Date: Wed, 12 Apr 1995 15:10:12 -0500 (CDT)
From: Mike Pritchard <pritc003@maroon.tc.umn.edu>
To: ache@freefall.cdrom.com (Andrey A. Chernov)
Cc: freebsd-security@FreeBSD.org
Subject: Re: cvs commit: src/usr.sbin/cron/cron do_command.c
Message-ID: <199504122010.PAA03812@mpp.com>
In-Reply-To: <199504121857.LAA20359@freefall.cdrom.com> from "Andrey A. Chernov" at Apr 12, 95 11:57:41 am

>
> ache 95/04/12 11:57:40
>
> Modified: usr.sbin/cron/cron do_command.c
> Log:
> Close MAILTO security hole

I took a look at your fix, and the security hole is still there.
Simply checking if the first character of the MAILTO variable is a '-'
isn't enough, since I could simply prefix the MAILTO variable with a
space (or lots of them or whatever). I can also add additional
arguments, which with sendmail isn't a problem, but what if the
administrator chooses to edit cron/config.h and use a different mail
delivery program? Then who knows how those extra arguments are going
to be used.

Even if MAILTO isn't set, if I manage to get LOGNAME set to something
funny (possible), then the same security hole exists, since it will be
used as the mailing address in place of MAILTO.

I still think that the best way to fix this problem is to require that
the user name that cron intends to send mail to points to a valid login
name (which my fix does). That way there is no doubt that the user
isn't passing something funny in the variable that may be interpreted
by either the popen call or sendmail in some unintended manner.

Programs that run as root should be as restrictive as possible with
user supplied parameters that they pass off to other programs that are
also going to be run as root (or as anything other than the calling
user). They shouldn't try and decide if the parameters look "OK" enough
to pass along. They should require that they conform to a very strictly
defined format.
--
Mike Pritchard
pritc003@maroon.tc.umn.edu
"Go that way. Really fast. If something gets in your way, turn"
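
Added example, not part of the original message and not the code of either patch discussed in this thread: a C sketch contrasting the first-character test criticised above with a strict allow-list check followed by a login-name lookup. The function names, the MAX_LOGIN limit, the permitted character set and the sample strings are assumptions made for illustration.

```c
/* Added illustration; not code from cron or from either patch in the thread. */
#include <ctype.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>

#define MAX_LOGIN 32   /* assumed length limit for this sketch */

/* The check criticised in the message: reject only a leading '-'. */
static int first_char_check(const char *s)
{
    return s != NULL && s[0] != '-';
}

/* Strict format: 1..MAX_LOGIN chars from [A-Za-z0-9_.-], no leading '-'. */
static int login_format_ok(const char *s)
{
    size_t i, n;

    if (s == NULL)
        return 0;
    n = strlen(s);
    if (n == 0 || n > MAX_LOGIN || s[0] == '-')
        return 0;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '_' && c != '.' && c != '-')
            return 0;
    }
    return 1;
}

/* Accept the recipient only if it is well-formed AND names a real account. */
static int recipient_ok(const char *s)
{
    return login_format_ok(s) && getpwnam(s) != NULL;
}

int main(void)
{
    /* Constructed sample values standing in for MAILTO / LOGNAME. */
    const char *samples[] = { "root", "-x", " -x", "root extra-arg", "" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-18s first-char=%d strict=%d\n", samples[i],
               first_char_check(samples[i]), recipient_ok(samples[i]));
    return 0;
}
```

The same check would have to be applied to whichever value ends up as the mail address, LOGNAME included, before it reaches popen.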