[Raw Msg Headers][Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: piping to programs
> > Intersting. I switched my home machine switched to zmailer for about half
> > a day before I switched it back to Smail because of problems piping to
> > programs (also mailing list related). But it says piping to programs is
> > not allowed instead of no such user.
>
> I've had that too. I've changed the line in the source that prevents
> userid nobody from piping to programs. Dumb, but effective.
Great, you opened for EVERYBODY a way to execute arbitary
program at your machine!
Now I can telnet to your server, and give recipient address:
RCPT TO:<"|/some/program with args"@your.host>
and have the input fed to that program..
The ``nobody'' is there to prevent that!
The default scripts are troubled with some esoteric aliases,
but I haven't been able to look deeper into what is going on.
/Matti Aarnio <mea@nic.funet.fi> <matti.aarnio@tele.telebox.fi>
(and someday: <matti.aarnio@tele.fi> -- I got my
workstation today, but do mail to me at FUNET about
the ZMailer ...)
> --- transports/mailbox/mailbox.c~ Thu Aug 22 10:12:08 1996
> +++ transports/mailbox/mailbox.c Fri Sep 6 13:34:13 1996
> @@ -811,7 +811,8 @@
> switch (*(rp->addr->user)) {
> case TO_PIPE: /* pipe to program */
> /* one should disallow this if uid == nobody? */
> - if (uid == nobody) {
> + /* if (uid == nobody) {*/
> + if(0) { /* jwr */
> notaryreport("?program?", "failed",
> "5.2.1 (Mail to program disallowed w/o proper privileges)",
> "550 (Mail to program disallowed w/o proper privileges)");
>
>
> J.
>