Red Hat Bugzilla – Bug 3936
User Private Groups conflict with sendmail/procmail security
Last modified: 2008-05-01 11:37:51 EDT
Have just upgraded to RedHat 6.0 (i.e. sendmail 8.9.3) from
RedHat 5.2 with sendmail 8.8.7 - forwarding has stopped.
The security improvements in sendmail stop .forward files
being read from group writable directories.
However, out of the box, RedHat has User Private Groups and
a umask of 002. Sendmail complains, and won't read the
.forward file. This could be fixed with ODontBlameSendmail,
but I feel it's a more fundamental problem. UPG is secure
(ish), but sendmail can't distinguish between a secure setup
with group writable dirs and an insecure one.
See related problem with procmail.
If we change these security checks for sendmail to be more relaxed
then we face the problem of the NFS mounted directories, other setups,
No matter how we go about it somebody will get upset either that we
left the default in place or that we did not. Requiring .forward files
to have 600 permission is a sensible thing to do anyway when it comes
to security, regardless of the UPG being used.
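The conflict discussed in this report, as an added example that is not part of the bug thread and is not sendmail's code: a mode-bit check on a home directory and its .forward file, annotated with the group-membership information that such a check does not look at. The function names `group_users` and `audit_forward` are hypothetical, and the mode-only test is an assumption standing in for the sendmail behaviour the reporter describes.

```python
import grp
import os
import pwd
import stat


def group_users(gid):
    """Accounts in group gid, via primary group (passwd) or member list (group)."""
    users = {p.pw_name for p in pwd.getpwall() if p.pw_gid == gid}
    try:
        users.update(grp.getgrgid(gid).gr_mem)
    except KeyError:
        pass  # gid has no entry in the group database
    return users


def audit_forward(home):
    """Return (path, who, note) for each write bit a mode-only check would reject."""
    findings = []
    for path in (home, os.path.join(home, ".forward")):
        try:
            st = os.stat(path)
        except FileNotFoundError:
            continue  # no .forward present, nothing to report for it
        if st.st_mode & stat.S_IWOTH:
            findings.append((path, "world", "writable by every local account"))
        if st.st_mode & stat.S_IWGRP:
            try:
                owner = pwd.getpwuid(st.st_uid).pw_name
            except KeyError:
                owner = None  # uid has no passwd entry
            # Mode bits look the same for a private group and a shared one;
            # only the membership lookup tells the two setups apart.
            others = sorted(group_users(st.st_gid) - {owner})
            if others:
                note = "group shared with: " + ", ".join(others)
            else:
                note = "no other account in the owning group"
            findings.append((path, "group", note))
    return findings


if __name__ == "__main__":
    import sys
    for home in sys.argv[1:]:
        for path, who, note in audit_forward(home):
            print(f"{path}: {who}-writable ({note})")
```

Run it with one or more home directories as arguments; a directory created under umask 002 is reported as group-writable whether or not anyone else is in the group.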