COMMAND

    sendmail

SYSTEMS AFFECTED

    Systems running sendmail 8.8.3

PROBLEM

    If you set:
    DefaultUser to 99:6
    RunAsUser to 99

    sendmail does this, but it does *NOT* reset the supplementary group
    list: the child keeps every group the root-owned parent held.

    On Solaris 2.5.1 you can see the process credentials with pcred(1),
    /usr/proc/bin/pcred:

    (root) # ps -aef |fgrep sendmail
    smtpuser  3200  3199  0 13:53:17 ?        0:00 /usr/lib/sendmail -bd -q1h
        root  3199     1  0 13:53:16 ?        0:00 /usr/lib/sendmail -bd -q1h

    (root) # /usr/proc/bin/pcred 3200
    3200:   e/r/suid=99  e/r/sgid=6
            groups: 1 0 2 3 4 5 6 7 8 9 12

    (root) # /usr/proc/bin/pcred 3199
    3199:   e/r/suid=0  egid=6 rgid=1 sgid=6
            groups: 1 0 2 3 4 5 6 7 8 9 12

    This one is not too terribly important: the daemon listens on the
    socket and, when it gets a connection, does the setuid/setgid and
    handles the connection.  But the group list is carried over
    unchanged, and that should not happen.
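As an added check, not part of the advisory, the script below parses pcred(1) output of the kind shown above and compares the process's supplementary group list with what initgroups(3) would build for its effective user from /etc/passwd and /etc/group. The pcred text is the advisory's own output for pid 3200; the passwd and group fragments are constructed sample data (in real use they would be read from the live system). A daemon that drops privileges correctly calls setgroups()/initgroups() before setgid()/setuid(), so the expected result for the child is an empty list of stale groups; for the 8.8.3 daemon it is not.

```python
"""Compare a process's supplementary groups (from pcred output) with the
groups its effective user should hold according to /etc/passwd and /etc/group."""
import re

# Advisory's pcred output for the child sendmail process (pid 3200).
SAMPLE_PCRED = (
    "3200:   e/r/suid=99  e/r/sgid=6\n"
    "        groups: 1 0 2 3 4 5 6 7 8 9 12\n"
)

# Constructed /etc/passwd and /etc/group fragments (sample data, not from the advisory).
SAMPLE_PASSWD = (
    "root:x:0:1:Super-User:/:/sbin/sh\n"
    "smtpuser:x:99:6:sendmail daemon:/:/bin/false\n"
)
SAMPLE_GROUP = (
    "root::0:root\n"
    "other::1:\n"
    "bin::2:root,bin,daemon\n"
    "sys::3:root,bin,sys,adm\n"
    "adm::4:root,adm,daemon\n"
    "uucp::5:root,uucp\n"
    "mail::6:root,smtpuser\n"
    "tty::7:root,tty,adm\n"
    "lp::8:root,lp,adm\n"
    "nuucp::9:root,nuucp\n"
    "daemon::12:root,daemon\n"
)


def parse_pcred(text):
    """Return (euid, egid, supplementary group set) from pcred(1) output.

    Accepts the collapsed 'e/r/suid=99 e/r/sgid=6' form (all three ids equal)
    and the split 'egid=6 rgid=1 sgid=6' form shown for the parent process.
    """
    euid = egid = None
    groups = set()
    for line in text.splitlines():
        m = re.search(r"\b(?:e/r/suid|euid)=(\d+)", line)
        if m:
            euid = int(m.group(1))
        m = re.search(r"\b(?:e/r/sgid|egid)=(\d+)", line)
        if m:
            egid = int(m.group(1))
        m = re.match(r"\s*groups:\s*(.*)$", line)
        if m:
            groups = {int(g) for g in m.group(1).split()}
    if euid is None or egid is None:
        raise ValueError("no credential line found in pcred output")
    return euid, egid, groups


def expected_groups(uid, passwd_text, group_text):
    """Groups a user should hold: the primary gid from passwd plus every group
    that lists the user as a member. This is what initgroups(3) computes."""
    name = primary = None
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) >= 4 and f[2].isdigit() and int(f[2]) == uid:
            name, primary = f[0], int(f[3])
            break
    if name is None:
        raise KeyError("uid %d not in passwd data" % uid)
    wanted = {primary}
    for line in group_text.splitlines():
        f = line.split(":")
        if len(f) >= 4 and name in f[3].split(","):
            wanted.add(int(f[2]))
    return name, wanted


def stale_groups(pcred_text, passwd_text, group_text):
    """Supplementary groups the process holds that its effective user should not.
    An empty list means the group list was reset when privileges were dropped."""
    euid, _egid, held = parse_pcred(pcred_text)
    _name, wanted = expected_groups(euid, passwd_text, group_text)
    return sorted(held - wanted)


if __name__ == "__main__":
    euid, _, held = parse_pcred(SAMPLE_PCRED)
    name, wanted = expected_groups(euid, SAMPLE_PASSWD, SAMPLE_GROUP)
    print("uid %d (%s) should hold %s" % (euid, name, sorted(wanted)))
    print("process holds          %s" % sorted(held))
    print("stale groups           %s" % stale_groups(SAMPLE_PCRED, SAMPLE_PASSWD, SAMPLE_GROUP))
```

With the constructed group file, the list built for root is exactly the list the child still holds, which is the advisory's point: the child's groups were inherited from the root-owned parent rather than rebuilt for uid 99.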

    When  delivering  mail  to  a  program  listed  in  a  .forward or
    :include: file,  that program  is run  with the  group permissions
    possessed by the  owner of that  .forward or :include:  file.  The
    owner  of  the  file  is  used  to  initialize  the  list of group
    permissions that are in force when the program is run.  This  list
    is determined by scanning the /etc/group file.

    It is possible to attain group permissions you should not have  by
    linking to a file that is owned by someone else, but on which  you
    have  group  write  permissions.   By  changing  that file you can
    acquire the group permissions of the owner of that file.

    An attacker  can gain  group permissions  of another  user, if the
    attacked user has a file that is group writable by the attacker on
    the same filesystem as  either (a) the attacker's  home directory,
    or  (b)  a  :include:  file  that  is referenced directly from the
    aliases file and  is in   a directory writable  by  the  attacker.
    The  first (.forward) attack only works against root.  N.B.:  this
    attack does not give you  root "owner" permissions, but does  give
    you access to the groups that list root in /etc/group.

SOLUTION

    Set the UnsafeGroupWrites  option in the  sendmail.cf file.   This
    option  tells  sendmail  that  group-writable  files should not be
    considered  safe  for  mailing  to  programs or files. This causes
    sendmail  to   refuse  to   run  any   programs  referenced   from
    group-writable files.  Setting this  option is a good idea  in any
    case,  but  may  require  that  your  users tighten permissions on
    their .forward files and :include: files.

    The command "find <filesystem> -user root -type f -perm -020 -print"
    will print the  names of all  files owned by  root that are  group
    writable on the given <filesystem>.
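The following script is an added example, not part of the advisory, that audits both recommendations: it checks a sendmail.cf text for an "O UnsafeGroupWrites" line that enables the option, and it lists group-writable regular files owned by a given uid under a directory tree, which is what the find command above prints for root. It generalizes the find command to any owner, since the :include: variant of the attack targets non-root users as well. The file paths in the usage block are examples; the self_check() function builds a constructed temporary tree so the audit can be exercised offline.

```python
"""Audit the two controls the advisory recommends: UnsafeGroupWrites in
sendmail.cf, and the absence of group-writable files for a given owner."""
import os
import re
import stat
import sys
import tempfile


def unsafe_group_writes_set(cf_text):
    """True if an 'O UnsafeGroupWrites=...' line in sendmail.cf enables the option.

    sendmail reads a missing value, or one starting with 1, t, T, y or Y, as true.
    Lines starting with '#' are comments; the pattern is anchored at the start
    of the line, so they never match.
    """
    for line in cf_text.splitlines():
        m = re.match(r"O\s*UnsafeGroupWrites\s*(?:=\s*(\S*))?\s*$", line, re.IGNORECASE)
        if m:
            value = m.group(1) or ""
            return value == "" or value[0] in "1tTyY"
    return False


def group_writable_files(root_dir, owner_uid):
    """Regular files under root_dir owned by owner_uid with the group-write
    bit set: the same set 'find <fs> -user <owner> -type f -perm -020' prints."""
    hits = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)   # lstat: do not follow symlinks, as find does
            except OSError:
                continue
            if (stat.S_ISREG(st.st_mode) and st.st_uid == owner_uid
                    and st.st_mode & stat.S_IWGRP):
                hits.append(path)
    return sorted(hits)


def self_check():
    """Create a constructed tree with one group-writable file and one that is
    not, both owned by the current user, and return the names the audit flags."""
    base = tempfile.mkdtemp(prefix="gw-audit-")
    try:
        for name, mode in ((".forward", 0o664), ("members", 0o644)):
            path = os.path.join(base, name)
            with open(path, "w") as fh:
                fh.write("sample\n")
            os.chmod(path, mode)
        return [os.path.basename(p) for p in group_writable_files(base, os.getuid())]
    finally:
        for name in os.listdir(base):
            os.unlink(os.path.join(base, name))
        os.rmdir(base)


if __name__ == "__main__":
    # Usage: audit.py /etc/sendmail.cf /    (example paths; adjust to the host)
    cf_path = sys.argv[1] if len(sys.argv) > 1 else "/etc/sendmail.cf"
    fs = sys.argv[2] if len(sys.argv) > 2 else "/"
    with open(cf_path) as fh:
        print("UnsafeGroupWrites enabled:", unsafe_group_writes_set(fh.read()))
    for path in group_writable_files(fs, 0):   # uid 0: root-owned, as in the advisory
        print(path)
```

If the .cf is generated from an m4 master file, the equivalent setting there is define(`confUNSAFE_GROUP_WRITES', `True'); the check above looks only at the generated sendmail.cf, which is what sendmail actually reads.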

    Sendmail 8.8.4 also  fixes a denial  of service attack.   It would
    be very wise to get the latest version of sendmail (8.8.4, released
    on 4th December).