Okay, how fucked-up is this:
Sendmail complains that the map files (aliases and access) are "unsafe" and thus can’t be opened. After some internet searching, I found that sendmail takes a look at the permissions of those files and all parent directories.
Good, fixing them and - nothing…
It took me quite a while to find out that it ceases operation because "/" wasn’t readable/executable for group and others… WTF?!?
(Of course, any kind of debugging output I got out of sendmail was entirely non-obvious... how about letting your software state where the problem lies if you decide it should stop working at all?)
Update: seems like certain services in SMF are vulnerable to this, too (rpc/bind, ldap/client, maybe others). Neat way to totally annoy your co-admins.
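
A way to see the whole chain at once instead of fixing one directory at a time: the helper below is an added example, not part of the original post. It prints the mode of a map file and of every parent directory up to "/" and marks directories lacking r-x for group or others. The function names are made up for this example, and the group/other write-bit check is an extra assumption about what a strict path check rejects, not something the post reports.

```shell
#!/bin/sh
# Added diagnostic example (constructed): show the mode of a file and of every
# parent directory up to "/", marking components a strict path check may reject.

# mode_issues MODE  -- MODE is the first 10 characters of `ls -ld` output.
# Prints a space-separated list of findings (empty line if none).
mode_issues() {
    m=$1; issues=""
    type=$(printf '%s' "$m" | cut -c1)
    if [ "$type" = "l" ]; then echo ""; return 0; fi   # symlink bits mean nothing
    if [ "$type" = "d" ]; then
        # The case from the post: a directory without r-x for group or others.
        case $(printf '%s' "$m" | cut -c5,7)  in r[xs]) ;; *) issues="group-no-rx" ;; esac
        case $(printf '%s' "$m" | cut -c8,10) in r[xt]) ;; *) issues="${issues:+$issues }other-no-rx" ;; esac
    fi
    # Assumption added here: writable-by-group/others is also worth flagging.
    if [ "$(printf '%s' "$m" | cut -c6)" = "w" ]; then issues="${issues:+$issues }group-writable"; fi
    if [ "$(printf '%s' "$m" | cut -c9)" = "w" ]; then issues="${issues:+$issues }other-writable"; fi
    printf '%s\n' "$issues"
}

# check_path /absolute/path -- returns 0 if clean, 1 if anything was flagged,
# 2 on usage or stat errors.
check_path() {
    p=$1; rc=0
    case $p in /*) ;; *) echo "need an absolute path: $p" >&2; return 2 ;; esac
    while :; do
        mode=$(ls -ld "$p" 2>/dev/null | cut -c1-10)
        if [ -z "$mode" ]; then echo "$p: cannot stat" >&2; return 2; fi
        found=$(mode_issues "$mode")
        if [ -n "$found" ]; then
            printf 'UNSAFE %s %s (%s)\n' "$mode" "$p" "$found"; rc=1
        else
            printf 'ok     %s %s\n' "$mode" "$p"
        fi
        if [ "$p" = "/" ]; then break; fi
        p=$(dirname "$p")
    done
    return $rc
}

# Usage: sh checkpath.sh /etc/mail/aliases /etc/mail/access
for f in "$@"; do check_path "$f"; done
```

Run it against each map file; the last line of output is always "/", which is where the problem in this post was hiding.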