Finding sendmail during configure (was: [INN-COMMITTERS] ...)
rra at stanford.edu
Tue Sep 2 18:09:59 UTC 2003
Forrest J Cavalier <mibsoft at epix.net> writes:

> I believe remote attackers have control over what INN passes to
> sendmail, including some control over message headers. Couple this with
> sendmail bugs, and someone could own a lot (admittedly not all...depends
> on configuration) of Usenet servers, by posting a newgroup message.

I'm not seeing where control messages offer any control over anything
other than the sanitized message body, apart from some extremely
well-checked data that goes into the Subject line.

Moderated group submissions are probably more of the issue. But I don't
see how specifying the location of sendmail actually helps this any.

> If people are complaining about this, too bad. If sendmail had a
> different history, I would agree that this could be auto-selected. But
> that is not the world we live in.

The fact remains that this is what every other package does, and this is
what people expect. Including myself.

> But I recognize that there are differences of opinion here. I am not
> going to sulk due to this change, but I think it is a mistake and
> unnecessary risk. I think it is GOOD that INN does not always do what
> other packages do when installing.

Wow, that's a pretty major difference of opinion... I consider it to
almost always be a bug. (It's not installing so much as configuring in
this particular instance.)

But I'd love to hear other opinions....

Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>

Please send questions to the list rather than mailing me directly.
<http://www.eyrie.org/~eagle/faqs/questions.html> explains why.