The Environment
As a general rule, programs should never trust their environment. Such trust can lead to exploitation that has grave security consequences. To illustrate, consider the often misused SunOS LD_LIBRARY_PATH environment variable. Programs that use shared libraries look at this variable to determine which shared library routines they should use and in what order they should load them. One form of attack against non-set-user-id programs (such as some delivery agents) is to modify the LD_LIBRARY_PATH variable (as in a user’s ~/.forward file) to introduce Trojan horse library routines in place of the real system’s library routines. Certainly, sendmail should not pass such variables to its delivery agents.
To improve security, early versions of V8
sendmail began deleting variables from its
environment before passing them to its delivery agents. It removed
the IFS variable to protect Bourne shell-script agents and all
variables beginning with
“LD_
" to protect
all delivery agents from shared library attacks.
Beginning with V8.7, sendmail now takes the
opposite approach. Instead of trying to second-guess attackers, it
instead constructs the delivery agent environment from scratch. In
this scheme it defines the AGENT variable as
sendmail
, and the TZ variable as is appropriate
(see the TimeZoneSpec
option, TimeZoneSpec). Also, in support of operating systems that require them, it passes the ISP and SYSTYPE variables from its own environment to the delivery agent’s environment. ...
Get Sendmail, 3rd Edition now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.