From owner-freebsd-security  Thu Apr 13 09:53:58 1995
Return-Path: security-owner
Received: (from majordom@localhost)
          by freefall.cdrom.com (8.6.10/8.6.6) id JAA20828
          for security-outgoing; Thu, 13 Apr 1995 09:53:58 -0700
Received: from trout.sri.MT.net (trout.sri.MT.net [204.182.243.12])
          by freefall.cdrom.com (8.6.10/8.6.6) with ESMTP id JAA20819
          for <freebsd-security@FreeBSD.org>; Thu, 13 Apr 1995 09:53:54 -0700
Received: (from nate@localhost) by trout.sri.MT.net (8.6.11/8.6.11) id KAA26380; Thu, 13 Apr 1995 10:52:51 -0600
Date: Thu, 13 Apr 1995 10:52:51 -0600
From: Nate Williams <nate@trout.sri.MT.net>
Message-Id: <199504131652.KAA26380@trout.sri.MT.net>
In-Reply-To: Mike Pritchard <pritc003@maroon.tc.umn.edu>
       "Re: cvs commit: src/usr.sbin/cron/cron do_command.c" (Apr 13, 11:31am)
X-Mailer: Mail User's Shell (7.2.5 10/14/92)
To: Mike Pritchard <pritc003@maroon.tc.umn.edu>,
        ache@astral.msk.su (Andrey A. Chernov, Black Mage)
Subject: Re: cvs commit: src/usr.sbin/cron/cron do_command.c
Cc: freebsd-security@FreeBSD.org
Sender: security-owner@FreeBSD.org
Precedence: bulk

> > >I still think that the best way to fix this problem is to require that
> > >the user name that cron intends to send mail to points to a valid login 
> > >name (which my fix does).

> > Your fix breaks MAILTO handling according to cron manpage.
> 
> How?  The cron man page states:
>        ...
>        current	minute.   When	executing commands, any output is
>        mailed to the owner of the crontab (or to the  user  named
>        in the MAILTO environment variable in the crontab, if such
>        exists).
> 
> It doesn't sound like cron is saying that it allows anything other
> than a valid user name in the MAILTO varaible.  It doesn't say anything
> about mailing to a mail address, just to a user.  If you need the mail
> to go somewhere else, either setup an account that cron can mail to
> that you can forward in /etc/aliases, or if you are a normal user, use
> one of the mail filtering programs to do it for you.  Cron shouldn't
> have to worry about anything other than delivering mail back to a
> valid local user.

I don't understand the problem completely, but I agree with Mike.  You
shouldn't be allowed to set MAILTO to anything but a local username. 
Nothing more, nothing less.  If you need more flexibility then cron
isn't the program to provide it to you.  Any un-necessary flexibility
provided in setuid/setgid programs almost always creates security
bugs.



Nate