COMMAND
sendmail
SYSTEMS AFFECTED
Systems running sendmail 8.8.3
PROBLEM
When delivering mail to a program listed in a .forward or
:include: file, that program is run with the group permissions
possessed by the owner of that .forward or :include: file. The
owner of the file is used to initialize the list of group
permissions that are in force when the program is run. This list
is determined by scanning the /etc/group file.
It is possible to attain group permissions you should not have by
linking to a file that is owned by someone else, but on which you
have group write permissions. By changing that file you can
acquire the group permissions of the owner of that file.
An attacker can gain the group permissions of another user if the
attacked user has a file that is group writable by the attacker on
the same filesystem as either (a) the attacker's home directory,
or (b) a :include: file that is referenced directly from the
aliases file and is in a directory writable by the attacker. The
first (.forward) attack only works against root. N.B.: this
attack does not give you root "owner" permissions, but does give
you access to the groups that list root in /etc/group. Credit for
this goes to AUSCERT and Eric Allman. Terry Kyriacopoulos
(Interlog Internet Services) and Dan Bernstein (University of
Illinois at Chicago) reported these vulnerabilities.
SOLUTION
You may upgrade to sendmail 8.8.4 or apply the following workaround,
provided by Eric Allman, the author of sendmail.
Set the UnsafeGroupWrites option in the sendmail.cf file. This
option tells sendmail that group-writable files should not be
considered safe for mailing to programs or files. This causes
sendmail to refuse to run any programs referenced from
group-writable files. Setting this option is a good idea in any
case, but may require that your users tighten permissions on
their .forward files and :include: files.
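Before setting the option it helps to know which files sendmail would
start refusing. The audit below is an added example, not part of the
original advisory or of sendmail: it lists group-writable .forward and
:include: files so their permissions can be tightened first. The
function names, the sample users and the filter path are constructed
for illustration.

```python
import os
import re
import stat
import tempfile

# Matches ":include:/path" entries in aliases-file text.
INCLUDE_RE = re.compile(r':include:\s*([^\s,"]+)')

def include_paths(aliases_text):
    """Return the :include: file paths referenced from aliases-file text."""
    paths = []
    for line in aliases_text.splitlines():
        if line.lstrip().startswith("#"):  # skip comment lines
            continue
        paths.extend(INCLUDE_RE.findall(line))
    return paths

def group_writable(paths):
    """Return (path, uid, gid, nlink) for each existing file with group-write set."""
    hits = []
    for path in paths:
        try:
            st = os.stat(path)
        except OSError:
            continue  # missing or unreadable: nothing to report
        if st.st_mode & stat.S_IWGRP:
            # nlink > 1 means the same file is reachable under another name
            hits.append((path, st.st_uid, st.st_gid, st.st_nlink))
    return hits

def demo():
    """Build a constructed layout in a temp dir and audit it."""
    root = tempfile.mkdtemp()
    modes = {"alice/.forward": 0o664, "bob/.forward": 0o600, "lists/staff": 0o660}
    for rel, mode in modes.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write('"|/usr/local/bin/filter"\n')  # constructed contents
        os.chmod(full, mode)  # explicit chmod so the umask does not matter
    aliases = "# constructed sample\nstaff: :include:%s/lists/staff\n" % root
    candidates = [os.path.join(root, u, ".forward") for u in ("alice", "bob")]
    candidates += include_paths(aliases)
    return [os.path.relpath(h[0], root) for h in group_writable(candidates)]

if __name__ == "__main__":
    for rel in demo():
        print("group-writable:", rel)
```

On a real host, pass the text of the aliases file to include_paths()
and the .forward path under each home directory to group_writable().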