COMMAND

    mail.local

SYSTEMS AFFECTED

    Systems running sendmail up to 8.9.1 (with mail.local)

PROBLEM

    Michal Zalewski found the following.  mail.local, the local setuid
    mail delivery program included in recent packages, introduces a new
    class of local bugs, from DoS attacks to security compromises.

    For example, it creates a unique temporary file in /tmp as UID 0 (no
    comment), opens it and unlinks it, then blindly writes every line
    read from fd 0 to this file.  So, to eat the whole disk space,
    ignoring sendmail.cf settings (because mail.local won't parse it at
    all), an attacker would run mail.local, catch the tmp file creation,
    hard-link it to /tmp/other_file, then redirect a lot of junk text
    to its fd 0.  But that's not all.  Using 'mail.local -f sender
    recipient', local users are able to put **anything** into the
    mailboxes of other users.  This cute program simply allows creating
    and writing to files in /var/mail with virtually no restrictions.
    Aliases are not expanded, so an attacker can even *create* mailboxes
    for accounts like 'nobody' and fill them with hundreds of megabytes
    of junk.  It won't even record basic auth information, except the
    'From xxx' line at the beginning... But that can be altered with the
    '-f' switch.

    Arbitrary headers are allowed, opening potential security
    compromises with dumb mail clients.  Additionally, by providing
    specific data as 'sender', the mailbox may be left in an unusable
    state - e.g. pine won't open it, saying it's 'Not in mailbox format'.

SOLUTION

    A  fix  would  be  to  use  procmail,  or /bin/mail, or some other
    program for  local mail  delivery.   It is  also possible  to make
    sure that mail.local (or any  other mail delivery program) can  be
    used only by sendmail.  Assuming that program was setuid root:

    1) drop setuid bit
        chmod u-s /usr/libexec/mail.local

    2) add
        define(`LOCAL_MAILER_FLAGS',LOCAL_MAILER_FLAGS`S')

       to your *.mc file before the

        MAILER(local)

       line.

    Alternatively, add just

        FEATURE(local_lmtp)

    before the MAILER(local) line (the 'S' flag is already defined by
    FEATURE(local_lmtp), so it does not need to be added).  The S flag
    causes sendmail to call the local mailer as root, so the mailer
    itself does not need to be setuid root.
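
    A check that both steps of the fix above are in place, added here as
    an example (not part of the original advisory or of sendmail).  The
    function names are hypothetical, and the mail.local binary and *.mc
    paths are supplied by the caller.

```shell
#!/bin/sh
# Added audit example. Function names are hypothetical; paths come from the caller.

# is_setuid FILE: true if FILE still carries the setuid bit (step 1 not applied).
is_setuid() {
    [ -u "$1" ]
}

# mc_runs_local_as_root MCFILE: true if, before the MAILER(local) line, the
# file appends S to LOCAL_MAILER_FLAGS or enables FEATURE(local_lmtp).
mc_runs_local_as_root() {
    awk '
        $1 ~ /^dnl/ { next }                       # ignore m4 comment lines
        /define\(.?LOCAL_MAILER_FLAGS/ {
            v = $0
            sub(/^[^,]*,/, "", v)                  # keep only the new value
            gsub(/LOCAL_MAILER_FLAGS/, "", v)      # drop the macro name itself
            if (v ~ /S/) ok = 1
        }
        /FEATURE\(.?local_lmtp.?\)/ { ok = 1 }
        /MAILER\(.?local.?\)/ { exit }             # later lines come too late
        END { exit (ok ? 0 : 1) }
    ' "$1"
}

# audit_mail_local BINARY MCFILE: prints findings; return status = finding count.
audit_mail_local() {
    findings=0
    if is_setuid "$1"; then
        echo "FINDING: $1 is setuid, so local users can run it directly"
        findings=$((findings + 1))
    fi
    if ! mc_runs_local_as_root "$2"; then
        echo "FINDING: $2 has no S flag or local_lmtp before MAILER(local)"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Stand-alone use: sh audit.sh /path/to/mail.local /path/to/site.mc
if [ "$#" -eq 2 ]; then
    audit_mail_local "$1" "$2"
fi
```

    The exit status is the number of findings, so 0 means the binary is
    no longer setuid and the *.mc file makes sendmail run it as root.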