rickert@mp.cs.niu.edu (Neil Rickert) (03/28/91)
I won't quote. Read the References if you want to see related comments.

As stated earlier, it is potentially dangerous to use 'F' lines in sendmail.cf to read sensitive files, such as /usr/lib/uucp/L.sys (or whatever your UUCP systems file is called). Some vendors unwisely distribute configurations with such an entry, as it provides a simple way of ensuring that all UUCP neighbors are known to sendmail. However, potentially sensitive information such as passwords will leak into publicly accessible information such as the configuration freeze file (sendmail.fc), and any core dumps taken by sendmail.

Since I originally mentioned this, some postings have questioned the severity of the problem, claiming that mode 0600 on sendmail.fc is an adequate protection. (The 'References:' line will direct you to some of the arguments made.)

Given the importance of the issue, it is my tentative plan to post, in about one week's time, details of how to coerce sendmail into providing a core dump containing the sensitive information.

HOW TO PROTECT YOURSELF.

Examine 'sendmail.cf' for lines beginning with 'F' in column 1. The general format is

    Fx/full/path/to/file

where the 'x' could be any letter, usually upper case. Unless there is a sensitive file (such as your UUCP systems file), you have no concern.

If there is a sensitive file, extract the mail-related non-sensitive information from that file and place it in another file. For example, you could redirect the output of 'uuname' to the file /usr/lib/uucp/uunodes, and use the latter file in place of the L.sys file in your configuration setup.

--
=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=
Neil W. Rickert, Computer Science <rickert@cs.niu.edu>
Northern Illinois Univ.
DeKalb, IL 60115 +1-815-753-6940
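The check described in the post above can be scripted. This is an added example, not part of the original posting or of sendmail. It assumes that a referenced file counts as sensitive when it is named like a UUCP systems file (L.sys, Systems) or is not world-readable; the function names and the report format are made up for the illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit 'F' lines in a sendmail.cf.
# Assumption: a file that is not world-readable, or is named like a UUCP
# systems file (L.sys, Systems), is "sensitive" in the sense of the post.

# list_f_lines CF: print "class path" for each F line starting in column 1.
# Accepts Fx/path and Fx /path; anything after the path is ignored.
list_f_lines() {
    sed -n 's|^F\(.\)[[:space:]]*\(/[^[:space:]]*\).*$|\1 \2|p' "$1"
}

# classify PATH: print SENSITIVE, MISSING or ok for one referenced file.
classify() {
    [ -e "$1" ] || { echo MISSING; return; }
    case "${1##*/}" in
        L.sys|Systems) echo SENSITIVE; return ;;
    esac
    # ls -ldL follows symlinks; character 8 of the mode string is "other read".
    mode=$(ls -ldL "$1" | cut -c1-10)
    case "$mode" in
        ???????r??) echo ok ;;
        *)          echo SENSITIVE ;;
    esac
}

# audit_cf CF: one report line per F line; returns 1 if any is SENSITIVE.
audit_cf() {
    status=0
    while read -r class path; do
        [ -n "$path" ] || continue
        verdict=$(classify "$path")
        echo "class=$class file=$path $verdict"
        if [ "$verdict" = SENSITIVE ]; then status=1; fi
    done <<EOF
$(list_f_lines "$1")
EOF
    return $status
}

# Usage: sh audit_f.sh /path/to/sendmail.cf
[ $# -eq 0 ] || audit_cf "$1"
```

A non-zero exit status means at least one 'F' line points at a file whose contents should be moved to a non-sensitive extract, such as the 'uuname' output file the post suggests.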
piet@cwi.nl (Piet Beertema) (04/03/91)
> As stated earlier, it is potentially dangerous to use 'F' lines in sendmail.cf to read sensitive files, such as /usr/lib/uucp/L.sys (or whatever your UUCP systems file is called).

Depends. If you're running 5.64 or older *and* if you do *not* have

    #define SCANF 1

in your conf.h, then indeed sensitive information can end up in your frozen config file. This is no longer the case in 5.65/IDA-1.4.2 and later, since SCANF is effectively always enabled.

--
Piet Beertema, CWI, Amsterdam (piet@cwi.nl)