version number. In this example, that would be 8.12.9. The confCF_VERSION define adds the string "Submit" to that information, as this grep shows:

 # grep '^DZ' submit.cf
 DZ8.12.9/Submit

The next two lines define internal proto.m4 variables in ways that are designed to trick the system into doing something a little out of the ordinary. The first defines the _OSTYPE_ variable. Normally this variable is defined by the OSTYPE macro. If this variable does not exist, the error "No system type defined (use OSTYPE macro)" is displayed and the m4 process terminates. Setting the variable directly tricks the system into continuing on without an OSTYPE macro.

The _USE_DECNET_SYNTAX_ define allows DECnet style node::user addressing. Normally, this variable is set to 1 by the DECNET_RELAY macro when a DECnet relay host is defined. The submit.cf file does not define a DECnet relay host. All mail is sent by the relay mailer to the host defined in the ${MTAHost} macro. The _USE_DECNET_SYNTAX_ define is required in order to support DECnet syntax without a DECnet relay host.

confTIME_ZONE defines the way in which sendmail should determine the local time zone. Because the MSP configuration does not run as root, it can safely determine the local time zone from the TZ environment variable. Thus, the confTIME_ZONE define is set to USE_TZ in the submit.mc file used for the MSP configuration.

The last define is confDONT_INIT_GROUPS. In the submit.cf file it sets the DontInitGroups option to True. This setting prevents sendmail from changing its UID and GID when performing certain tasks, such as running a mail delivery agent. Because the MSP configuration is supposed to run as user smmsp and not supposed to use any special privileges, it makes sense to include this define in the configuration.

After two comment lines, the last command in the configuration enables the msp feature, which is the heart of the configuration. The msp feature creates the configuration that makes this a message submission program. The argument passed to the msp feature is the hostname or IP address of the MTA to which the MSP should send the mail. The argument is stored in the submit.cf macro ${MTAHost}.

In the submit.mc file delivered with sendmail 8.12.9, the msp argument is [127.0.0.1], which is the loopback address for the local host on all IPv4 systems. Square brackets are always placed around a numeric address; when placed around a hostname, they prevent sendmail from looking up the MX records for that hostname. [127.0.0.1] is the default value for ${MTAHost}, so this argument is not really needed on the msp command line. The reason it is used in the submit.mc file provided with 8.12.9 is as an example for administrators who might need to change the ${MTAHost} value. Recipe 10.1 provides an example of changing the ${MTAHost} value to enhance system security.

Only minimal edits should be made to the submit.mc file. Good examples of appropriate edits are the changes made by Red Hat and those shown in Recipe 10.1. Red Hat modifies the submit.mc file to put the sm-client.pid file into the /var/run directory instead of into the /var/spool/clientmqueue directory, where it is placed by default. Recipe 10.1 shows an example of how the submit.mc file is modified on a system that does not run an SMTP listener. It is the only recipe in this text that modifies submit.cf; every other recipe applies to sendmail.cf.

The default submit.cf file sets the RunAsUser option to smmsp. It is the RunAsUser option that tells sendmail to run as something other than root. This option predates the submit.cf configuration and was originally created for use on some firewall bastion hosts that run sendmail as a non-root process. However, the submit.cf configuration is the most effective use of this option that I have seen. Don't confuse the RunAsUser option with the DefaultUser option; they are incompatible. RunAsUser defines the user ID used instead of root. DefaultUser defines the user ID used in addition to root when a copy of sendmail that has root privileges gives up those privileges. DefaultUser is covered in Recipe 10.11.
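
The following audit script is an added example, not code from the book or the sendmail distribution. It checks a host against the ownership and modes shown in the install output above and against the RunAsUser setting in submit.cf. GNU stat, the /etc/mail/submit.cf path, the "O RunAsUser=smmsp" line format and the function names are assumptions made for the example.

```shell
# Added example, not from the book. Expected values come from the recipe:
#   /usr/sbin/sendmail       root:smmsp   mode 2555
#   /var/spool/clientmqueue  smmsp:smmsp  mode 0770

# check_binary MODE OWNER GROUP: returns 0 if the binary matches the recipe.
check_binary() {
    m=$((0$1))    # the leading 0 makes the shell read MODE as octal
    if [ $((m & 04000)) -ne 0 ] && [ "$2" = root ]; then
        echo "FAIL: set-user-ID root"; return 1
    fi
    if [ $((m & 02000)) -eq 0 ] || [ "$3" != smmsp ]; then
        echo "FAIL: not set-group-ID smmsp"; return 1
    fi
    if [ $((m & 0022)) -ne 0 ]; then
        echo "FAIL: group- or world-writable"; return 1
    fi
    echo "OK: set-group-ID smmsp"
}

# check_queue MODE OWNER GROUP: returns 0 if the MSP queue matches the recipe.
check_queue() {
    m=$((0$1))
    if [ "$2" != smmsp ] || [ "$3" != smmsp ]; then
        echo "FAIL: queue not owned by smmsp:smmsp"; return 1
    fi
    if [ $((m & 0007)) -ne 0 ]; then
        echo "FAIL: queue accessible to other users"; return 1
    fi
    echo "OK: queue restricted to smmsp"
}

# check_submit_cf FILE: returns 0 if FILE has an active RunAsUser=smmsp option.
check_submit_cf() {
    grep -Eq '^O[[:space:]]*RunAsUser=smmsp([[:space:]]|$)' "$1"
}

# audit: live check (assumes GNU stat, /etc/mail/submit.cf); $(...) is split on purpose.
audit() {
    check_binary $(stat -L -c '%a %U %G' /usr/sbin/sendmail)
    check_queue $(stat -c '%a %U %G' /var/spool/clientmqueue)
    check_submit_cf /etc/mail/submit.cf || echo "FAIL: RunAsUser is not smmsp"
}

# Default run uses the values shown in the recipe; pass --live to check this host.
if [ "${1:-}" = --live ]; then
    audit
else
    check_binary 2555 root smmsp && check_queue 0770 smmsp smmsp
fi
```

A binary installed with Build install-set-user-id fails the first check, and a commented-out RunAsUser line in submit.cf fails the last one.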

See Also

Chapter 1 covers the installation of sendmail, including the creation of the smmsp user and group IDs. Recipe 10.1 provides a realistic example of editing the submit.mc configuration. The sendmail book covers the MSP configuration in Section 2.6.2, the msp feature in Section 4.8.27, confCF_VERSION in 21.9.100, confTIME_ZONE in 24.9.110, confDONT_INIT_GROUPS in 24.9.38, ${MTAHost} in 21.9.67, RunAsUser in 24.9.94, and DefaultUser in 24.9.29.



sendmail Cookbook
ISBN: 0596004710
EAN: 2147483647
Year: 2005
Pages: 178
Authors: Craig Hunt
