On Thu, 30 Nov 2000, Dax Kelson wrote:
> Tony Nugent said once upon a time (Thu, 30 Nov 2000):
>
> > ALL: ALL : \
> > spawn ( \
> > /bin/echo -e "\n\
> > TCP Wrappers\: Connection Refused\n\
> > By\: $(uname -n)\n\
> > Process\: %d (pid %p)\n\
> > User\: %u\n\
> > Host\: %c\n\
> > Date\: $(date)\n\
> > "| /bin/mail -s "Wrappers@$(uname -n)\: %d refused for %c" root ) &
>
> Is there any sanity checking that takes place on %u or %c? The remote
> user has control over those values. You are then putting those variables
> on the command line. If those variables aren't thoroughly scrubbed, you
> have a sure recipe for disaster.
>
> It would be safer to use swatch against /var/log/secure.
inetd does the sanity checking for you. From hosts_access(5):
Characters in % expansions that may confuse the shell are
replaced by underscores.
M.
--
WebCentral Pty Ltd, Australia's #1 Internet Web Hosting Company
Level 1, 96 Lytton Road, PO Box 4169, East Brisbane, Queensland, Australia.
Network Operations - Systems Engineer
phone: +61 7 3249 2583
pgp key id: 0x900E515F
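A sanitizer in the spirit of the hosts_access(5) rule quoted above, added here as an example in C and not libwrap's own code: each expanded %u/%c/%d value is scrubbed to a whitelist (anything else becomes an underscore) before it is spliced into the spawn command, so ident-supplied text cannot reach the shell as metacharacters. The whitelist, the `request` struct and the constructed sample values are assumptions for the example.

```c
#include <stdio.h>
#include <string.h>
/* Characters allowed through unchanged in an expanded %-value. The set is an
 * assumption for this example, not copied from libwrap; anything outside it
 * (; | & $ ` " ' ( ) < > newline, ...) is replaced by '_'. */
static const char ok_chars[] = "0123456789-_=+:,./@"
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";

/* Scrub one expanded value in place, as hosts_access(5) describes. */
char *scrub_expansion(char *s)
{
    for (char *cp = s; *(cp += strspn(cp, ok_chars)) != '\0'; )
        *cp = '_';  /* '_' is itself allowed, so strspn steps past it next */
    return s;
}

/* Constructed stand-in for the per-connection data libwrap carries. */
struct request {
    const char *daemon;  /* %d */
    const char *client;  /* %c */
    const char *user;    /* %u: comes from the remote ident daemon */
};

/* Expand %d, %c, %u and %% in a spawn command template into out, scrubbing
 * each expansion before copying it. Template text itself is not scrubbed.
 * Returns out, or NULL if the result does not fit in out_len bytes. */
char *percent_expand(char *out, size_t out_len, const char *tmpl,
                     const struct request *rq)
{
    size_t n = 0;
    for (const char *src = tmpl; *src != '\0'; ) {
        char piece[256];
        if (*src != '%' || src[1] == '\0') {   /* literal character */
            if (n + 1 >= out_len) return NULL;
            out[n++] = *src++;
            continue;
        }
        char ch = src[1];
        src += 2;
        const char *val = ch == 'd' ? rq->daemon : ch == 'c' ? rq->client :
                          ch == 'u' ? rq->user : ch == '%' ? "%" : "";
        snprintf(piece, sizeof piece, "%s", val);
        if (ch != '%') scrub_expansion(piece);  /* keep the literal '%' */
        size_t len = strlen(piece);
        if (n + len >= out_len) return NULL;
        memcpy(out + n, piece, len);
        n += len;
    }
    out[n] = '\0';
    return out;
}
```

Only the substituted values are scrubbed; the template's own text, including the `$(uname -n)` and `$(date)` in the rule above, is still run by the shell as the administrator wrote it.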
_______________________________________________
Redhat-devel-list mailing list
https://listman.redhat.com/mailman/listinfo/redhat-devel-list