4.51.4: security concerns, TNEF question

Jeff A. Earickson jaearick at colby.edu
Wed Mar 1 18:50:52 GMT 2006


On Wed, 1 Mar 2006, Julian Field wrote:

>> Whilst staring at the new logging additions to TNEF.pm, I
>> noticed the lines:
>>
>> system("rm -rf /tmp/tnef.$$");
>>
>> Harrumph.  I would recommend replacing this with an unlink()
>> call instead (use -U for directory, or unlink() and rmdir()). It would
>> save the cost of a fork() and exec() to create a subshell.
>> Security-wise, I also get nervous when I do not see a full pathname
>> for "rm" in code that runs as root.
> As someone else has already pointed out, the $PATH is fixed at startup,
> so this is pretty safe.
>
> To emulate "rm -rf" in Perl, I will have to do quite a clever tree walk,
> as I don't want to follow soft or hard links. "rm -rf" solves a
> non-trivial problem, and I don't like reinventing the wheel. Is it
> really that bad?

I have to concede your point.  Going back and looking at the perldoc
for unlink() I now realize that the "-U" is not an arg to unlink()
but an arg to perl itself as in "do Unsafe things as root".  Yikes.

>>
>> Likewise, I spotted similar relative-path system() calls in
>>
>> f-prot-autoupdate  (wget, cp, unzip)
>> rav-autoupdate  (chmod)
>> vexira-autoupdate (wget)
>>
>> Maybe you would want to replace the "system($rm..." calls elsewhere
>> (eg, sophos-autoupdate) with similar unlink() calls?
> I will have to take a look at these. It depends what the rm options
> given are.
>>
>> On another note, I see the syslogging for "added TNEF contents"
>> in TNEF.pm, but no "replaced TNEF contents" anywhere.  Is there
>> syslogging of a "replace TNEF" event?
> If the TNEF contents have been successfully extracted, then the
> winmail.dat file is deleted elsewhere. Try taking a look in Message.pm
> (I think). Grep for winmail.dat and you should find it, or else
> 'foundtnefattachments'. The TNEF contents are added in 1 place. If
> successful and what the user wanted, then the winmail.dat file is
> deleted later. It's around line 1569 in Message.pm.

Ok, confusion on my part.  The one example that I have seen go by
this morning since upgrading is:

Mar  1 12:14:36 basalt sendmail[3845]: [ID 801593 mail.info] k21HERwo003845: from=<xxx=colby.edu at returns.groups.yahoo.com>, size=36670, class=-60, nrcpts=1, msgid=<775EC5882A29A34DBC4F95D80DDF61FE01757CCD at s31xe5.systems.smu.edu>, proto=SMTP, daemon=MTA, relay=n27.bullet.scd.yahoo.com [66.94.237.56]
Mar  1 12:14:49 basalt <22>MailScanner[14496]: Expanding TNEF archive at /tmp/14496/k21HERwo003845/winmail.dat
Mar  1 12:14:49 basalt <22>MailScanner[14496]: Message k21HERwo003845 added TNEF contents image.jpg
Mar  1 12:14:51 basalt sendmail[4123]: [ID 801593 mail.info] k21HERwo003845: to=<xxx at colby.edu>, delay=00:00:16, xdelay=00:00:00, mailer=local, pri=264670, dsn=2.0.0, stat=Sent
Mar  1 12:14:51 basalt sendmail[4123]: [ID 801593 mail.info] k21HERwo003845: done; delay=00:00:16, ntries=1

I just have to know that "added" means "replaced" in my case.
I look forward to this new feature solving my headaches with
remote Exchange users.  Many thanks!

Jeff Earickson
Colby College
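As an added example (not Julian's code and not MailScanner's), this is what the pure-Perl replacement for `system("rm -rf /tmp/tnef.$$")` discussed above can look like: a tree walk that checks every entry with lstat() so it never descends through a symlink, with no subshell and no dependence on $PATH for "rm". The core module File::Path (rmtree) solves the same problem and also refuses to follow symlinks; the hand-rolled version shows what that involves. The demonstration tree and its paths are constructed here.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);

# Delete a directory tree in pure Perl: no fork/exec, no $PATH lookup for
# "rm", and no descent through symbolic links. Every entry is examined with
# lstat(), so a symlink (to a file or to a directory) is unlinked as a link
# and its target is left untouched. Unlinking a hard link only drops this
# name for the inode, which is what "rm -rf" does as well.
# Caveat: a race remains between lstat() and the next step if an untrusted
# user can write to a parent directory, so create the work tree under a
# parent that only the scanning user can write to.
# Returns the number of entries removed; failures warn rather than die.
sub remove_tree_safely {
    my ($path) = @_;

    lstat($path) or return 0;                 # already gone, or unreadable
    unless (-d _ && !(-l _)) {                # file, symlink, fifo, socket ...
        return unlink($path) ? 1 : do { warn "unlink $path: $!\n"; 0 };
    }

    opendir(my $dh, $path) or do { warn "opendir $path: $!\n"; return 0 };
    my @entries = grep { $_ ne '.' && $_ ne '..' } readdir $dh;
    closedir $dh;

    my $removed = 0;
    $removed += remove_tree_safely(File::Spec->catfile($path, $_)) for @entries;

    return rmdir($path) ? $removed + 1 : do { warn "rmdir $path: $!\n"; $removed };
}

# Demonstration on a constructed tree under a fresh temp dir (assumed layout).
my $base = tempdir(CLEANUP => 1);
my $tree = "$base/tnef.$$";                   # stands in for /tmp/tnef.$$
my $keep = "$base/keep";                      # must survive: only linked to
mkdir $tree          or die "mkdir: $!";
mkdir "$tree/sub"    or die "mkdir: $!";
mkdir $keep          or die "mkdir: $!";
open my $fh, '>', "$tree/sub/image.jpg" or die "open: $!"; close $fh;
open $fh,    '>', "$keep/outside.txt"   or die "open: $!"; close $fh;
symlink($keep, "$tree/link-to-keep") or die "symlink: $!";

my $n = remove_tree_safely($tree);            # image.jpg, sub, link-to-keep, tree
print "removed $n entries\n";
print((-e $tree) ? "FAIL: $tree remains\n" : "ok: $tree gone\n");
print((-e "$keep/outside.txt") ? "ok: symlink target untouched\n"
                               : "FAIL: followed the symlink\n");
```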
