On Wed, 2007-10-10 at 05:20 +0000, zamri wrote:
> On 10/8/07, Aaron Stone <[EMAIL PROTECTED]> wrote:
>> On Mon, 2007-10-08 at 09:35 +0000, zamri wrote:
>>> On 10/5/07, Aleksander Kamenik <[EMAIL PROTECTED]> wrote:
>>>> Paul J Stevens wrote:
>>>>> happy testing.
>>>>
>>>> On it.
>>>
>>> I noticed this warning during compilation:
>>>
>>> /root/dbmail-2.2.7-rc3/sievecmd.c:370: warning: the use of `tempnam' is dangerous, better use `mkstemp'
>>>
>>> It might be in 2.2.7-rc2 too. I haven't checked it. Just let you
>>> know.
>>
>> It's for the edit script mode in dbmail-sievecmd. I needed to know the
>> name of the temporary file so that I could pass it as an argument to the
>> EDITOR command, and none of the more secure temporary file variants hand
>> back the file name. (Or if I missed one, please clue me in :-)
>>
>> Aaron
>
> With the word "dangerous" here, is there any real security issue for
> running dbmail-timsieved? In what situation?

Here's the possible attack: someone with shell access captures the tmp
file that dbmail-sievecmd makes while you are using it in live edit
mode, then inserts a script that does something unpleasant with mail for
that one user (discard, redirect, lots of vacations, etc.).

That's it. I don't see any real world problem.

Aaron
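
An added example (not dbmail's code, and not from the thread) of one way to get a named temporary file for an editor without `tempnam()`: `mkstemp()` overwrites the trailing `XXXXXX` of its template in place, so the caller's buffer holds the file name afterwards. The helper names `make_edit_file`, `run_editor` and `reopen_edited` and the `sieve-edit` prefix are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Added example; helper names and the "sieve-edit" prefix are assumptions.
 * Creates a private temp file holding `script` and leaves its name in `path`.
 * mkstemp() opens with O_CREAT|O_EXCL and mode 0600, so a file or symlink
 * planted at a guessed name is never reused or followed. */
int make_edit_file(char *path, size_t len, const char *script) {
    const char *dir = getenv("TMPDIR");
    int n = snprintf(path, len, "%s/sieve-edit.XXXXXX", dir ? dir : "/tmp");
    if (n < 0 || (size_t)n >= len)
        return -1;
    int fd = mkstemp(path);          /* rewrites the XXXXXX in place */
    if (fd >= 0 && write(fd, script, strlen(script)) != (ssize_t)strlen(script)) {
        close(fd);
        unlink(path);
        return -1;
    }
    return fd;
}
/* Run `editor path` without going through a shell; returns its exit status. */
int run_editor(const char *editor, const char *path) {
    int status;
    pid_t pid = fork();
    if (pid == 0) {
        execlp(editor, editor, path, (char *)NULL);
        _exit(127);                  /* exec failed */
    }
    if (pid < 0 || waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
/* Editors may replace the file by rename, so reopen by name after editing,
 * refusing symlinks and anything not a regular file owned by this user. */
int reopen_edited(const char *path) {
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd >= 0 && (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_uid != geteuid())) {
        close(fd);
        fd = -1;
    }
    return fd;
}
```

The caller reads the edited script from the descriptor `reopen_edited()` returns and unlinks the path when done.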
