Re: [Nmh-workers] Questionable code in m_chkids() in sbr/context_save.c

2005-05-18 Thread Neil W Rickert
Ken Hornstein <[EMAIL PROTECTED]> wrote on May 18, 2005:
>>>(AFAIK sendmail and friends always run stuff under the user's real and
>>>effective uid, so I don't think slocal should ever be setuid).
>>If you run "slocal" from ".forward", then it runs as the recipient
>>(the person using ".forward")

Re: [Nmh-workers] Questionable code in m_chkids() in sbr/context_save.c

2005-05-18 Thread Mike O'Dell
"I run 'slocal' in *my* '.forward'! Ask for it by name!"
-mo
___
Nmh-workers mailing list
Nmh-workers@nongnu.org
http://lists.nongnu.org/mailman/listinfo/nmh-workers

Re: [Nmh-workers] Questionable code in m_chkids() in sbr/context_save.c

2005-05-18 Thread Ken Hornstein
>>(AFAIK sendmail and friends always run stuff under the user's real and
>>effective uid, so I don't think slocal should ever be setuid).
>
>If you run "slocal" from ".forward", then it runs as the recipient
>(the person using ".forward"). But there are advantages to running
>slocal as a mailer de

Re: [Nmh-workers] Questionable code in m_chkids() in sbr/context_save.c

2005-05-18 Thread Neil W Rickert
Ken Hornstein <[EMAIL PROTECTED]> wrote on May 16, 2005:
>(AFAIK sendmail and friends always run stuff under the user's real and
>effective uid, so I don't think slocal should ever be setuid).

If you run "slocal" from ".forward", then it runs as the recipient (the person using ".forward"). But t

Re: [Nmh-workers] Questionable code in m_chkids() in sbr/context_save.c

2005-05-17 Thread Ken Hornstein
>I perhaps overstated things. Better would be that, with only one
>exception, I cannot think of a reason to run the mh commands setuid.

I seem to recall that in some setups "inc" was setgid, so it could create lock files in the mail spool directory. Not the same as setuid, of course, but maybe i

Re: [Nmh-workers] Questionable code in m_chkids() in sbr/context_save.c

2005-05-14 Thread Josh Bressers
> In other words, I don't see a serious problem with just leaving the
> code as it is for the present. Or perhaps add a comment that this
> should be reviewed if/when the code is revamped.

The dangerous part about leaving bad code lie, is that someday, someone will try to use it. Why doesn't som

Re: [Nmh-workers] Questionable code in m_chkids() in sbr/context_save.c

2005-05-13 Thread Neil W Rickert
Jon Steinhart <[EMAIL PROTECTED]> wrote on May 13, 2005:
>> Jon Steinhart <[EMAIL PROTECTED]> wrote on May 13, 2005:
>> >Saw this while looking for something else.
>> >m_chkids() forks a child process to run context_save() if the
>> >uid is not the same as the euid. But, it ends up running as
>

Re: [Nmh-workers] Questionable code in m_chkids() in sbr/context_save.c

2005-05-13 Thread Jon Steinhart
> Jon Steinhart <[EMAIL PROTECTED]> wrote on May 13, 2005:
>
> >Saw this while looking for something else.
> >m_chkids() forks a child process to run context_save() if the
> >uid is not the same as the euid. But, it ends up running as
> >if the uid and euid are the same if the fork() fails. S

Re: [Nmh-workers] Questionable code in m_chkids() in sbr/context_save.c

2005-05-13 Thread Neil W Rickert
Jon Steinhart <[EMAIL PROTECTED]> wrote on May 13, 2005:
>Saw this while looking for something else.
>m_chkids() forks a child process to run context_save() if the
>uid is not the same as the euid. But, it ends up running as
>if the uid and euid are the same if the fork() fails. Seems
>to me th

[Nmh-workers] Questionable code in m_chkids() in sbr/context_save.c

2005-05-13 Thread Jon Steinhart
Saw this while looking for something else. m_chkids() forks a child process to run context_save() if the uid is not the same as the euid. But, it ends up running as if the uid and euid are the same if the fork() fails. Seems to me that this should be an error. I realize that it will probably re