From owner-freebsd-security Thu Apr 13 07:21:31 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.10/8.6.6) id HAA15580 for security-outgoing; Thu, 13 Apr 1995 07:21:31 -0700
Received: from sequent.kiae.su (sequent.kiae.su [144.206.136.6]) by freefall.cdrom.com (8.6.10/8.6.6) with SMTP id HAA15567 for ; Thu, 13 Apr 1995 07:21:24 -0700
Received: by sequent.kiae.su id AA03820 (5.65.kiae-2 ); Thu, 13 Apr 1995 18:10:59 +0400
Received: by sequent.KIAE.su (UUMAIL/2.0); Thu, 13 Apr 95 18:10:58 +0400
Received: (from ache@localhost) by astral.msk.su (8.6.8/8.6.6) id SAA01716; Thu, 13 Apr 1995 18:09:56 +0400
To: adam , freebsd-security@FreeBSD.org
References: <199504131217.PAA21237@lune.math.tau.ac.il>
In-Reply-To: <199504131217.PAA21237@lune.math.tau.ac.il>; from adam at Thu, 13 Apr 1995 15:17:00 +0300 (GMT+0300)
Message-Id:
Organization: Olahm Ha-Yetzirah
Date: Thu, 13 Apr 1995 18:09:56 +0400
X-Mailer: Mail/@ [v2.32 FreeBSD]
From: "Andrey A. Chernov, Black Mage"
X-Class: Fast
Subject: Re: cvs commit: src/usr.sbin/cron/cron do_command.c
Lines: 20
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Content-Length: 972
Sender: security-owner@FreeBSD.org
Precedence: bulk

In message <199504131217.PAA21237@lune.math.tau.ac.il> adam writes:

>My suggestion is not to run Sendmail as root. If you want, you can
>``verify'' MAILTO, but IMHO, such a fix is begging to fail, because
>you need to start studying Sendmail and seeing what wrongs it can do
>running as root. Like, the obvious fix of searching for ``-'' fails
>for people who mail ``cron-people''.

This complex fix is really unneeded and breaks many things.
Only the check *mailto == '-' is needed. Any other argument is treated
as a normal address and nothing wrong happens in sending to it from
root. It is equivalent to logging in as root and sending mail to
somebody. It is just the way I fixed it in -current.

-- 
Andrey A. Chernov        : And I rest so composedly,    /Now, in my bed,
ache@astral.msk.su       : That any beholder            /Might fancy me dead -
FidoNet: 2:5020/230.3    : Might start at beholding me, /Thinking me dead.
RELCOM Team,FreeBSD Team : E.A.Poe   From "For Annie" 1849
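
The two MAILTO checks discussed in this thread, side by side, as an added example that is not part of the original message and is not the code committed to cron: searching for ``-'' anywhere versus testing only the first character. The helper build_mailer_argv, the mailer name and the sample values are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* The "obvious fix" from the quoted message: refuse any '-' anywhere. */
int rejects_any_dash(const char *mailto)
{
    return strchr(mailto, '-') != NULL;
}

/* The check from the reply: refuse only a leading '-'. */
int rejects_leading_dash(const char *mailto)
{
    return *mailto == '-';
}

/*
 * Hypothetical helper (not cron's code): build the mailer argument vector.
 * Returns the argument count, or -1 when MAILTO is refused. Treating an
 * empty value as "no recipient" is an assumption of this example.
 */
int build_mailer_argv(const char *mailer, const char *mailto,
                      const char *argv[], size_t cap)
{
    if (mailto == NULL || *mailto == '\0' || rejects_leading_dash(mailto))
        return -1;
    if (cap < 3)
        return -1;
    argv[0] = mailer;
    argv[1] = mailto;   /* passed as a single address argument */
    argv[2] = NULL;
    return 2;
}

int main(void)
{
    /* Constructed sample values. */
    const char *samples[] = { "root", "cron-people", "-constructed", "" };
    const char *argv[3];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int n = build_mailer_argv("sendmail", samples[i], argv, 3);
        printf("%-14s any-dash:%d leading-dash:%d -> %s\n", samples[i],
               rejects_any_dash(samples[i]), rejects_leading_dash(samples[i]),
               n < 0 ? "refused" : "mailed");
    }
    return 0;
}
```

The substring search refuses the legitimate address ``cron-people'', while the first-character test accepts it and still refuses a value that the mailer would read as an option.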