From owner-freebsd-security Fri Apr 14 03:52:19 1995 Return-Path: security-owner Received: (from majordom@localhost) by freefall.cdrom.com (8.6.10/8.6.6) id DAA14350 for security-outgoing; Fri, 14 Apr 1995 03:52:19 -0700 Received: from mpp.com (dialup-4-43.gw.umn.edu [128.101.96.43]) by freefall.cdrom.com (8.6.10/8.6.6) with ESMTP id DAA14342 for ; Fri, 14 Apr 1995 03:52:15 -0700 Received: (from mpp@localhost) by mpp.com (8.6.11/8.6.9) id FAA11038; Fri, 14 Apr 1995 05:51:14 -0500 From: Mike Pritchard Message-Id: <199504141051.FAA11038@mpp.com> Subject: Re: cvs commit: src/usr.sbin/cron/cron Makefile do_command.c bitstring.3 bitstring.h To: ache@freefall.cdrom.com (Andrey A. Chernov) Date: Fri, 14 Apr 1995 05:51:14 -0500 (CDT) Cc: freebsd-security@FreeBSD.org In-Reply-To: <199504132058.NAA27172@freefall.cdrom.com> from "Andrey A. Chernov" at Apr 13, 95 01:58:16 pm X-Mailer: ELM [version 2.4 PL24] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 3795 Sender: security-owner@FreeBSD.org Precedence: bulk Ok, here is a fix for all of the currently known cron problems that also allows the user to set MAILTO to anything they please. This is done by calling sendmail with "-t" to tell it to read the recipient list from the mail header. The argument given with MAILTO is not passed on the command line, thus making it impossible for the user to spoof sendmail in anyway (unless someone knows how to do it by mucking with the "To:" line in the mail header). I hope that this fix will make everyone happy. -Mike *** orig/config.h Fri Apr 14 05:29:20 1995 --- ./config.h Fri Apr 14 05:28:33 1995 *************** *** 42,51 **** */ #define MAILCMD _PATH_SENDMAIL /*-*/ ! #define MAILARGS "%s -FCronDaemon -odi -oem %s" /*-*/ /* -Fx = set full-name of sender * -odi = Option Deliverymode Interactive * -oem = Option Errors Mailedtosender */ /* #define MAILCMD "/bin/mail" /*-*/ --- 42,52 ---- */ #define MAILCMD _PATH_SENDMAIL /*-*/ ! 
#define MAILARGS "%s -FCronDaemon -odi -oem -t" /*-*/ /* -Fx = set full-name of sender * -odi = Option Deliverymode Interactive * -oem = Option Errors Mailedtosender + * -t = read recipient from header of message */ /* #define MAILCMD "/bin/mail" /*-*/ *** orig/do_command.c Fri Apr 14 05:26:55 1995 --- ./do_command.c Fri Apr 14 05:40:02 1995 *************** *** 94,128 **** */ usernm = env_get("LOGNAME", e->envp); mailto = env_get("MAILTO", e->envp); - if (mailto != NULL && *mailto) { - char *head, *next; - int address_found = 0; - - head = mailto; - while (isspace(*head)) - head++; - for ( ; (next = strpbrk(head, " \t")) != NULL; head = next) { - next++; - while (isspace(*next)) - next++; - address_found = 1; - if (*head == '-') { - mailto = NULL; - break; - } - } - if (mailto != NULL && *head) { - address_found = 1; - if (*head == '-') - mailto = NULL; - } - if (!address_found) - mailto = ""; - if (mailto == NULL) { - log_it("CRON",getpid(), usernm, "attempts to crack"); - exit(ERROR_EXIT); - } - } #ifdef USE_SIGCHLD /* our parent is watching for our death by catching SIGCHLD. we --- 94,99 ---- *************** *** 395,402 **** auto char hostname[MAXHOSTNAMELEN]; (void) gethostname(hostname, MAXHOSTNAMELEN); ! (void) sprintf(mailcmd, MAILARGS, ! MAILCMD, mailto); if (!(mail = cron_popen(mailcmd, "w"))) { perror(MAILCMD); (void) _exit(ERROR_EXIT); --- 366,373 ---- auto char hostname[MAXHOSTNAMELEN]; (void) gethostname(hostname, MAXHOSTNAMELEN); ! (void) snprintf(mailcmd, sizeof(mailcmd), ! MAILARGS, MAILCMD); if (!(mail = cron_popen(mailcmd, "w"))) { perror(MAILCMD); (void) _exit(ERROR_EXIT); *** orig/popen.c Fri Apr 14 05:26:55 1995 --- ./popen.c Fri Apr 14 05:38:28 1995 *************** *** 32,37 **** --- 32,38 ---- #include + #define MAX_ARGS 100 #define WANT_GLOBBING 0 /* *************** *** 50,56 **** FILE *iop; int argc, pdes[2]; PID_T pid; ! 
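Review bot: With `-t` added to MAILARGS in the config.h hunk, the MAILTO value stops being a command-line argument and becomes header text that sendmail parses for recipients, while the first do_command.c hunk deletes the only validation MAILTO had. The code that writes the `To:` line is outside these hunks, so this is inferred, but a value carrying a newline or other control character would presumably end that header line early. A guard such as `if (mailto != NULL && strpbrk(mailto, "\r\n") != NULL)`, followed by the same `log_it(...)` / `exit(ERROR_EXIT)` pair the removed block used, keeps the header to a single line. The removed block also mapped a whitespace-only MAILTO to `""`; unless the later code still treats that as "send no mail", sendmail is now started with an empty recipient header. The new comment `-t = read recipient from header of message` could say that the header content is therefore what has to be checked.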
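Review bot: The result of `snprintf()` in the second do_command.c hunk is cast to void, so a truncated command string would reach `cron_popen()` unnoticed. The format now takes only MAILCMD, so the length is fixed at build time and truncation is unlikely, but the check is cheap: `n = snprintf(mailcmd, sizeof(mailcmd), MAILARGS, MAILCMD);` followed by `if (n < 0 || (size_t)n >= sizeof(mailcmd)) _exit(ERROR_EXIT);`. `sizeof(mailcmd)` is the buffer size only if `mailcmd` is an array; its declaration is outside the hunk and should be confirmed. The enclosing block starts and ends outside the hunk.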
char *argv[100]; #if WANT_GLOBBING char **pop, *vv[2]; int gargc; --- 51,57 ---- FILE *iop; int argc, pdes[2]; PID_T pid; ! char *argv[MAX_ARGS + 1]; #if WANT_GLOBBING char **pop, *vv[2]; int gargc; *************** *** 72,78 **** return(NULL); /* break up string into pieces */ ! for (argc = 0, cp = program;; cp = NULL) if (!(argv[argc++] = strtok(cp, " \t\n"))) break; --- 73,79 ---- return(NULL); /* break up string into pieces */ ! for (argc = 0, cp = program; argc < MAX_ARGS; cp = NULL) if (!(argv[argc++] = strtok(cp, " \t\n"))) break;
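Review bot: When the tokenising loop in the last popen.c hunk stops because `argc` reached MAX_ARGS rather than because `strtok()` returned NULL, nothing stores a terminating NULL in `argv`. The preceding hunk sizes the array as `argv[MAX_ARGS + 1]`, so the slot exists but is left uninitialised. Whatever consumes `argv` after the loop (outside the hunk, presumably an exec call) would then read past the last token. Adding `argv[MAX_ARGS] = NULL;` directly after the loop terminates the vector on both exit paths. A short comment on `#define MAX_ARGS 100` noting that tokens beyond the limit are silently dropped would also help.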