Re: Secure popen

From: Rodrigo Barbosa (rodrigobat_private)
Date: Wed Jun 20 2001 - 18:02:21 PDT


    On Wed, Jun 20, 2001 at 01:18:08PM +0100, Glynn Clements wrote:
    > > Why must you run sendmail? Why don't you simply create an SMTP connection
    > > to your daemon, and send your e-mail just like any good mannered e-mail
    > > program should do?
    > 
    > Because invoking /usr/lib/sendmail is the standard mechanism for
    > sending mail on a Unix system. You should not assume that an SMTP
    > server is available, or even that the system supports TCP/IP.
    
    I don't agree with this. The SMTP server is available (even if it's not
    locally), once Sendmail is being used (I bet they are not using UUCP).
    And second, it's a CGI. CGI runs over a Web server. Web servers use the
    HTTP protocol. The HTTP protocol is implemented over TCP/IP.
    And, anyway, invoking sendmail may be the standard, if by that you mean
    "the most common". It's not the only MTA available. I myself don't use it.
    
    > > There is no way to use popen in a sane way, AFAIK. 
    > 
    > It's not that hard to escape shell commands correctly[1], although I
    > would choose the solution which most of the replies suggested:
    > pipe/fork/dup/exec.
    
    I agree this is a good way to do it. A little more troublesome than
    implementing a simple SMTP connection, but a good way, nonetheless.
    And escaping shell commands is not that simple.
    
    So, it appears the "pipe/fork/dup/exec" solution is the only one everyone
    agrees upon.
    
    -- 
     Rodrigo Barbosa                   - rodrigob at bh.conectiva.com.br
     Conectiva S/A			   - Belo Horizonte, MG, Brazil
     "Quis custodiet ipsos custodiet?" - http://www.conectiva.com/
    
    
    
    



    This archive was generated by hypermail 2b30 : Wed Jun 20 2001 - 20:29:05 PDT
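
The pipe/fork/dup/exec approach the thread settles on, sketched as an added example (not code from any poster in the thread). The function name `pipe_to_program`, the fixed `PATH`, the sendmail options and the recipient string are assumptions made for illustration; because no shell ever parses the argument vector, the `;` in the recipient stays data.

```c
/* Added example (not from the thread): pipe/fork/dup2/execve with no shell.
 * Runs `path` with argv[] exactly as given and feeds `msg` to its stdin.
 * Returns the child's exit status (127 if exec failed), -1 on other errors. */
#include <errno.h>
#include <signal.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

int pipe_to_program(const char *path, char *const argv[], const char *msg)
{
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL }; /* assumed fixed env */
    size_t left = strlen(msg);
    int fd[2], status;
    pid_t pid;
    if (pipe(fd) == -1)
        return -1;
    if ((pid = fork()) == -1) {
        close(fd[0]); close(fd[1]);
        return -1;
    }
    if (pid == 0) {                       /* child: pipe read end -> stdin */
        close(fd[1]);
        if (dup2(fd[0], STDIN_FILENO) == -1)
            _exit(126);
        close(fd[0]);
        execve(path, argv, envp);         /* argv is never parsed by a shell */
        _exit(127);                       /* only reached if exec failed */
    }
    close(fd[0]);
    void (*old)(int) = signal(SIGPIPE, SIG_IGN); /* child may exit early */
    while (left > 0) {
        ssize_t n = write(fd[1], msg, left);
        if (n == -1) { if (errno == EINTR) continue; break; }
        msg += n; left -= (size_t)n;
    }
    close(fd[1]);                         /* EOF marks the end of the message */
    signal(SIGPIPE, old);
    while (waitpid(pid, &status, 0) == -1)
        if (errno != EINTR) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed hostile recipient; "--" keeps it from being read as an option. */
    char *argv[] = { "sendmail", "-oi", "--", "user@example.com; id", NULL };
    return pipe_to_program("/usr/lib/sendmail", argv, "Subject: hi\n\nbody\n");
}
```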