Date: Tue, 03 Sep 2019 14:06:58 -0000
From: Kyle Evans <kevans@freebsd.org>
To: Ian Lepore <ian@freebsd.org>
Cc: src-committers <src-committers@freebsd.org>, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: Re: svn commit: r346252 - in head/usr.sbin/cron: cron crontab
Message-ID: <CACNAnaHsM%2BpZU=3FRjpG%2BCabaLmQJ9vVdE6Nqs2s6xi23QLEjQ@mail.gmail.com>
In-Reply-To: <ff0c4c6a9f159d9a7267bfed0ce496074f058cdf.camel@freebsd.org>
References: <201904151853.x3FIrSXI019502@repo.freebsd.org> <ff0c4c6a9f159d9a7267bfed0ce496074f058cdf.camel@freebsd.org>

On Mon, Apr 15, 2019 at 2:26 PM Ian Lepore <ian@freebsd.org> wrote:
>
> On Mon, 2019-04-15 at 18:53 +0000, Kyle Evans wrote:
> > Author: kevans
> > Date: Mon Apr 15 18:53:28 2019
> > New Revision: 346252
> > URL: https://svnweb.freebsd.org/changeset/base/346252
> >
> > Log:
> >   cron(8): Add MAILFROM ability for crontabs
> >
> >   This changes the sender mail address in a similar fashion to how MAILTO may
> >   change the recipient. The default from address remains unchanged.
> >
> >   MFC after: 1 week
> >
> > Modified:
> >   head/usr.sbin/cron/cron/cron.8
> >   head/usr.sbin/cron/cron/do_command.c
> >   head/usr.sbin/cron/crontab/crontab.5
> >
>
> Is this going to allow normal users to spoof the From: using private
> crontabs? That sounds mildly dangerous.
>
> -- Ian

I think my description here was lacking- this is a per-crontab
environment variable, so yes: a user may spoof the from address in a
private crontab for jobs within that crontab. I don't know how much of
a security concern this is, but I peeked at cronie [1] after you
brought this up and observed that their implementation is effectively
the same restriction-wise, but with sanity checking for both
mailfrom/mailto values.

[1] https://github.com/cronie-crond/cronie/blob/master/src/do_command.c
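
As an added example that is not part of the original message, and is neither FreeBSD cron nor cronie code: one way a sanity check on a MAILFROM/MAILTO value could look before the value is written into a mail header. The function names, the allowed delimiter set and the length limit are assumptions; the check only constrains the value to a single address-like token and does not decide whether the crontab owner may use that address.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added illustration; hypothetical helpers, not FreeBSD cron or cronie code. */
#define MAX_MAIL_VALUE 254	/* assumed length limit for this example */

/* True if s is a single address-like token: ASCII letters and digits,
 * plus a few delimiters that may not appear in the first position. */
bool
mail_value_is_safe(const char *s)
{
	static const char delims[] = "@.-_+";	/* assumed conservative set */
	size_t i, len;

	if (s == NULL || (len = strlen(s)) == 0 || len > MAX_MAIL_VALUE)
		return false;
	for (i = 0; i < len; i++) {
		unsigned char c = (unsigned char)s[i];

		if ((c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') ||
		    (c >= 'a' && c <= 'z'))
			continue;
		/* A leading '-' could be read as an option by a mailer. */
		if (i > 0 && strchr(delims, c) != NULL)
			continue;
		return false;	/* space, CR/LF, quotes, non-ASCII, ... */
	}
	return true;
}

/* Use the crontab's value only if it passes; otherwise keep the default. */
const char *
pick_sender(const char *mailfrom, const char *fallback)
{
	return mail_value_is_safe(mailfrom) ? mailfrom : fallback;
}

int
main(void)
{
	/* Constructed sample values. */
	const char *samples[] = { "ops@example.org", "-ops@example.org",
	    "ops@example.org\nX-Injected: 1", "" };

	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("%zu: From: %s\n", i, pick_sender(samples[i], "root"));
	return 0;
}
```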