On Mon, Apr 15, 2019 at 2:26 PM Ian Lepore <i...@freebsd.org> wrote:
>
> On Mon, 2019-04-15 at 18:53 +0000, Kyle Evans wrote:
> > Author: kevans
> > Date: Mon Apr 15 18:53:28 2019
> > New Revision: 346252
> > URL: https://svnweb.freebsd.org/changeset/base/346252
> >
> > Log:
> >   cron(8): Add MAILFROM ability for crontabs
> >
> >   This changes the sender mail address in a similar fashion to how MAILTO may
> >   change the recipient. The default from address remains unchanged.
> >
> >   MFC after: 1 week
> >
> > Modified:
> >   head/usr.sbin/cron/cron/cron.8
> >   head/usr.sbin/cron/cron/do_command.c
> >   head/usr.sbin/cron/crontab/crontab.5
> >
>
> Is this going to allow normal users to spoof the From: using private
> crontabs? That sounds mildly dangerous.
>
> -- Ian

I think my description here was lacking - this is a per-crontab
environment variable, so yes: a user may spoof the from address in a
private crontab for jobs within that crontab. I don't know how much of
a security concern this is, but I peeked at cronie [1] after you brought
this up and observed that their implementation is effectively the same
restriction-wise, but with sanity checking for both mailfrom/mailto
values.

[1] https://github.com/cronie-crond/cronie/blob/master/src/do_command.c
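
An added example, not part of the original message and not cronie's or FreeBSD's code: one way a cron daemon could sanity-check a crontab-supplied MAILFROM or MAILTO value before writing it into a mail header. The allowlist, length limit, function names and sample addresses are assumptions made for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_MAIL_VALUE 256	/* assumed limit, not taken from cron */

/* Assumed allowlist: punctuation accepted besides ASCII letters and digits. */
static const char safe_punct[] = "@!:%-.,_+";

/* Return 1 if a crontab-supplied MAILFROM/MAILTO value is safe to use. */
int mail_value_is_safe(const char *s)
{
	size_t i, len;
	if (s == NULL || (len = strlen(s)) == 0 || len >= MAX_MAIL_VALUE)
		return 0;
	if (s[0] == '-')	/* would be parsed as a mailer option */
		return 0;
	for (i = 0; i < len; i++) {
		unsigned char ch = (unsigned char)s[i];
		/* Rejects CR/LF, spaces, quotes and anything non-ASCII. */
		if (ch > 0x7f || (!isalnum(ch) && strchr(safe_punct, ch) == NULL))
			return 0;
	}
	return 1;
}

/*
 * Build the From: header, using mailfrom only if it passes the check.
 * Returns 1 if mailfrom was used, 0 for the fallback, -1 on truncation.
 */
int format_from_header(char *buf, size_t buflen, const char *mailfrom,
    const char *fallback)
{
	int used = mail_value_is_safe(mailfrom);
	int n = snprintf(buf, buflen, "From: %s\n", used ? mailfrom : fallback);
	if (n < 0 || (size_t)n >= buflen)
		return -1;
	return used;
}

int main(void)
{
	char hdr[128];
	/* Constructed sample: a MAILFROM value carrying an extra header line. */
	int r = format_from_header(hdr, sizeof(hdr),
	    "ops@example.org\nBcc: x@example.net", "root@localhost");
	printf("used=%d %s", r, hdr);
	return 0;
}
```

A check like this only constrains the shape of the value, so a user can still pick any well-formed sender address, which is the spoofing concern raised in the thread.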