Date:      Wed, 12 Apr 1995 15:10:12 -0500 (CDT)
From:      Mike Pritchard <pritc003@maroon.tc.umn.edu>
To:        ache@freefall.cdrom.com (Andrey A. Chernov)
Cc:        freebsd-security@FreeBSD.org
Subject:   Re: cvs commit: src/usr.sbin/cron/cron do_command.c
Message-ID:  <199504122010.PAA03812@mpp.com>
In-Reply-To: <199504121857.LAA20359@freefall.cdrom.com> from "Andrey A. Chernov" at Apr 12, 95 11:57:41 am

> 
> ache        95/04/12 11:57:40
> 
>   Modified:    usr.sbin/cron/cron do_command.c
>   Log:
>   Close MAILTO security hole

I took a look at your fix, and the security hole is still there.  Simply 
checking if the first character of the MAILTO variable is a '-' isn't 
enough, since I could simply prefix the MAILTO variable with a space (or 
lots of them or whatever).  I can also add additional arguments,
which with sendmail isn't a problem, but what if the administrator chooses
to edit cron/config.h and use a different mail delivery program?
Then who knows how those extra arguments are going to be used.

Even if MAILTO isn't set, if I manage to get LOGNAME set to something
funny (possible), then the same security hole exists, since it will be used
as the mailing address in place of MAILTO.

I still think that the best way to fix this problem is to require that
the user name that cron intends to send mail to points to a valid login 
name (which my fix does).  That way there is no doubt that the user isn't 
passing something funny in the variable that may be interpreted by either 
the popen call or sendmail in some unintended manner.  Programs that run as 
root should be as restrictive as possible with user supplied parameters that 
they pass off to other programs that are also going to be run as root (or
as anything other than the calling user).  They shouldn't try and decide if 
the parameters look "OK" enough to pass along.  They should require that 
they conform to a very strictly defined format.
-- 
Mike Pritchard
pritc003@maroon.tc.umn.edu
"Go that way.  Really fast.  If something gets in your way, turn"
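
The check argued for in the message above (accept a mail recipient only if it matches a strict format and names a valid login), as an added example that is not part of the original e-mail and not the FreeBSD cron source. The function names, the length bound and the allowed character set are assumptions made for this illustration.

```c
#include <ctype.h>
#include <pwd.h>
#include <stddef.h>
#include <string.h>
#include <sys/types.h>

#define MAX_LOGIN_LEN 32   /* assumed bound for this example */

/* Strict format: first char a letter or '_', the rest letters, digits,
 * '_', '.' or '-'.  No whitespace, no leading '-', no shell characters. */
int recipient_format_ok(const char *s)
{
    size_t i, n;

    if (s == NULL)
        return 0;
    n = strlen(s);
    if (n == 0 || n > MAX_LOGIN_LEN)
        return 0;
    if (!isalpha((unsigned char)s[0]) && s[0] != '_')
        return 0;
    for (i = 1; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '_' && c != '.' && c != '-')
            return 0;
    }
    return 1;
}

/* Accept only a well-formed name that is also an existing account. */
int recipient_is_login(const char *s)
{
    return recipient_format_ok(s) && getpwnam(s) != NULL;
}

/* MAILTO first, LOGNAME as fallback; both are user-influenced, so both
 * go through the same check.  NULL means: send no mail at all. */
const char *pick_recipient(const char *mailto, const char *logname)
{
    if (mailto != NULL)
        return recipient_is_login(mailto) ? mailto : NULL;
    return recipient_is_login(logname) ? logname : NULL;
}
```

A value that fails the check is dropped rather than repaired, so nothing the user supplied reaches the mailer's command line unless it is exactly one account name.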