Lock.PM insecure with -T switch

Peter Bonivart bonivart at opencsw.org
Tue Jun 21 20:08:35 IST 2011


On Tue, Jun 21, 2011 at 8:42 PM, Stuart Henderson <stu at spacehopper.org> wrote:
> "really" untainting would be something more than the
>
> $foo =~ /^(.*)$/;
> $foo = $1;
>
> and similar you see everywhere... running with -U or su'ing
> to the "Run as user" before starting MailScanner isn't really any
> worse than this.

I agree with you and I don't suggest that the people who have trouble
with this should fix this for Julian but if others are capable of
writing, e.g., advanced custom functions and debugging Postfix support
I think they are capable of properly untainting at least some of the
code. It was just an open invitation without targeting anyone
specific.

It comes to a point when, after answering the same question x amount of
times, you realize that if you had fixed the source of the problem instead
you would have saved time. :)

/peter
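To illustrate the difference the thread is talking about, here is an added example (not MailScanner code and not from either poster) contrasting the catch-all `/^(.*)$/` "untaint" with a pattern that actually validates; the input string and the queue-id character set are constructed assumptions:

```perl
#!/usr/bin/perl -T
# Run as ./untaint.pl (or: perl -T untaint.pl) so taint mode is active.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Constructed sample values standing in for data read from an untrusted
# source (a header, STDIN, a file). Concatenating with an empty slice of
# $ENV{PATH} keeps them genuinely tainted under -T.
my $taint_src = substr($ENV{PATH} // '', 0, 0);
my @inputs = (
    $taint_src . 'A1B2C3D4E5',            # what a queue id should look like
    $taint_src . 'abc; rm -rf /tmp/x',    # shell metacharacters smuggled in
);

# The idiom quoted above: matches anything, so it clears the taint flag
# without rejecting a single byte. Perl stops complaining; nothing was checked.
sub fake_untaint {
    my ($v) = @_;
    return undef unless defined $v && $v =~ /^(.*)$/s;
    return $1;
}

# A real untaint: only a whitelist of characters a queue id may contain.
# Anything else fails the match and the caller gets undef, not a value.
sub untaint_queue_id {
    my ($v) = @_;
    return undef unless defined $v && $v =~ /^([A-Za-z0-9]{1,32})$/;
    return $1;
}

for my $in (@inputs) {
    printf "input %-22s tainted=%d\n", "'$in'", tainted($in) ? 1 : 0;

    my $fake = fake_untaint($in);
    printf "  fake_untaint     -> tainted=%d value='%s'\n",
        tainted($fake) ? 1 : 0, $fake;

    my $real = untaint_queue_id($in);
    printf "  untaint_queue_id -> %s\n",
        defined $real ? "accepted '$real' (tainted=" . (tainted($real) ? 1 : 0) . ")"
                      : 'rejected';
}
```

Both helpers return untainted strings when they return at all; the point is that only the second one refuses the input that should never reach a `system` or `open` call.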

