Subject: Re: fuzzy luser_relay ?
From: Matthias Andree (madt.e-technik.uni-dortmund.de)
Date: Fri Sep 01 2000 - 08:08:47 CDT


Ralf Hildebrandt <news-list.postfix.usersinnominate.de> writes:

> >Someone needs to either document the security implications or fix that.
>
> This is strange. While writing my diploma thesis I had to get rid of that
> shell since it caught the signal I was sending to terminate the programs I
> tested. I resolved that problem somehow.
>
> Perhaps popen2 could implement the same strategy as "local" -- only use a
> shell if there are shell metacharacters in the command string.

I think that's not what people would expect; it'd be more useful to
keep that for security, document the implications and implement an
alternative safepopen module instead.

Evidently, popen2 does just what POSIX' popen(3) does.

       The command argument is a pointer to a null-terminated
       string containing a shell command line. This command is
       passed to /bin/sh using the -c flag; interpretation, if
       any, is performed by the shell. The mode argument is a
       pointer to a null-terminated string which must be either
       `r' for reading or `w' for writing.

(Linux' man page)

Reading through the BUGS section in that man page, one had better
re-implement a popen replacement anyhow. :-]

I recall fixing an omitted close() on a popen("uname"...) some while ago
in fetchmail, which caused zombie processes until fetchmail exited... Not
too good.

But if you start like this, you can just as well re-implement a safer C
standard library, breaking compatibility with existing tools.

-- 
Matthias Andree

Where do you think you're going today?
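The two points raised in the message above, that popen(3) hands the whole command string to /bin/sh -c and that a forgotten close leaves zombies behind, can be shown side by side. The following is an added example, not code from the thread, from fetchmail or from Postfix: a minimal shell-free replacement (the names safe_popen/safe_pclose are made up for this illustration) that takes an argv array and exec's it directly, next to the same metacharacter-laden argument fed through the real popen(3). It assumes a POSIX system with fork/pipe/execvp/waitpid and /bin/echo present.

```c
/* Added example: a shell-free popen next to the real popen(3).
   Assumes POSIX (fork, pipe, execvp, waitpid) and that /bin/echo exists. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Handle returned by safe_popen(): the read end plus the child's pid,
   so safe_pclose() can reap it (popen(3) keeps the pid in static data). */
struct safe_proc {
    FILE *fp;
    pid_t pid;
};

/* Like popen(cmd, "r"), but takes an argv array and never consults /bin/sh,
   so ';', '|', '$' and friends inside an argument stay literal. */
static int safe_popen(char *const argv[], struct safe_proc *p)
{
    int fds[2];
    if (pipe(fds) < 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    if (pid == 0) {
        /* child: stdout -> pipe, then exec the program directly */
        close(fds[0]);
        if (dup2(fds[1], STDOUT_FILENO) < 0)
            _exit(127);
        close(fds[1]);
        execvp(argv[0], argv);
        _exit(127);               /* exec failed; there is no shell to fall back on */
    }
    close(fds[1]);
    p->fp = fdopen(fds[0], "r");
    if (p->fp == NULL) {
        close(fds[0]);
        waitpid(pid, NULL, 0);
        return -1;
    }
    p->pid = pid;
    return 0;
}

/* Close the stream and reap the child. Skipping the waitpid() is exactly
   what leaves a zombie around until the parent exits. */
static int safe_pclose(struct safe_proc *p)
{
    int status;
    fclose(p->fp);
    if (waitpid(p->pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Read everything the child wrote into buf, NUL-terminated. */
static void slurp(FILE *fp, char *buf, size_t len)
{
    size_t n = fread(buf, 1, len - 1, fp);
    buf[n] = '\0';
}

/* The command string through popen(3): /bin/sh -c sees the ';' and runs
   a second command. Returns the captured output. */
const char *run_via_popen(void)
{
    static char buf[256];
    FILE *fp = popen("/bin/echo hello; /bin/echo INJECTED", "r");
    if (fp == NULL)
        return NULL;
    slurp(fp, buf, sizeof buf);
    pclose(fp);
    return buf;
}

/* The same text as a single argv element through safe_popen(): echo prints
   it literally, because no shell ever parses it. Returns the captured output. */
const char *run_via_safe_popen(void)
{
    static char buf[256];
    char *const argv[] = { "/bin/echo", "hello; /bin/echo INJECTED", NULL };
    struct safe_proc p;
    if (safe_popen(argv, &p) < 0)
        return NULL;
    slurp(p.fp, buf, sizeof buf);
    safe_pclose(&p);
    return buf;
}

int main(void)
{
    printf("popen(3):     %s", run_via_popen());
    printf("safe_popen(): %s", run_via_safe_popen());
    return 0;
}
```

The difference is not that one version quotes better than the other: safe_popen() has no quoting problem at all, because the argument vector goes straight to execve(2). That is also why it cannot run anything the caller did not name explicitly, which is the property an "alternative safepopen module" would need to guarantee.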