Please help me understand. What would be wrong with using popen(2) with "/usr/lib/sendmail -oi -t" and passing the to/subject lines via input to sendmail? Is there something wrong with popen itself?

> -----Original Message-----
> From: antat_private [SMTP:antat_private]
> Sent: Tuesday, June 19, 2001 3:25 PM
> To: abentleyat_private; secprogat_private
> Subject: Re: Secure popen
>
> From: Aaron Bentley <abentleyat_private>
>
> > I'm writing a CGI program in C++ that sends email. I'm using Sendmail
> > for the transmission, so I need a command that lets me specify stdin for
> > Sendmail.
> > I understand popen() is not very secure, because it uses the shell to
> > execute the command, but I don't know of a safe alternative. I can
> > sanitize my input, but is escaping all non-alphanumeric characters the
> > right answer?
> >
> > The program is not privileged, but I don't want people to be able to
> > gain privileges as 'nobody' on the web server.
> >
> > Any suggestions for this?
>
> Ken Arnold published a secure popen() in Unix Review years ago (1994?).
> It's been used in Vixie Cron and in the TIS Firewall toolkit. (I'm assuming
> those writers copied it from UR as I recognised the code when I saw it.)
> The 1999 root bug in Vixie Cron did not arise from a flaw in this but
> in the choice of sending mail as root with the username on the command
> line - that was 2 errors and it was spotted by M. Zalewski and exploited by
> O. Kirch IIRC.
>
> This brings us to your question:
>
> If you do the pipe()-fork()-exec() thing and call
> execl("/usr/lib/sendmail", "sendmail", "-oi", "-t", (char *)NULL);
> you can then pipe in your recipients' names as
>
> To: abentleyat_private
>
> and there is no chance of polluting the sendmail command line with
> shell metas or "-C". Check all return codes including the one from the
> child process.
>
> --
> ##############################################################
> # Antonomasia   ant notatla.demon.co.uk                      #
> # See http://www.notatla.demon.co.uk/                        #
> ##############################################################
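The pipe()-fork()-exec() approach the quoted reply recommends, written out as an added example (this is not code from the thread or from any of the projects it mentions): sendmail is started with a fixed argv and no shell, the headers and body go in on stdin, and every return code is checked, including the child's exit status. It also refuses CR/LF in the To/Subject values, since with -t the recipients come from the headers; the names header_value_ok, run_with_stdin and send_mail are this example's own, and the message size limit is an arbitrary choice.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* -t takes recipients from the headers: a CR/LF in a value could smuggle in a Bcc: */
int header_value_ok(const char *v)
{
    return v != NULL && strpbrk(v, "\r\n") == NULL;
}

/* Run `path` with a fixed argv[] (no shell involved), feed `input` to its
 * stdin and return the child's exit status, or -1 if any step failed. */
int run_with_stdin(const char *path, char *const argv[], const char *input)
{
    int fds[2], status;
    signal(SIGPIPE, SIG_IGN);          /* a child that exits early must not kill us */
    if (pipe(fds) == -1) return -1;
    pid_t pid = fork();
    if (pid == -1) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {                    /* child: pipe read end becomes stdin */
        if (dup2(fds[0], STDIN_FILENO) == -1) _exit(127);
        close(fds[0]); close(fds[1]);
        execv(path, argv);             /* argv is fixed by the caller */
        _exit(127);                    /* only reached if exec failed */
    }
    close(fds[0]);                     /* parent keeps the write end */
    for (size_t off = 0, len = strlen(input); off < len; ) {
        ssize_t n = write(fds[1], input + off, len - off);
        if (n == -1) { if (errno == EINTR) continue; break; }
        off += (size_t)n;
    }
    close(fds[1]);                     /* EOF tells sendmail the message is complete */
    if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);        /* check this: 0 means sendmail accepted it */
}

/* Build the message "sendmail -oi -t" expects and hand it over on stdin. */
int send_mail(const char *to, const char *subject, const char *body)
{
    char *argv[] = { "sendmail", "-oi", "-t", NULL };
    char msg[4096];
    if (!header_value_ok(to) || !header_value_ok(subject)) return -1;
    if (snprintf(msg, sizeof msg, "To: %s\nSubject: %s\n\n%s\n",
                 to, subject, body) >= (int)sizeof msg)
        return -1;                     /* message would not fit */
    return run_with_stdin("/usr/lib/sendmail", argv, msg);
}
```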
This archive was generated by hypermail 2b30 : Wed Jun 20 2001 - 17:38:42 PDT