Great Circle Associates Majordomo-Users
(November 1993)
 


Subject: SECURITY NOTICE Re: Majordomo and the new "smrsh" Sendmail security fix
From: Brent Chapman <brent @ mycroft . GreatCircle . COM>
Date: Wed, 10 Nov 1993 19:11:26 -0800
To: majordomo-users @ GreatCircle . COM
In-reply-to: Your message of Mon, 08 Nov 1993 19:24:31 -0800

Brent Chapman <brent@mycroft.GreatCircle.COM> writes:

# Just a couple of notes about running Majordomo with the new "smrsh"
# security fix for Sendmail.  

    ...

# Second, if you're using the backquoting trick for long "resend"
# arguments that I posted here a few weeks ago, you'll either need
# to give up the trick, or modify your version of "smrsh" _not_ to
# look for "`" in the list of "SPECIAL" characters.  As a reminder,
# the "backquoting trick" was to set your aliases up like this:
# 
# 	my-list: "|/usr/local/mail/majordomo/wrapper resend 
# 		`/bin/cat /usr/local/mail/lists/my-list.resend`
# 		my-list-outgoing"
# 
# and put all the arguments to resend in the "my-list.resend" file,
# instead of putting all the arguments to resend in the "aliases" entry
# (because the aliases entry has a 256 byte limit, and it's real easy to
# exceed that with lots of arguments to resend).

VERY BAD IDEA!!!  Sorry I even suggested it without thinking it all the
way through in light of the latest round of Sendmail bugs.  I hope none
of you have actually done it yet, or if you have, that it hasn't caused
you any security problems...

I've modified my version of "resend" so that, instead of using "/bin/cat"
and backquotes to read the file full of flags, you can say "@filename".
I.e., the example above becomes:

	my-list: "|/usr/local/mail/majordomo/wrapper resend
		@/usr/local/mail/lists/my-list.resend
		my-list-outgoing"

This means that you DON'T have to remove "`" from the list of special
characters that smrsh checks for, and that's a good thing.

Since I never mentioned the backquote trick in any of the released
documentation or examples (only in postings here on Majordomo-Users),
I'm not going to release a whole new Majordomo package right now with
this new version of "resend".  If you _were_ using the trick, though,
and you want the new version of "resend", it is available for anonymous
FTP from FTP.GreatCircle.COM, file "pub/majordomo/resend.1.19.shar".


-Brent
--
Brent Chapman                                   Great Circle Associates
Brent@GreatCircle.COM                           1057 West Dana Street
+1 415 962 0841                                 Mountain View, CA  94041
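
Added example, not part of the original message and not the code shipped in resend 1.19: a Python sketch of the two things the message describes, flagging a piped alias that depends on backquotes and expanding an "@filename" argument by reading the file directly instead of through a shell. The names audit_alias, expand_at_args and demo are hypothetical, and the parsing rule (whitespace-separated words with shell-style quoting) is an assumption about the flags file format.

```python
import os
import shlex
import tempfile

def audit_alias(entry):
    """Flag a piped alias whose command contains a backquote, the one
    character the message confirms smrsh treats as SPECIAL."""
    name, _, target = entry.partition(":")
    target = target.strip().strip('"')
    if target.startswith("|") and "`" in target:
        return name.strip() + ": backquote in piped command; use @filename"
    return None

def expand_at_args(argv):
    """Replace each '@path' argument with the words stored in that file.
    The file is read directly and never passed to a shell, so any
    metacharacters in it remain literal argument text."""
    out = []
    for arg in argv:
        if arg.startswith("@") and len(arg) > 1:
            with open(arg[1:], encoding="ascii") as fh:
                out.extend(shlex.split(fh.read(), comments=True))
        else:
            out.append(arg)
    return out

def demo():
    """Run both functions on constructed input and return the results."""
    prefix = 'my-list: "|/usr/local/mail/majordomo/wrapper resend '
    lists = "/usr/local/mail/lists/my-list.resend"
    old = prefix + "`/bin/cat " + lists + '` my-list-outgoing"'
    new = prefix + "@" + lists + ' my-list-outgoing"'
    findings = [audit_alias(old), audit_alias(new)]
    # Constructed flags file; the last word shows a backquoted string
    # arriving as plain text instead of being executed.
    with tempfile.NamedTemporaryFile("w", suffix=".resend", delete=False) as fh:
        fh.write("-l my-list -h example.org\n-p bulk `id`\n")
    try:
        argv = expand_at_args(["resend", "@" + fh.name, "my-list-outgoing"])
    finally:
        os.unlink(fh.name)
    return findings, argv

if __name__ == "__main__":
    for item in demo():
        print(item)
```
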
