RE: Secure popen

From: SBNelsonat_private
Date: Wed Jun 20 2001 - 06:14:59 PDT

Next message: Glynn Clements: "Re: Secure popen"

Previous message: Aaron Bentley: "Re: Secure popen"
Maybe in reply to: Aaron Bentley: "Secure popen"
Next in thread: Peter Jeremy: "Re: Secure popen"
Next in thread: Glynn Clements: "Re: Secure popen"
Next in thread: Kai Schulte: "Re: Secure popen"
Reply: Peter Jeremy: "Re: Secure popen"
Reply: Glynn Clements: "RE: Secure popen"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Please help me understand.  What would be wrong with using popen(2) with
"/usr/lib/sendmail -oi -t" and passing the to/subject lines via input to
sendmail?  Is there something wrong with popen itself?

> -----Original Message-----
> From:	antat_private [SMTP:antat_private]
> Sent:	Tuesday, June 19, 2001 3:25 PM
> To:	abentleyat_private; secprogat_private
> Subject:	Re: Secure popen
> 
> From: Aaron Bentley <abentleyat_private>
> 
> > I'm writing a CGI program in C++ that sends email.  I'm using Sendmail
> > for the transmission, so I need a command that lets me specify stdin for
> > Sendmail.
> > I understand popen() is not very secure, because it uses the shell to
> > execute the command, but I don't know of a safe alternative.  I can
> > sanitize my input, but is escaping all non-alphanumeric characters the
> > right answer?
> > 
> > The program is not privileged, but I don't want people to be able to
> > gain privileges as 'nobody' on the web server.
> > 
> > Any suggestions for this ?
> 
> Ken Arnold published a secure popen() in Unix Review years ago (1994?).
> It's been used in Vixie Cron and in the TIS Firewall toolkit.  (I'm
> assuming
> those writers copied it from UR as I recognised the code when I saw it.)
> The 1999 root bug in Vixie Cron did not arise from a flaw in this but
> in the choice of sending mail as root with the username on the command
> line - that was 2 errors and it was spotted by M. Zalewski and exploited
> by
> O. Kirch IIRC.
> 
> This brings us to your question:
> 
> If you do the pipe()-fork()-exec() thing and call
>     execl("/usr/lib/sendmail","sendmail","-oi","-t");
> you can then pipe in your recipients' names as
> 
> To: abentleyat_private
> 
> and there is no chance of polluting the sendmail command line with
> shell metas or "-C".  Check all return codes including the one from the
> child process.
> 
> --
> ##############################################################
> # Antonomasia   ant notatla.demon.co.uk                      #
> # See http://www.notatla.demon.co.uk/                        #
> ##############################################################

Next message: Glynn Clements: "Re: Secure popen"
Previous message: Aaron Bentley: "Re: Secure popen"
Maybe in reply to: Aaron Bentley: "Secure popen"
Next in thread: Peter Jeremy: "Re: Secure popen"
Next in thread: Glynn Clements: "Re: Secure popen"
Next in thread: Kai Schulte: "Re: Secure popen"
Reply: Peter Jeremy: "Re: Secure popen"
Reply: Glynn Clements: "RE: Secure popen"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Jun 20 2001 - 17:38:42 PDT