I. Description
Sendmail is often run in daemon mode so that it can "listen" for
incoming mail connections on the standard SMTP networking port, usually
port 25. The root user is the only user allowed to start sendmail this
way, and sendmail contains code intended to enforce this restriction.
Unfortunately, due to a coding error, sendmail can be invoked in daemon
mode in a way that bypasses the built-in check. When the check is
bypassed, any local user is able to start sendmail in daemon mode. In
addition, as of version 8.7, sendmail will restart itself when it
receives a SIGHUP signal. It restarts by re-executing itself using the
exec(2) system call, and the re-execution is done as the root user. By
manipulating the sendmail environment, the user can then have sendmail
execute an arbitrary program with root privileges.
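
The defensive pattern this description points to, as an added example that is not sendmail's code and not part of the original advisory: gate daemon mode on the real uid in one place, and on SIGHUP re-exec only a saved absolute path with a rebuilt environment. All function names, the variable allowlist and the fixed PATH are assumptions made for illustration.

```c
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper names; the allowlist and fixed PATH are assumptions. */
static const char *const keep_env[] = { "TZ", NULL };
static char fixed_path[] = "PATH=/usr/bin:/bin";

/* One gate, keyed on the real uid, for every route into daemon mode. */
int may_run_daemon(uid_t real_uid) { return real_uid == 0; }

/* Accept only an absolute path with no ".." in it, so the restart target
 * does not depend on PATH or the current directory (deliberately strict). */
int restart_path_ok(const char *path)
{
    return path != NULL && path[0] == '/' && strstr(path, "..") == NULL;
}

/* Fill out[] with the fixed PATH plus allowlisted variables from envp.
 * Returns the entry count, excluding the terminating NULL. */
size_t build_clean_env(char *const envp[], char *out[], size_t max)
{
    size_t n = 0;
    if (max < 2) { if (max) out[0] = NULL; return 0; }
    out[n++] = fixed_path;
    for (size_t i = 0; envp != NULL && envp[i] != NULL; i++)
        for (size_t k = 0; keep_env[k] != NULL; k++) {
            size_t len = strlen(keep_env[k]);
            if (n + 1 < max && strncmp(envp[i], keep_env[k], len) == 0
                && envp[i][len] == '=')
                out[n++] = envp[i];
        }
    out[n] = NULL;
    return n;
}

/* SIGHUP restart: refuse unless the process was started by root and the
 * saved path is safe, then re-exec with the rebuilt environment. */
int restart_self(uid_t start_uid, const char *path,
                 char *const argv[], char *const envp[])
{
    char *env[8];
    if (!may_run_daemon(start_uid) || !restart_path_ok(path))
        return -1;
    build_clean_env(envp, env, 8);
    execve(path, argv, env);
    return -1; /* reached only if execve failed */
}
```

The uid passed to restart_self should be the one recorded at startup, before any privilege changes, so a restart cannot grant more than the original invocation was entitled to.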