Date: Thu, 13 Apr 1995 01:40:53 +0400
From: "Andrey A. Chernov, Black Mage" <ache@astral.msk.su>
To: Mike Pritchard <pritc003@maroon.tc.umn.edu>
Cc: freebsd-security@FreeBSD.org
Subject: Re: cvs commit: src/usr.sbin/cron/cron do_command.c
Message-ID: <OHbZ4ZluuB@astral.msk.su>
In-Reply-To: <199504122010.PAA03812@mpp.com>; from Mike Pritchard at Wed, 12 Apr 1995 15:10:12 -0500 (CDT)
References: <199504122010.PAA03812@mpp.com>
In message <199504122010.PAA03812@mpp.com> Mike Pritchard writes:

>> ache        95/04/12 11:57:40
>>
>>   Modified:    usr.sbin/cron/cron  do_command.c
>>   Log:
>>   Close MAILTO security hole

>I took a look at your fix, and the security hole is still there.  Simply
>checking if the first character of the MAILTO variable is a '-' isn't
>enough, since I could simply prefix the MAILTO variable with a space (or
>lots of them or whatever).

Did you really try, e.g., sendmail ' -v'???

>I can also add additional arguments,
>which with sendmail isn't a problem, but what if the administrator chooses
>to edit cron/config.h and use a different mail delivery program?
>when who knows how those extra arguments are going to be used.

It is the administrator's fault.

>Even if MAILTO isn't set, if I manage to get LOGNAME set to something
>funny (possible), then the same security hole exists, since it will be used
>as the mailing address in place of MAILTO.

LOGNAME is forced to pw->pw_name in entry.c.

>I still think that the best way to fix this problem is to require that
>the user name that cron intends to send mail to points to a valid login
>name (which my fix does).  That way there is no doubt that the user isn't
>passing something funny in the variable that may be interpreted by either
>the popen call or sendmail in some unintended manner.  Programs that run as
>root should be as restrictive as possible with user supplied parameters that
>they pass off to other programs that are also going to be run as root (or
>as anything other than the calling user).  They shouldn't try and decide if
>the parameters look "OK" enough to pass along.  They should require that
>they conform to a very strictly defined format.

Your fix breaks MAILTO handling according to the cron manpage.

-- 
Andrey A. Chernov        : And I rest so composedly,  /Now, in my bed,
ache@astral.msk.su       : That any beholder         /Might fancy me dead -
FidoNet: 2:5020/230.3    : Might start at beholding me, /Thinking me dead.
RELCOM Team,FreeBSD Team : E.A.Poe From "For Annie" 1849
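The two approaches argued over in this thread, as an added example that is not code from cron or from either poster: the first-character check that a leading space slips past, beside a strict-format check of the kind Mike describes, plus a helper that falls back to the account name when MAILTO is unset. The allowed login-name character set and the 32-character limit are assumptions for the example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Weak check, modelled on the approach criticised in the thread: reject
 * only when the very first character is '-'.  A value such as " -v"
 * passes, and once the string reaches popen()/the mailer the shell and
 * getopt strip the space and see an option. */
bool mailto_weak_check(const char *mailto)
{
    return mailto[0] != '-';
}

/* Strict check: accept only something shaped like a login name
 * (assumed here: [a-z0-9_][a-z0-9_.-]*, at most 32 characters).
 * Whitespace, a leading '-', quotes and shell metacharacters are all
 * rejected before the value can be handed to another program. */
bool mailto_strict_check(const char *mailto)
{
    size_t len = strlen(mailto);
    if (len == 0 || len > 32)
        return false;
    unsigned char c0 = (unsigned char)mailto[0];
    if (!(islower(c0) || isdigit(c0) || c0 == '_'))
        return false;                      /* never '-' or '.' first */
    for (size_t i = 1; i < len; i++) {
        unsigned char c = (unsigned char)mailto[i];
        if (!(islower(c) || isdigit(c) || c == '_' || c == '-' || c == '.'))
            return false;
    }
    return true;
}

/* Pick the recipient the way a cautious cron would: MAILTO unset means
 * the job owner's account name (pw->pw_name); MAILTO set but failing the
 * strict check yields NULL so the caller can log and skip mailing rather
 * than pass the value along. */
const char *mailto_recipient(const char *env_mailto, const char *pw_name)
{
    if (env_mailto == NULL)
        return pw_name;
    return mailto_strict_check(env_mailto) ? env_mailto : NULL;
}
```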