From owner-freebsd-security Wed Apr 12 14:48:28 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.10/8.6.6) id OAA26910 for security-outgoing; Wed, 12 Apr 1995 14:48:28 -0700
Received: from sequent.kiae.su (sequent.kiae.su [144.206.136.6]) by freefall.cdrom.com (8.6.10/8.6.6) with SMTP id OAA26904 for ; Wed, 12 Apr 1995 14:48:24 -0700
Received: by sequent.kiae.su id AA04500 (5.65.kiae-2 ); Thu, 13 Apr 1995 01:40:31 +0400
Received: by sequent.KIAE.su (UUMAIL/2.0); Thu, 13 Apr 95 01:40:30 +0400
Received: (from ache@localhost) by astral.msk.su (8.6.8/8.6.6) id BAA02974; Thu, 13 Apr 1995 01:40:53 +0400
To: Mike Pritchard
Cc: freebsd-security@FreeBSD.org
References: <199504122010.PAA03812@mpp.com>
In-Reply-To: <199504122010.PAA03812@mpp.com>; from Mike Pritchard at Wed, 12 Apr 1995 15:10:12 -0500 (CDT)
Message-Id:
Organization: Olahm Ha-Yetzirah
Date: Thu, 13 Apr 1995 01:40:53 +0400
X-Mailer: Mail/@ [v2.32 FreeBSD]
From: "Andrey A. Chernov, Black Mage"
X-Class: Fast
Subject: Re: cvs commit: src/usr.sbin/cron/cron do_command.c
Lines: 51
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Content-Length: 2095
Sender: security-owner@FreeBSD.org
Precedence: bulk

In message <199504122010.PAA03812@mpp.com> Mike Pritchard writes:
>>
>> ache 95/04/12 11:57:40
>>
>> Modified: usr.sbin/cron/cron do_command.c
>> Log:
>> Close MAILTO security hole

>I took a look at your fix, and the security hole is still there. Simply
>checking if the first character of the MAILTO variable is a '-' isn't
>enough, since I could simply prefix the MAILTO variable with a space (or
>lots of them or whatever).

Did you really try, e.g., sendmail ' -v'???

>I can also add additional arguments,
>which with sendmail isn't a problem, but what if the administrator chooses
>to edit cron/config.h and use a different mail delivery program?
>when who knows how those extra arguments are going to be used.

It is the administrator's fault.

>Even if MAILTO isn't set, if I manage to get LOGNAME set to something
>funny (possible), then the same security hole exists, since it will be used
>as the mailing address in place of MAILTO.

LOGNAME is forced to pw->pw_name in entry.c

>I still think that the best way to fix this problem is to require that
>the user name that cron intends to send mail to points to a valid login
>name (which my fix does). That way there is no doubt that the user isn't
>passing something funny in the variable that may be interpreted by either
>the popen call or sendmail in some unintended manner. Programs that run as
>root should be as restrictive as possible with user supplied parameters that
>they pass off to other programs that are also going to be run as root (or
>as anything other than the calling user). They shouldn't try and decide if
>the parameters look "OK" enough to pass along. They should require that
>they conform to a very strictly defined format.

Your fix breaks MAILTO handling according to the cron manpage.

--
Andrey A. Chernov        : And I rest so composedly, /Now, in my bed,
ache@astral.msk.su       : That any beholder /Might fancy me dead -
FidoNet: 2:5020/230.3    : Might start at beholding me, /Thinking me dead.
RELCOM Team,FreeBSD Team : E.A.Poe From "For Annie" 1849
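The two validation strategies argued over in this thread, side by side, as an added example that is not cron's code and not from either poster: the leading-dash check that the thread says a leading space defeats, and the strict "must be a login name" rule Mike Pritchard argues for. Function names and the 32-byte length bound are assumptions made here.

```c
#include <ctype.h>
#include <pwd.h>
#include <string.h>
#include <sys/types.h>

/* Weak check from the discussion: rejects only a MAILTO whose very first
 * byte is '-'.  Leading whitespace or extra words pass straight through
 * to whatever popen() command line the value is spliced into. */
int mailto_ok_dash_check(const char *mailto)
{
    return mailto != NULL && mailto[0] != '-';
}

/* Strict syntax: non-empty, bounded length, first byte alphanumeric, the
 * rest limited to characters a local login name may contain.  A space,
 * a '-' prefix, or any shell metacharacter fails the check outright. */
int mailto_syntax_ok(const char *mailto)
{
    size_t i, n;

    if (mailto == NULL)
        return 0;
    n = strlen(mailto);
    if (n == 0 || n > 32)   /* assumed bound; real limits are system-specific */
        return 0;
    if (!isalnum((unsigned char)mailto[0]))
        return 0;
    for (i = 1; i < n; i++) {
        unsigned char c = (unsigned char)mailto[i];
        if (!isalnum(c) && c != '_' && c != '.' && c != '-')
            return 0;
    }
    return 1;
}

/* The position argued for in the thread: the value must name a real
 * account.  Syntax is checked first so getpwnam() never sees an
 * unconstrained string. */
int mailto_is_login_name(const char *mailto)
{
    return mailto_syntax_ok(mailto) && getpwnam(mailto) != NULL;
}
```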