I still don't buy that sendmail is "fixed".
*Hobbit* (hobbit avian.org) Fri, 24 Feb 1995 00:56:27 -0500
In readcf.c, we still have the following fragment:
```c
    ...
    if (!safe && RealUid == 0)
        safe = TRUE;
    if (!safe && strchr("bCdeijLmoprsvw7", opt) == NULL)
    {
===>    if (opt != 'M' || (val[0] != 'r' && val[0] != 's'))
        {
            if (tTd(37, 1))
                printf(" (unsafe)");
            if (RealUid != geteuid())
            {
                if (tTd(37, 1))
                    printf("(Resetting uid)");
                (void) setgid(RealGid);
                (void) setuid(RealUid);
            }
        }
    }
    if (tTd(37, 1))
        printf("\n");
    ...
```
What is the line with "===>" in front of it really supposed to be doing?
Why should we let ordinary users define macros at all, and do crap like
override or add to $j?!
I would reduce the "string of options considered safe" down to "dijLmv7".
* * *
And as far as parsing identd stuff, what der Mouse said about reads, and
what Wietse wrote into tcpd that appears to read a username in a safe way,
and DISCARDS everything after the first space. We wake up and suddenly
realize that identd responses are to be considered "user input".
\r\nCroot\r\nR<"|/bin/echo HAHA > somefile">\r\nHBogus: indeed. Maybe
I'll just leave my identd wired this way for a while just to screw with
people's heads. Maybe I'll change "somefile" to "/dev/kmem".
Why am I so *PISSED OFF* about this?! It's only ones and zeros, fer krissake.
_H*
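
The point above about treating identd responses as user input, as an added example that is not part of the original post and is not sendmail or tcpd source: a receiver-side parser that looks only at the first line of an RFC 1413 reply, stops the username at the first whitespace, and refuses anything outside a small allowlist. The function name `ident_username`, the 32-character cap and the allowlist are assumptions of this example, and the sample replies are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* ident_username() is a hypothetical helper for this example, not sendmail
 * or tcpd source. `reply` is one RFC 1413 response, already read with a
 * bounded read and NUL-terminated by the caller. Returns 0 and fills `out`
 * with a vetted username, or -1 if the reply is rejected. */
int ident_username(const char *reply, char *out, size_t outlen)
{
    char line[256], user[33];
    unsigned lport, rport;
    size_t n = strcspn(reply, "\r\n");   /* first line only */

    if (outlen == 0 || n >= sizeof line)
        return -1;
    memcpy(line, reply, n);
    line[n] = '\0';

    /* %32s is width-limited and stops at the first whitespace, so anything
     * after the first space in the username field is discarded. */
    if (sscanf(line, "%u , %u : USERID :%*[^:]: %32s", &lport, &rport, user) != 3)
        return -1;
    if (lport > 65535 || rport > 65535 || strlen(user) >= outlen)
        return -1;

    /* Allowlist (an assumption of this example): the name ends up in
     * headers, logs and queue files, so metacharacters are refused
     * outright rather than escaped. */
    for (const char *p = user; *p; p++)
        if (!isalnum((unsigned char)*p) && !strchr("._-", *p))
            return -1;

    strcpy(out, user);
    return 0;
}

int main(void)
{
    /* Constructed replies, not captured traffic. */
    const char *samples[] = {
        "113, 25 : USERID : UNIX : alice\r\nXinjected: line\r\n",
        "113, 25 : USERID : UNIX : \r\nXinjected: line\r\n",
        "113, 25 : USERID : UNIX : al|ce more",
    };
    char u[33];
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%zu: %s\n", i, ident_username(samples[i], u, sizeof u) ? "rejected" : u);
    return 0;
}
```

The vetted name is still remote-controlled data: log it or store it as an opaque string and never let it reach a file the program later re-parses line by line.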