Majordomo-Users: Majordomo ?insecurity

Majordomo-Users
(May 1993)

Indexed By Thread: [Previous] [Next]

Subject:	Majordomo ?insecurity
From:	Tony Martindale <Tony . Martindale @ vuw . ac . nz>
Date:	Wed, 12 May 1993 13:24:23 +1200
To:	brent @ GreatCircle . COM
Cc:	dhesi @ rahul . net, majordomo-users @ GreatCircle . COM
In-reply-to:	Brent Chapman's message of Mon, 10 May 93 11:31:36 -0700 <9305101831.AA21467@mycroft.GreatCircle.COM>

   Date: Mon, 10 May 93 11:31:36 -0700
   From: Brent Chapman <brent@greatcircle.com>
   Sender: Majordomo-Users-Owner@greatcircle.com

   [stuff deleted]

   I figured somebody would find a security bug like this at some point;
   that's one reason that I recommend setting up a seperate UID and GID
   for Majordomo, to limit the potential for destruction.

 Good quality insurance.

   [more stuff deleted]

   If you're worried about this, you could just comment out the code that
   checks for the "-C" flag or the MAJORDOMO_CF environment variable
   (approximately lines 28-36 in majordomo; note that bounce-remind,
   request-answer, and resend all include that same code fragment and are
   thus also all susceptible to this same problem).

   I just realized that the MAJORDOMO_CF environment variable won't work
   any more anyway, since "wrapper" creates a virgin environment before
   running any program...

 What I've done is built the MAJORDOMO_CF environment variable into
the "virgin environment" (in the same way as BIN, PATH, etc) created by
the wrapper program.  Ripping out the "-C" flag checks in the
majordomo programs and this change eliminates that hole (roll on
others:), but if you run a multiple config file set up you would have
to build seperate wrapper programs for each config file - probably not
a bad idea anyway.

 However, as you say, a "taintperl clean" majordomo would be a better
solution.

 Here are the patches for wrapper.c and Makefile respectively:

56,63c56,60
<     HOME,            /* 0 */
<     PATH,            /* 1 */
<     SHELL,           /* 2 */
< #ifdef MAJORDOMO_CF
<     MAJORDOMO_CF,    /* 3 */
< #endif
<     0,               /* possibly for USER or LOGNAME */
<     0,               /* possible for LOGNAME */
---
>     HOME,     /* 0 */
>     PATH,     /* 1 */
>     SHELL,    /* 2 */
>     0,                /* 3; possibly for USER or LOGNAME */
>     0,                /* 4; possible for LOGNAME */
99,101d95
< #ifdef MAJORDOMO_CF
<     e = 4; /* the first unused slot in new_env[] */
< #else
103d96
< #endif

54d53
< W_MAJORDOMO_CF=/etc/majordomo.cf
58,59c57
<       -DHOME=\"HOME=${W_HOME}\" -DSHELL=\"SHELL=${W_SHELL}\" \
<       -DMAJORDOMO_CF=\"MAJORDOMO_CF=${W_MAJORDOMO_CF}\"
---
>       -DHOME=\"HOME=${W_HOME}\" -DSHELL=\"SHELL=${W_SHELL}\"

Tony Martindale                    Computing Services Centre,
phone: +64 4 495 5051              Victoria University of Wellington,
fax:   +64 4 471 5386              P.O. Box 600, Wellington, NEW ZEALAND.

References:

Re: Majordomo ?insecurity
From: Brent Chapman <brent@GreatCircle.COM>

Indexed By Date	Previous:	Re: Help! From: Brent Chapman <brent@GreatCircle.COM>
Indexed By Date	Next:	Moderation of mail to lists? From: guyton@ruf.rice.edu (William S. Guyton)
Indexed By Thread	Previous:	Re: Majordomo ?insecurity From: Brent Chapman <brent@GreatCircle.COM>
Indexed By Thread	Next:	[adamfox@decartes.super.org: Re: majordomo ] From: Micah Anderson <micah@u.washington.edu>