svn commit: r346252 - in head/usr.sbin/cron: cron crontab

Kyle Evans kevans at freebsd.org
Mon Apr 15 19:44:24 UTC 2019


On Mon, Apr 15, 2019 at 2:26 PM Ian Lepore <ian at freebsd.org> wrote:
>
> On Mon, 2019-04-15 at 18:53 +0000, Kyle Evans wrote:
> > Author: kevans
> > Date: Mon Apr 15 18:53:28 2019
> > New Revision: 346252
> > URL: https://svnweb.freebsd.org/changeset/base/346252
> >
> > Log:
> >   cron(8): Add MAILFROM ability for crontabs
> >
> >   This changes the sender mail address in a similar fashion to how MAILTO may
> >   change the recipient. The default from address remains unchanged.
> >
> >   MFC after:  1 week
> >
> > Modified:
> >   head/usr.sbin/cron/cron/cron.8
> >   head/usr.sbin/cron/cron/do_command.c
> >   head/usr.sbin/cron/crontab/crontab.5
> >
>
> Is this going to allow normal users to spoof the From: using private
> crontabs?  That sounds mildly dangerous.
>
> -- Ian

I think my description here was lacking - this is a per-crontab
environment variable, so yes: a user may spoof the from address in a
private crontab for jobs within that crontab. I don't know how much of
a security concern this is, but I peeked at cronie [1] after you
brought this up and observed that their implementation is effectively
the same restriction-wise, but with sanity checking for both
mailfrom/mailto values.

[1] https://github.com/cronie-crond/cronie/blob/master/src/do_command.c
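
A sanity check of the kind mentioned above for MAILFROM/MAILTO values, as an added example that is not part of the original message and is not FreeBSD cron's or cronie's code. It assumes the value is copied verbatim into a mail header line; `mail_addr_is_sane` and `MAX_ADDR_LEN` are hypothetical names.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_ADDR_LEN 255	/* assumed limit, chosen for this example */

/* Hypothetical helper: 1 if addr is safe on a From:/To: header line, else 0. */
int
mail_addr_is_sane(const char *addr)
{
	size_t i, len;
	int at_count = 0;

	if (addr == NULL)
		return (0);
	len = strlen(addr);
	if (len == 0 || len > MAX_ADDR_LEN)
		return (0);
	/* A leading '-' could be read as an option if handed to a mailer's argv. */
	if (addr[0] == '-')
		return (0);
	for (i = 0; i < len; i++) {
		unsigned char c = (unsigned char)addr[i];
		/* CR/LF and other control bytes would start extra header lines. */
		if (iscntrl(c) || c >= 0x80)
			return (0);
		/* No whitespace or header/shell metacharacters in a bare address. */
		if (isspace(c) || strchr("<>()[],;:\\\"'`|&$", c) != NULL)
			return (0);
		if (c == '@')
			at_count++;
	}
	/* Accept a local user name (no '@') or exactly one user@domain. */
	if (at_count > 1)
		return (0);
	if (at_count == 1 && (addr[0] == '@' || addr[len - 1] == '@'))
		return (0);
	return (1);
}

int
main(void)
{
	/* Constructed sample values, not taken from the thread. */
	const char *s[] = { "root", "cron@example.org", "a@example.org\r\nX: y", "-t" };
	for (size_t i = 0; i < sizeof(s) / sizeof(s[0]); i++)
		printf("%d %zu\n", mail_addr_is_sane(s[i]), strlen(s[i]));
	return (0);
}
```

A check like this only constrains the form of the value; it does not stop a user from naming an address that is not theirs, which is the spoofing concern raised in the thread.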

