Recipe 10.12 Defining Trusted Users

Problem

System changes, such as installing a new mail delivery program, may require adding names to the list of users who can override the sender address.

Solution

Carefully determine if there is really a need for additional trusted users. Only when absolutely necessary, add a confTRUSTED_USERS define to the sendmail configuration, such as the one shown below:

 dnl Add a user to the list of trusted users
 define(`confTRUSTED_USERS', `bin')

Rebuild the configuration, copy it to /etc/mail/sendmail.cf, and restart sendmail. See Recipe 1.8.

Discussion

The users identified in the sendmail.cf file by T commands are allowed to override the sender address, and they are allowed to rebuild the aliases database. Limit the users identified by T commands to only those UIDs needed for important mail delivery programs that actually use the sendmail command with the -f switch to deliver mail. The rmail program is a good example. It runs using uucp as its UID. Mail delivered by rmail would appear to come from the user uucp if it did not use the -f switch to change the sender address to the address of the person who really sent the mail. For this reason, uucp is included in the default sendmail configuration as one of the trusted users, as this grep shows:

 # grep '^T' generic-linux.cf
 Troot
 Tdaemon
 Tuucp

The confTRUSTED_USERS define does not override the trusted users list found in the default configuration; it adds to it. A grep of this recipe's configuration file shows this:

 # grep '^T' sendmail.cf
 Troot
 Tdaemon
 Tuucp
 Tbin

The confTRUSTED_USERS define identifies those users that are allowed:

  • To use sendmail's -f command-line switch to override the sender address.

  • To use the -bi option to rebuild the aliases file.

  • To use an alternative queue directory without an X-Authentication-Warning.

  • To change the syslog label without generating a warning.

Using confTRUSTED_USERS reduces security by adding to the list of users granted a special privilege. Avoid using it except when it is required to get a mail delivery program running. We do not recommend adding bin to the trusted users list; exactly the opposite is true.

Use care when entering the confTRUSTED_USERS define. confTRUSTED_USER, without an "S" on the end, is a different security setting; see Recipe 10.13 for information about confTRUSTED_USER.
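The grep check used in this discussion can be made into a repeatable audit that flags any trusted user beyond the default list. The script below is an added example, not code from the book; the baseline of root, daemon and uucp comes from the default configuration shown above, while the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the T commands of a sendmail.cf against a baseline.

# Baseline: the trusted users the default configuration on this page contains.
BASELINE="root daemon uucp"

# list_trusted FILE: print each trusted user once, one per line.
# A single T command may name several users separated by whitespace.
list_trusted() {
    awk '/^T/ { sub(/^T[ \t]*/, ""); for (i = 1; i <= NF; i++) print $i }' "$1" |
        sort -u
}

# extra_trusted FILE: print the trusted users missing from BASELINE,
# space-separated on one line (empty output means nothing was added).
extra_trusted() {
    list_trusted "$1" | while read -r user; do
        case " $BASELINE " in
            *" $user "*) ;;                 # expected default, ignore
            *) printf '%s\n' "$user" ;;     # added via confTRUSTED_USERS
        esac
    done | tr '\n' ' ' | sed 's/ $//'
}

# audit_trusted FILE: return 0 when only baseline users are trusted, else 1.
audit_trusted() {
    extras=$(extra_trusted "$1")
    if [ -n "$extras" ]; then
        echo "WARNING: $1 trusts non-default users: $extras" >&2
        return 1
    fi
    echo "OK: $1 trusts only: $BASELINE"
}

# Constructed sample reproducing this recipe's grep output (Tbin was added).
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
printf 'Troot\nTdaemon\nTuucp\nTbin\n' > "$sample"

# Audit the file given as the first argument, or the sample if none is given.
audit_trusted "${1:-$sample}" || echo "Review confTRUSTED_USERS in the .mc file."
```

Run it with /etc/mail/sendmail.cf as the argument after each rebuild; a nonzero result from audit_trusted means a user outside the baseline can use -f and -bi.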

See Also

The sendmail book discusses trusted users in Section 10.8.1.1.



Sendmail Cookbook
ISBN: 0596004710
EAN: 2147483647
Year: 2005
Pages: 178
Authors: Craig Hunt
