Add a new make.conf knob, SENDMAIL_MAP_PERMS, which specifies the

permissions to use for alias and map database files built by
/etc/mail/Makefile.  The default is 0640 to assist users in avoiding
a file locking local denial of service.

MFC after:	1 day
		pending RE approval

etc/mail/Makefile

@@ -101,6 +101,9 @@ SENDMAIL?=		/usr/sbin/sendmail
 MAKEMAP?=		/usr/sbin/makemap
 M4?=			/usr/bin/m4
 
+# Permissions for generated maps
+SENDMAIL_MAP_PERMS?=	0640
+
 # Set a reasonable default
 .MAIN:	all
 
@@ -134,10 +137,12 @@ ${_f}:		${_f}.sample
 
 ${_f}.db:	${_f}
 	${MAKEMAP} ${SENDMAIL_MAP_TYPE} ${.TARGET} < ${.OODATE}
+	chmod ${SENDMAIL_MAP_PERMS} ${.TARGET}
 .endfor
 
 userdb.db:	userdb
 	${MAKEMAP} btree ${.TARGET} < ${.OODATE}
+	chmod ${SENDMAIL_MAP_PERMS} ${.TARGET}
 
 
 #
@@ -160,6 +165,7 @@ M4FILES!=	find ${SENDMAIL_CF_DIR} -type f -name '*.m4' -print
 #
 ${SENDMAIL_ALIASES}.db:	${SENDMAIL_ALIASES}
 	${SENDMAIL} -bi
+	chmod ${SENDMAIL_MAP_PERMS} ${.TARGET}
 
 #
 # ------------------------------------------------------------------------

share/examples/etc/make.conf

@@ -301,3 +301,8 @@
 # information.
 #
 #SENDMAIL_SET_USER_ID=
+#
+# The permissions to use on alias and map databases generated using
+# /etc/mail/Makefile.  Defaults to 0640.
+#
+#SENDMAIL_MAP_PERMS=

share/man/man5/make.conf.5

@@ -567,6 +567,11 @@ and do not install
 Use of this flag is not recommended and the alternative advice in
 .Pa /etc/mail/README
 should be followed instead if at all possible.
+.It Va SENDMAIL_MAP_PERMS
+.Pq Vt str
+Mode to use when generating alias and map database files using
+.Pa /etc/mail/Makefile .
+The default value is 0640.
 .It Va WANT_FORCE_OPTIMIZATION_DOWNGRADE
 .Pq Vt int
 Causes the system compiler to be built such that it forces high optimization