RE: Secure popen

From: SBNelsonat_private
Date: Wed Jun 20 2001 - 06:14:59 PDT


    Please help me understand.  What would be wrong with using popen(2) with
    "/usr/lib/sendmail -oi -t" and passing the to/subject lines via input to
    sendmail?  Is there something wrong with popen itself?
    
    > -----Original Message-----
    > From:	antat_private [SMTP:antat_private]
    > Sent:	Tuesday, June 19, 2001 3:25 PM
    > To:	abentleyat_private; secprogat_private
    > Subject:	Re: Secure popen
    > 
    > From: Aaron Bentley <abentleyat_private>
    > 
    > > I'm writing a CGI program in C++ that sends email.  I'm using Sendmail
    > > for the transmission, so I need a command that lets me specify stdin for
    > > Sendmail.
    > > I understand popen() is not very secure, because it uses the shell to
    > > execute the command, but I don't know of a safe alternative.  I can
    > > sanitize my input, but is escaping all non-alphanumeric characters the
    > > right answer?
    > > 
    > > The program is not privileged, but I don't want people to be able to
    > > gain privileges as 'nobody' on the web server.
    > > 
    > > Any suggestions for this ?
    > 
    > Ken Arnold published a secure popen() in Unix Review years ago (1994?).
    > It's been used in Vixie Cron and in the TIS Firewall toolkit.  (I'm assuming
    > those writers copied it from UR as I recognised the code when I saw it.)
    > The 1999 root bug in Vixie Cron did not arise from a flaw in this but
    > in the choice of sending mail as root with the username on the command
    > line - that was 2 errors and it was spotted by M. Zalewski and exploited by
    > O. Kirch IIRC.
    > 
    > This brings us to your question:
    > 
    > If you do the pipe()-fork()-exec() thing and call
    >     execl("/usr/lib/sendmail","sendmail","-oi","-t",(char *)NULL);
    > you can then pipe in your recipients' names as
    > 
    > To: abentleyat_private
    > 
    > and there is no chance of polluting the sendmail command line with
    > shell metas or "-C".  Check all return codes including the one from the
    > child process.
    > 
    > --
    > ##############################################################
    > # Antonomasia   ant notatla.demon.co.uk                      #
    > # See http://www.notatla.demon.co.uk/                        #
    > ##############################################################
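The pipe()-fork()-exec() approach from the quoted reply, written out as an added example (this is not code from any poster in the thread): a fixed-argv replacement for popen() that feeds the message to the child on stdin and reports the child's exit status, plus a message builder that refuses header values containing a newline, since `-t` takes the recipients from the headers. The function names, the 4096-byte buffer and the use of `access()` as a pre-check are assumptions; the `/usr/lib/sendmail -oi -t` invocation is the one the thread discusses.

```c
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Run `path` with a caller-fixed argv (no shell involved), feed `input` to its
 * stdin, and return the child's exit status, or -1 if anything fails. */
int run_with_stdin(const char *path, char *const argv[], const char *input)
{
    int fds[2], status;
    if (access(path, X_OK) != 0 || pipe(fds) == -1)
        return -1;
    signal(SIGPIPE, SIG_IGN);      /* a child that dies early gives EPIPE, not a kill */
    pid_t pid = fork();
    if (pid == -1) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {                /* child: stdin <- pipe, then exec without a shell */
        if (dup2(fds[0], STDIN_FILENO) == -1) _exit(127);
        close(fds[0]); close(fds[1]);
        execv(path, argv); _exit(127);          /* _exit only if exec failed */
    }
    close(fds[0]);                 /* parent: hand over the whole message */
    size_t len = strlen(input), off = 0;
    while (off < len) {
        ssize_t n = write(fds[1], input + off, len - off);
        if (n <= 0) break;
        off += (size_t)n;
    }
    close(fds[1]);
    if (waitpid(pid, &status, 0) == -1 || off < len || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);    /* the child's own return code, also checked */
}

/* Compose the input for "sendmail -oi -t": recipients travel in the To: header on
 * stdin, never on the command line.  Header values must stay on one line. */
int build_message(char *out, size_t cap, const char *to, const char *subject, const char *body)
{
    if (strpbrk(to, "\r\n") || strpbrk(subject, "\r\n")) return -1;
    int n = snprintf(out, cap, "To: %s\nSubject: %s\n\n%s\n", to, subject, body);
    return (n < 0 || (size_t)n >= cap) ? -1 : 0;
}

int send_mail(const char *to, const char *subject, const char *body)
{
    char msg[4096];
    if (build_message(msg, sizeof msg, to, subject, body) != 0) return -1;
    char *const argv[] = { "sendmail", "-oi", "-t", NULL };
    return run_with_stdin("/usr/lib/sendmail", argv, msg);
}
```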
    



    This archive was generated by hypermail 2b30 : Wed Jun 20 2001 - 17:38:42 PDT