The
aliases
file can easily be used to gain privileged status if it is wrongly or carelessly administered. In addition to proper permissions and ownership you should be aware of potentially harmful entries that you may have inherited from the vendor or previous administrators. For example, many vendors used to ship systems with a
decode
alias in the
aliases
file. This practice is becoming less common.
# you may wish to comment this out for security decode: |/usr/bin/guudecode
The intention is to provide an easy way for users to transfer binary files using mail. At the sending site the user converts the binary to ASCII with
uuencode
(1), then mails the result to the
decode
alias at the receiving site. That alias pipes the mail message through the
/usr/bin/uudecode
program, which converts the ASCII back into the original binary file.
The
uudecode
(1) program takes the name of the file to create from the file it is decoding. That information is in the
begin
line, used by
uudecode
. For example, here's an attempt to use
uudecode
(1) to place a bogus queue file directly into the
sendmail
queue:
begin 777 /var/spool/mqueue/qfAA12345
Here, the
begin
tells
uudecode
to begin conversion. The
777
is the permissions to give to the file that will be created. That is followed by the full pathname of the file. If the queue directory were wrongly owned by
daemon
, any outsider could create a bogus queued message at your site.
Some versions of
uudecode
(such as the one with SunOS) will create
suid
files. That is, a
begin
line like the following can be used to create an
suid
daemon
shell in
/tmp
:
begin 4777 /tmp/sh
The
decode
alias should be removed from all
aliases
files. Similarly, every alias that executes a program - that you did not place there yourself and check completely - should be questioned and probably removed.
The aliases (5) file is often stored in dbm (3) or db (3) database format for faster lookups. The database files live in the same directory as the aliases file. For all versions of sendmail they are called aliases.dir and aliases.pag (but for V8 sendmail , only a single database file might exist and be called aliases.db ).
It is useless to protect the aliases (5) file if you do not protect its corresponding database files. If the database files are not protected, the attacker can create a private aliases file and then run
%/usr/lib/sendmail -oA./aliases -bi
This causes sendmail to build ./aliases database files in the current directory. The attacker then copies those bogus database files over the unprotected system originals. The sendmail program never detects the change, because the database files appear to be newer than the aliases file.
Note also that the aliases file and its database files must be owned by root , and writable only by root . They must live in a directory, every path component of which is owned by and writable only by root .