Re: Charles Cazabon 2007-03-16 <20070316151151.GB11589@xxxxxxxxxxxxxxxxxxxx> > > Use execvp to call sendmail, useful for people trying sendmail="ssh host > > sendmail". > > I'm curious: does the ssh client binary tend to move around the filesystem > randomly on these peoples' systems? No, but mutt just says "exec error" which is in no way enlightening on what is actually going wrong. The reason I discovered that was that someone on #mutt had this problem this afternoon. > I don't think this is a great change. Many people unwisely put . in their > path; anyone else on the system could drop a shellscript of that name into a > common directory and capture other users' mail if the path was used to locate > the sendmail program. Requiring users to explicitly specify the path to it > prevents that privacy risk. As said in the other thread, having . in the PATH (or even at the beginning of PATH) is already so insecure that we can't do anything about it. We don't gain anything if we use explicit paths because if that is a problem, the bad user could just inject a malicious mutt binary somewhere. (And then, the default $sendmail is still fully qualified.) Christoph -- cb@xxxxxxxx | http://www.df7cb.de/
Attachment:
signature.asc
Description: Digital signature