<<< Date Index >>>     <<< Thread Index >>>

Re: [PATCH] Use execvp to call sendmail



Re: Charles Cazabon 2007-03-16 <20070316151151.GB11589@xxxxxxxxxxxxxxxxxxxx>
> > Use execvp to call sendmail, useful for people trying sendmail="ssh host
> > sendmail".
> 
> I'm curious: does the ssh client binary tend to move around the filesystem
> randomly on these peoples' systems?

No, but mutt just says "exec error" which is in no way enlightening on
what is actually going wrong. The reason I discovered that was that
someone on #mutt had this problem this afternoon.

> I don't think this is a great change.  Many people unwisely put . in their
> path; anyone else on the system could drop a shellscript of that name into a
> common directory and capture other users' mail if the path was used to locate
> the sendmail program.  Requiring users to explicitly specify the path to it
> prevents that privacy risk.

As said in the other thread, having . in the PATH (or even at the
beginning of PATH) is already so insecure that we can't do anything
about it. We don't gain anything if we use explicit paths because if
that is a problem, the bad user could just inject a malicious mutt
binary somewhere. (And then, the default $sendmail is still fully
qualified.)

Christoph
-- 
cb@xxxxxxxx | http://www.df7cb.de/

Attachment: signature.asc
Description: Digital signature