sendmail, /etc/aliases command, what's supposed to happen?

[Jonathan I. Kamens]

In article <273 at shuksan.BOEING.COM>, slm at wsc-sun.boeing.com (Shamus
McBride) writes:
|>     However, when the received mail was sent from the host machine
|>     (wsc-sun), the user-id and group-id of the forked command process
|>     are set to the user-id and group-id of the sender rather than
|>     daemon. This happens even when the mail has left the local net and
|>     gone to a mail reflector at Berkeley and then come back!
|>     
|> ...
|> 
|>     Is this the way it's supposed to work?  Given a "command" as the
|>     destination of an address in /etc/aliases, under what user-id,
|>     group-id should the command process run?

  The answer to the question, "Is this the way it's supposed to work?"
depends on exactly what you mean by the words "supposed to".

  Yes, sendmail was written in such a way to make things happen as you
describe.  Yes, it was done intentionally.  Therefore, if, by "it's
supposed to work", you mean, "it was designed and written to work", then
the answer is yes.

  However, yes, many people (including myself) think its majorly
brain-dead, and I believe it's a security problem as well (I'll leave
the details to your imagination :-).

  The solution to this problem which we use around here is to make any
programs which are executed out of /usr/lib/aliases setuid to daemon or
something like that, so even if sendmail decides to run them as a random
user, it won't have any effect.

Jonathan Kamens			              USnail:
MIT Project Athena				11 Ashford Terrace
jik at Athena.MIT.EDU				Allston, MA  02134
Office: 617-253-8495			      Home: 617-782-0710