From owner-freebsd-security Wed Apr 12 13:12:12 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.10/8.6.6) id NAA22364 for security-outgoing; Wed, 12 Apr 1995 13:12:12 -0700
Received: from mpp.com (dialup-2-122.gw.umn.edu [134.84.101.122]) by freefall.cdrom.com (8.6.10/8.6.6) with ESMTP id NAA22355 for ; Wed, 12 Apr 1995 13:12:03 -0700
Received: (from mpp@localhost) by mpp.com (8.6.11/8.6.9) id PAA03812; Wed, 12 Apr 1995 15:10:13 -0500
From: Mike Pritchard
Message-Id: <199504122010.PAA03812@mpp.com>
Subject: Re: cvs commit: src/usr.sbin/cron/cron do_command.c
To: ache@freefall.cdrom.com (Andrey A. Chernov)
Date: Wed, 12 Apr 1995 15:10:12 -0500 (CDT)
Cc: freebsd-security@FreeBSD.org
In-Reply-To: <199504121857.LAA20359@freefall.cdrom.com> from "Andrey A. Chernov" at Apr 12, 95 11:57:41 am
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1640
Sender: security-owner@FreeBSD.org
Precedence: bulk

> > ache 95/04/12 11:57:40
> >
> > Modified: usr.sbin/cron/cron do_command.c
> Log:
> Close MAILTO security hole

I took a look at your fix, and the security hole is still there. Simply checking if the first character of the MAILTO variable is a '-' isn't enough, since I could simply prefix the MAILTO variable with a space (or lots of them or whatever). I can also add additional arguments, which with sendmail isn't a problem, but what if the administrator chooses to edit cron/config.h and use a different mail delivery program? Then who knows how those extra arguments are going to be used.

Even if MAILTO isn't set, if I manage to get LOGNAME set to something funny (possible), then the same security hole exists, since it will be used as the mailing address in place of MAILTO.

I still think that the best way to fix this problem is to require that the user name that cron intends to send mail to points to a valid login name (which my fix does). That way there is no doubt that the user isn't passing something funny in the variable that may be interpreted by either the popen call or sendmail in some unintended manner.

Programs that run as root should be as restrictive as possible with user supplied parameters that they pass off to other programs that are also going to be run as root (or as anything other than the calling user). They shouldn't try and decide if the parameters look "OK" enough to pass along. They should require that they conform to a very strictly defined format.

-- 
Mike Pritchard
pritc003@maroon.tc.umn.edu
"Go that way. Really fast. If something gets in your way, turn"
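The two checks contrasted in the message above, as an added example in C that is not code from cron, from the commit under discussion or from Mike's own fix. It models a cron-like daemon pasting MAILTO into a popen() command line (the mailer path, fixed options and format string are assumptions made for this example, not cron's actual MAILARGS), shows why a "first byte is not '-'" test is defeated by leading blanks and by extra words, and beside it puts the strict-format-plus-getpwnam() requirement Mike argues for. The sample MAILTO values are constructed; the "-badopt" word stands in for any option the mailer might honour and is not a claim about a particular sendmail flag.

```c
#include <ctype.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Hypothetical stand-in for how a cron-like daemon pastes MAILTO into a
 * shell command for popen(). Mailer path and fixed options are assumptions
 * for this example, not cron's own MAILCMD/MAILARGS. */
#define MAILCMD     "/usr/sbin/sendmail"
#define MAILARGS    "%s -FCronDaemon -odi -oem %s"
#define FIXED_WORDS 4   /* mailer path plus three fixed options */

/* Count the blank-separated words /bin/sh would hand to the mailer.
 * Quoting and globbing are deliberately ignored; this is a model. */
static int count_words(const char *s)
{
    int n = 0, in_word = 0;
    for (; *s; s++) {
        if (isspace((unsigned char)*s)) {
            in_word = 0;
        } else if (!in_word) {
            in_word = 1;
            n++;
        }
    }
    return n;
}

/* The check Mike describes as insufficient: reject only when the very
 * first byte of MAILTO is '-'. Returns 1 when the value is accepted. */
int weak_mailto_check(const char *mailto)
{
    return mailto[0] != '-';
}

/* Does the first word the mailer actually receives start with '-'?
 * Leading blanks are skipped here exactly as the shell skips them. */
int mailer_sees_option(const char *mailto)
{
    while (isspace((unsigned char)*mailto))
        mailto++;
    return mailto[0] == '-';
}

/* How many argv words MAILTO contributes to the mailer command line.
 * An honest address contributes exactly one. */
int extra_mailer_args(const char *mailto)
{
    char cmd[512];
    snprintf(cmd, sizeof cmd, MAILARGS, MAILCMD, mailto);
    return count_words(cmd) - FIXED_WORDS;
}

/* The strictly defined format Mike argues for: something that can only be
 * a login name. Length limit and character set are assumptions. */
int strict_mailto_format(const char *mailto)
{
    size_t i, len = strlen(mailto);
    if (len == 0 || len > 32)
        return 0;
    if (!isalnum((unsigned char)mailto[0]))   /* rules out '-', blanks, ... */
        return 0;
    for (i = 1; i < len; i++) {
        unsigned char c = (unsigned char)mailto[i];
        if (!isalnum(c) && c != '_' && c != '-' && c != '.')
            return 0;
    }
    return 1;
}

/* Format check plus the real requirement: the name must exist in the
 * password database. Anything that fails here never reaches popen(). */
int mailto_is_login(const char *mailto)
{
    return strict_mailto_format(mailto) && getpwnam(mailto) != NULL;
}

int main(void)
{
    /* Constructed sample MAILTO values, not taken from any real crontab. */
    const char *samples[] = { "mpp", "-badopt", "   -badopt", "mpp -badopt" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *m = samples[i];
        printf("MAILTO=\"%s\": weak=%d option=%d extra=%d strict=%d\n", m,
               weak_mailto_check(m), mailer_sees_option(m),
               extra_mailer_args(m), strict_mailto_format(m));
    }
    return 0;
}
```

The third and fourth samples are the two bypasses from the message: "   -badopt" passes the weak check yet the mailer still receives an option as its first MAILTO word, and "mpp -badopt" passes it while adding a second argument whose meaning depends entirely on whichever mailer config.h names. Both are rejected by the strict format before getpwnam() is ever consulted, which also covers the case where the value came from LOGNAME rather than MAILTO, since the check is on the string, not on where it came from.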