Date:      Sat,  5 Dec 1998 15:49:37 -0500
From:      Timothy J Luoma <public+FreeBSD@fdt.net>
To:        <mgrommet@insolwwb.net>
Cc:        <freebsd-questions@FreeBSD.ORG>
Subject:   Re: Advice on sendmail / execution of programs through .forward
Message-ID:  <199812052049.PAA08277@ocalhost>
In-Reply-To: <A199D70FC96DD211AD1000609767926103598F@ISIMAIL>
References:  <A199D70FC96DD211AD1000609767926103598F@ISIMAIL>

	Author:	mike grommet <mgrommet@insolwwb.net>
	Date:	Fri, 4 Dec 1998 14:06:35 -0600
	ID:	<A199D70FC96DD211AD1000609767926103598F@ISIMAIL>

> Now, it's quite convenient to be able to run programs from .forward,
> procmail comes to mind immediately...

Make procmail the LDA and it doesn't need a .forward file to run.

However, letting them run procmail is as much of a problem, since all they
need to do is:

:0
* ^Subject: launch-xterm-for-me
|/path/to/whatever

and mail themselves an email with the Subject: 'launch-xterm-for-me'

I think removing the execute bit for regular users is the real answer.


> I mean, it seems quite possible for a user to upload some sort
> of exploit and an appropriate  .forward via ftp, send mail to
> himself and WHAM. Life gets real bad.

Why let them FTP anything?

TjL
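
An added example, not part of the original message: because a program can be launched from either file, an audit of what users have their mail piped into has to read both .forward and .procmailrc. The function names and sample contents below are constructed for illustration, and the parser covers only the common cases (":0" recipes, "|" actions, "* ?" exit-code conditions).

```python
import re

def forward_pipes(text):
    """Return the commands of program deliveries ("|cmd") in .forward content."""
    found = []
    # Entries are separated by commas or newlines; a quoted entry may hold spaces.
    for entry in re.findall(r'[ \t]*("[^"\n]*"|[^,\n]+)', text):
        entry = entry.strip().strip('"').strip()
        if entry.startswith("|"):
            found.append(entry[1:].strip())
    return found

def procmail_exec(text):
    """Return (line_no, kind, command) for each place a .procmailrc runs a program."""
    found, in_recipe = [], False
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith(":0"):              # recipe start, e.g. ":0" or ":0 fw:"
            in_recipe = True
        elif in_recipe and line.startswith("*"):
            cond = line[1:].lstrip("! \t")     # allow an inverted condition
            if cond.startswith("?"):           # "* ? cmd": condition is cmd's exit code
                found.append((no, "condition", cond[1:].strip()))
        elif in_recipe:                        # first non-condition line is the action
            in_recipe = False
            if line.startswith("|"):           # action pipes the message into a program
                found.append((no, "action", line[1:].strip()))
    return found

# Constructed samples; the first recipe is the one quoted in the message above.
SAMPLE_FORWARD = '\\tjl, "|/usr/local/bin/procmail -f-"\n'
SAMPLE_PROCMAILRC = """\
# constructed sample
:0
* ^Subject: launch-xterm-for-me
|/path/to/whatever

:0
* ? test -f $HOME/.vacation
vacation-replies
"""

if __name__ == "__main__":
    for cmd in forward_pipes(SAMPLE_FORWARD):
        print(".forward runs:", cmd)
    for no, kind, cmd in procmail_exec(SAMPLE_PROCMAILRC):
        print(f".procmailrc line {no} ({kind}) runs: {cmd}")
```

Variable assignments that use backquotes in a .procmailrc also run commands and are not detected by this sketch.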


