At Berkeley we have the alias database (/etc/aliases*) mode 644. While this is not as flexible as if the database were more 666, it avoids potential security problems with a globally writable database.
The database that sendmail actually used is represented by the two files aliases.dir and aliases.pag (both in /etc) (or aliases.db if you are running with the new Berkeley database primitives). The mode on these files should match the mode on /etc/aliases. If aliases is writable and the DBM files ( aliases.dir and aliases.pag) are not, users will be unable to reflect their desired changes through to the actual database. However, if aliases is read-only and the DBM files are writable, a slightly sophisticated user can arrange to steal mail anyway.
If your DBM files are not writable by the world or you do not have auto-rebuild enabled (with the AutoRebuildAliases option), then you must be careful to reconstruct the alias database each time you change the text version: