Beefy Boxes and Bandwidth Generously Provided by pair Networks
Think about Loose Coupling
 
PerlMonks  

Re^2: Sanity check: Tiny wrapper script for /bin/mail

by FloydATC (Chaplain)
on Dec 01, 2013 at 12:19 UTC ( #1065141=note: print w/ replies, xml ) Need Help??


in reply to Re: Sanity check: Tiny wrapper script for /bin/mail
in thread Sanity check: Tiny wrapper script for /bin/mail

Hmm...

The wrapper script doesn't elevate privileges in any way so if you want to touch /root/evilfile then you need root privileges. In which case you can touch whatever you like. Or am I missing something?

Also, I think in your proposal the data on STDIN would be lost, but I have not tested it either. Using eof() is a simpler way to check for data but in practice it wouldn't save anything in this case. Reading from an EOF handle shouldn't take long, and if it's not EOF then I need to read the data anyway. (Or pass it to /bin/mail some other way?)

-- FloydATC

Time flies when you don't know what you're doing


Comment on Re^2: Sanity check: Tiny wrapper script for /bin/mail
Select or Download Code
Re^3: Sanity check: Tiny wrapper script for /bin/mail
by aitap (Deacon) on Dec 01, 2013 at 20:32 UTC

    But if you wanted to send an e-mail with "; touch /root/evilfile" as a subject, you will end up creating a file instead. Also, arguments containing spaces simply break, because, given @ARGV=("login@host", "-s", "some topic") you run /bin/mail login@host -s some topic - without quotes or (preferrably) stating array of command line arguments (multi-argument form of open/system/exec).

    Examples of bad behaviour which can be solved using open(my $ch, "|-", "/bin/mail", @ARGV):

    $ cat if-mail.pl #!/usr/bin/perl exit 0 unless (my @lines = <STDIN>); open(my $mail, "|-", join " ", "/usr/bin/mail", @ARGV) or die $!; print $mail @lines; $ LC_ALL=C ./if-mail.pl root@localhost -s "do not run echo; touch ~/zz +z && ls ~/zzz - it does not make sense" TEST ^D ls: cannot access -: No such file or directory ls: cannot access it: No such file or directory ls: cannot access does: No such file or directory ls: cannot access not: No such file or directory ls: cannot access make: No such file or directory ls: cannot access sense: No such file or directory /home/aitap/zzz $ ./if-mail.pl root@localhost -s "try running echo *" TEST ^D
    Trying to read the mail, I get:

    Also, I think in your proposal the data on STDIN would be lost, but I have not tested it either.
    I was thinking about the simpliest way of passing the STDIN by just jeaving it to the process being executed, but yes, using eof on STDIN before the exec does indeed lose the first line of input (even on pipes). I have not figured a way around this, neither $|++ nor setbuf helped.

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://1065141]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others taking refuge in the Monastery: (5)
As of 2014-12-28 22:28 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    Is guessing a good strategy for surviving in the IT business?





    Results (183 votes), past polls