>>>>> "Daniel" == Daniel Feenberg <[EMAIL PROTECTED]> writes:
Heh... I'm going to write about the security here, not about Scott and how he asks questions. :]

Daniel> Like you, I don't understand why Scott doesn't answer
Daniel> directly, but the rationale seems obvious enough. If Sendmail
Daniel> won't obey a .forward in a group or world writable directory
Daniel> (for fear that a trojan may be executed from that file), why
Daniel> should cron be less careful?

Because sendmail has to parse and handle potentially insecure email that was sent by someone malicious. So sendmail tries to be good by refusing to allow unsafe things to happen due to outside interference. In this case, a world writable directory means that someone could have sendmail forward all your email to someone else. Not good.

Cron, on the other hand, can only be set up and run by the user (ignoring root) and cannot be run because a user leaves a world writable directory around. Cron runs a specific program, not a generic one.

Daniel> It seems like a reasonable question.

Sure, in context.

Daniel> The security problem that sendmail is addressing comes up only
Daniel> in the presence of a user error, but the same can be said for
Daniel> cron.

It's not the same issue at all.

Daniel> Indeed, by extension perhaps chmod should refuse to make
Daniel> executable such a file, although it would be a nuisance for
Daniel> chmod to do the obverse check (that there were no executable
Daniel> files in a directory about to become world writable).

First off, the executable bit on a directory entry means something else compared to the executable bit on a file. Second, making a directory world writable is a more conscious decision here (modulo that someone has hacked your account, etc...)

Daniel> It isn't something I would be prepared to tell someone else
Daniel> they must or must not do this, but it is perhaps worth
Daniel> thinking about costs and benefits.

Yup, I agree.
John
_______________________________________________
bblisa mailing list
http://www.bblisa.org/mailman/listinfo/bblisa
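As an added illustration of the sendmail rule the thread argues about (this is example code written for this page, not sendmail's own implementation), the function below approximates the checks sendmail applies before honouring ~/.forward: the file must be a regular, owner-owned file that is not group/world writable, and the directory holding it must not be group/world writable either, because a writable home lets anyone replace the file regardless of its own mode. `demo_scenarios()` builds a throwaway home directory (constructed sample data) and shows the check refusing the two "user error" cases Daniel describes.

```python
import os
import stat
import tempfile

# Mode bits that let someone other than the owner modify an entry.
WRITABLE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH


def forward_file_is_safe(path, expected_uid):
    """Return (ok, reason); ok only if nobody but the owner could alter .forward."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return False, "no .forward present"
    if stat.S_ISLNK(st.st_mode):
        return False, "refusing symlinked .forward"
    if not stat.S_ISREG(st.st_mode):
        return False, "not a regular file"
    if st.st_uid != expected_uid:
        return False, "file owned by uid %d, expected %d" % (st.st_uid, expected_uid)
    if st.st_mode & WRITABLE_BY_OTHERS:
        return False, "file is group/world writable"
    # The directory check is the point of the thread: a group/world writable
    # home lets anyone unlink and recreate .forward, whatever its own mode.
    dst = os.stat(os.path.dirname(path) or ".")
    if dst.st_uid not in (expected_uid, 0):
        return False, "directory owned by someone else"
    if dst.st_mode & WRITABLE_BY_OTHERS:
        return False, "directory is group/world writable"
    return True, "ok"


def demo_scenarios():
    """Build a throwaway home dir, run the check in three states, return results."""
    uid = os.getuid()
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        home = os.path.join(tmp, "home")
        os.mkdir(home, 0o755)
        fwd = os.path.join(home, ".forward")
        with open(fwd, "w") as fh:
            fh.write("someone@example.invalid\n")  # constructed forwarding target
        os.chmod(fwd, 0o644)
        results["sane"] = forward_file_is_safe(fwd, uid)
        os.chmod(home, 0o777)  # the "user error" case: world writable home
        results["writable_home"] = forward_file_is_safe(fwd, uid)
        os.chmod(home, 0o755)
        os.chmod(fwd, 0o666)
        results["writable_file"] = forward_file_is_safe(fwd, uid)
    return results
```

Calling `demo_scenarios()` returns a dict mapping each scenario to its (ok, reason) pair; only the "sane" layout is accepted.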
