[comp.mail.elm] Security problem with autoreply

cudcv@warwick.ac.uk (Rob McMahon) (04/15/89)

First, thanks for the new version of elm, it went up much easier than the last
version.  I had two problems.  The first was a problem with the rather aged
version of Unix running on our Sun2s, which does not support O_CREAT or O_EXCL
used in filter/lock.c.  The second was rather more important---the use of
timezone vs. tzname should not be dependent on BSD, but should have its own
feature test.  All our machines are BSD flavour, but all have tzname and not
timezone, now that there is a public domain version of the zoneinfo stuff.

The problem I am really writing about, though, is autoreply/arepdaemon.
Unless I am mistaken this is a gaping security hole; if you have any private
files, I would not run this.  The problem is that arepdaemon does no checking
to see if the user can read the file used for reply, so if you want to read a
restricted file (like /etc/shadow?) all you have to do is use autoreply, and
then replace the original reply file with a link (symbolic or otherwise) to
the file you want to read.  Sending mail to the user of autoreply will then
return you a copy of the unreadable file.  Not nice.

In a similar situation, the Berkeley line printer software stashes a copy of
the device/inode number pair and compares this against the original before
using the file; could this be a solution here?

Rob
-- 
UUCP:   ...!mcvax!ukc!warwick!cudcv	PHONE:  +44 203 523037
JANET:  cudcv@uk.ac.warwick             ARPA:   cudcv@warwick.ac.uk
Rob McMahon, Computing Services, Warwick University, Coventry CV4 7AL, England
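An added illustration of the device/inode check Rob proposes, written here as example code rather than taken from elm or arepdaemon. It assumes a POSIX system with O_NOFOLLOW and mkdtemp(), which the 1989 systems in the post did not have; the function names and the /tmp scenario are constructed for the demonstration.

```c
#define _XOPEN_SOURCE 700   /* for mkdtemp() and O_NOFOLLOW */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

struct reply_ident { dev_t dev; ino_t ino; };  /* recorded when autoreply is enabled */
/* Registration time: remember which inode the user's reply file is.
 * lstat() so that a symlink cannot be registered in the first place. */
int record_reply_file(const char *path, struct reply_ident *id)
{
    struct stat st;
    if (lstat(path, &st) < 0 || !S_ISREG(st.st_mode)) return -1;
    id->dev = st.st_dev; id->ino = st.st_ino;
    return 0;
}
/* Send time: open without following symlinks and fstat() the descriptor itself, so
 * the object checked is the object read. Returns an fd only for the registered inode. */
int open_reply_checked(const char *path, const struct reply_ident *id)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0) return -1;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode)
        || st.st_dev != id->dev || st.st_ino != id->ino) { close(fd); return -1; }
    return fd;
}
/* Constructed scenario: register a reply file, then replace it with a symlink and
 * then a hard link to another file. Returns 1 if the original is accepted and both refused. */
int demo_swap_detected(void)
{
    char dir[] = "/tmp/arepXXXXXX", reply[64], secret[64];
    struct reply_ident id;
    int fd, ok;
    if (!mkdtemp(dir)) return 0;
    snprintf(reply, sizeof reply, "%s/reply", dir);
    snprintf(secret, sizeof secret, "%s/secret", dir);
    close(open(reply, O_WRONLY | O_CREAT, 0600));
    close(open(secret, O_WRONLY | O_CREAT, 0600));
    ok = record_reply_file(reply, &id) == 0;
    fd = open_reply_checked(reply, &id); ok = ok && fd >= 0; if (fd >= 0) close(fd);
    unlink(reply); ok = ok && symlink(secret, reply) == 0;
    ok = ok && open_reply_checked(reply, &id) == -1;   /* symlink refused */
    unlink(reply); ok = ok && link(secret, reply) == 0;
    ok = ok && open_reply_checked(reply, &id) == -1;   /* hard link refused */
    unlink(reply); unlink(secret); rmdir(dir);
    return ok;
}
```

The hard-link case is the one O_NOFOLLOW alone does not catch, which is why the inode comparison, not the symlink refusal, is the essential check.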