|
|
There are several files involved with sendmail that can have a number of modes. The modes depend on the functionality you want and the level of security you require.
Sendmail is normally installed setuid to root. At the point where it is about to exec(S) a mailer, it checks to see if the userid is zero (root); if so, it resets the userid and groupid to a default (set by the U= equate in the mailer line; if that is not set, the DefaultUser option is used). This can be overridden by setting the S flag to the mailer for mailers that are trusted and must be called as root. However, this will cause mail processing to be accounted to root rather than to the user sending the mail.
If you don't make sendmail setuid to root, it will still run but you lose a lot of functionality and a lot of privacy, since you'll have to make the queue directory world readable. You could also make sendmail setuid to some pseudo-user (for example, create a user called sendmail and make sendmail setuid to that) which will fix the privacy problems but not the functionality issues. It also introduces problems on some operating systems if sendmail needs to give up the setuid special privileges. Also, this isn't a guarantee of security: for example, root occasionally sends mail, and the daemon often runs as root. Note however that sendmail must run as root or the trusted user in order to create the SMTP listener socket.
A middle ground is to make sendmail setuid to root, but set the RunAsUser option. This causes sendmail to become the indicated user as soon as it has done the startup that requires root privileges (primarily, opening the SMTP socket). If you use RunAsUser, the queue directory (normally /var/spool/mqueue) should be owned by that user, and all files and databases (including user .forward files, alias files, :include: files, and external databases) must be readable by that user. Also, since sendmail will not be able to change it's uid, delivery to programs or files will be marked as unsafe, that is, undeliverable, in .forward, aliases, and :include: files. Administrators can override this by setting the DontBlameSendmail option to the setting NonRootSafeAddr. RunAsUser is probably best suited for firewall configurations that don't have regular user logins.