[Raw Msg Headers][Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: sender rewriting fixed and other misc things

On Wed, Jan 03, 2001 at 06:28:17PM +0300, Eugene Crosser wrote:
> > > 3. X-Envelope-To: contains irrelevant figure for uid (nobody's?)
> > 
> >      In case of pipe runs or file storages it should be indicative
> >      of what privilege is used to run the injection.  For mailbox
> >      injection things work differently, of course.
> Not pipes!  That's what is written into user's mailbox.
> The mailbox file itself, if it needs to be created, has correct
> owner, but the value in the X-Envelope-To is incorrect.

  I mean that for mailbox writing the RECIPIENT QUAD contained privilege
  value is as much as ignored.  It is often "nobody", as it indicates
  trustworthiness of the source of the recipient address.  Consider e.g.
  <"|/prog/path"@localhost> type of inputs -- external SMTP source must
  not be allowed to execute arbitary commands, that is purely internal

> Eugene

/Matti Aarnio	<mea@nic.funet.fi>