Re: allow_min_user

From: Andy Thompson (athompsonmooreheadcomm.com)
Date: Mon Aug 02 2004 - 13:46:25 CDT


Wietse Venema wrote:

> Andy Thompson:
>
>>>The documentation says:
>>>
>>>allow_min_user (default: no)
>>> Allow a recipient address to have `-' as the first character.
>>> By default, this is not allowed, to avoid accidents
>>> with software that passes email addresses via the command
>>> line.
>>>
>>>There is no mention of sendmail here as far as I can tell.
>>>
>>>If something is not clear about this text, can you indicate it
>>>and perhaps it can be updated.
>>
>>Yes, not sendmail specifically, but based on the assumption that
>>sendmail is often used to send email from *nix command line, I wrote
>>sendmail.
>>
>>The text is quite clear that an accident could happen, but "accidents"
>>is pretty vague and could mean any number of things. Specifically what
>>could happen is not indicated at all and I couldn't even venture a guess
>>as to what that might be.
>
>
> What about:
>
> By default, this is not allowed, to avoid accidents with software
> that passes email addresses via the command line. Such software
> would not be able to distinguish a malicious address from a
> bona fide command-line option.
>
> I know that you can prevent this from happening by putting a "--"
> option into the command line, but I would not bet my life on it
> that everyone would follow such advice.

That makes sense.

So in your opinion, on a system such as mine with no local users, web
scripts, et al where I have complete control over what is run on the
box, is this a pretty low risk option to enable?

-andy
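
Added example, not part of the original thread and not Postfix code: how a getopt-style parser treats a recipient that starts with `-', with and without the "--" terminator mentioned above. The option table "f:tv", the function names, the allow_min_user argument of build_argv and the addresses are assumptions constructed for illustration.

```python
import getopt

# Hypothetical option table for a stand-in mail submission tool
# (an assumption for this example, not any real program's options).
SHORT_OPTS = "f:tv"

def parse_like_cli(argv):
    """Parse argv as a getopt-based tool would: (options, recipients)."""
    return getopt.getopt(argv, SHORT_OPTS)

def build_argv_naive(sender, recipients):
    """Recipients appended directly after the options, no terminator."""
    return ["-f", sender, *recipients]

def build_argv(sender, recipients, allow_min_user=False):
    """Reject leading '-' unless explicitly allowed, and always emit '--'."""
    for rcpt in recipients:
        if rcpt.startswith("-") and not allow_min_user:
            raise ValueError(f"recipient starts with '-': {rcpt!r}")
    return ["-f", sender, "--", *recipients]

if __name__ == "__main__":
    sender = "sender@example.com"        # constructed sample values
    rcpt = "-fsomeone@example.net"
    # Naive form: the recipient is consumed as a second -f option.
    print(parse_like_cli(build_argv_naive(sender, [rcpt])))
    # With '--': the same string stays in the recipient list.
    print(parse_like_cli(build_argv(sender, [rcpt], allow_min_user=True)))
```
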