Bugtraq mailing list archives

Re: Sendmail up to 8.9.1 - mail.local introduces new class of


From: hurtta+zz2 () OZONE FMI FI (Kari E. Hurtta)
Date: Wed, 12 Aug 1998 11:50:22 +0300


Brett Lymn:
According to Jonathan Stott:

A better fix would be to use procmail, or /bin/mail, or some other
program for local mail delivery.


A lot of people have been recommending putting procmail in to perform
filtering of mail as an adjunct to sendmail.  I did a quick grep for
the notorious strc{at,py} commands in the procmail source and found
quite a few.  I have not analysed the code but people putting in
filters now to prevent the recent problems with mime et al could be
(I said _could_be_) leaving themselves open for a more subtle exploit
later on via procmail overflows.

It is also possible to make sure that mail.local (or any other
mail delivery program) can be used only by sendmail:


Assuming that program was setuid root:
        1) drop setuid bit

                chmod u-s /usr/libexec/mail.local

        2) add

                define(`LOCAL_MAILER_FLAGS',LOCAL_MAILER_FLAGS`S')

           to your *.mc file before

                MAILER(local)

           -line.


           Alternatively add just

                FEATURE(local_lmtp)

           before MAILER(local)
           -line (the 'S' flag is already defined by FEATURE(local_lmtp),
           so it does not need to be added).

           That S flag causes sendmail to call the local mailer as root.
           So the mailer itself does not need to be setuid root.


           Summary:

                If you use

                        FEATURE(local_lmtp)

                /usr/libexec/mail.local does not need to be setuid root.


/ Kari Hurtta
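
The two steps from the message above, written as a check (an added example, not part of the original post). It reports whether the delivery agent still carries the setuid bit and whether the .mc file sets the S flag, directly or through FEATURE(local_lmtp), before MAILER(local). The function names and the .mc file location are assumptions; both paths are passed as arguments.

```sh
#!/bin/sh
# Added example: audits the two steps from the message above.
# Paths are passed as arguments; the .mc file name is an assumption.

# Step 1: true when the delivery agent exists and has no setuid bit.
setuid_cleared() {
    [ -e "$1" ] && [ ! -u "$1" ]
}

# Step 2: true when, before MAILER(local), the .mc file either enables
# FEATURE(local_lmtp) or redefines LOCAL_MAILER_FLAGS with an S in it.
mc_sets_s_flag() {
    awk '
        /^[ \t]*dnl/ { next }                      # skip m4 comment lines
        /FEATURE\(.?local_lmtp/ { ok = 1 }
        /define\(.LOCAL_MAILER_FLAGS.,/ {
            v = $0
            sub(/^[^,]*,/, "", v)                  # keep the value argument
            gsub(/LOCAL_MAILER_FLAGS/, "", v)      # drop the macro name itself
            if (v ~ /S/) ok = 1
        }
        /MAILER\(.?local.?\)/ { seen = 1; exit }   # order matters: stop here
        END { exit !(seen && ok) }
    ' "$1"
}

audit_local_mailer() {
    bin=$1; mc=$2; rc=0
    if setuid_cleared "$bin"; then
        echo "ok:   $bin is not setuid"
    else
        echo "FAIL: $bin is missing or still setuid (chmod u-s)"; rc=1
    fi
    if mc_sets_s_flag "$mc"; then
        echo "ok:   $mc sets the S flag before MAILER(local)"
    else
        echo "FAIL: $mc has no S flag before MAILER(local)"; rc=1
    fi
    return $rc
}

if [ $# -eq 2 ]; then audit_local_mailer "$1" "$2"; fi
```

Run it as `sh audit.sh /usr/libexec/mail.local your-config.mc`; a non-zero exit status means at least one of the two steps is not in place.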


