rmail and leading "-" in address

Michael Grimm

Oct 20, 2008, 5:34:16 PM
Hi -

I'm receiving my mail via UUCP, thus '/bin/rmail' will be called by
'/usr/local/libexec/uucp/uuxqt', and I'm receiving a lot of spam from
dumb spammers using guessed email addresses with leading '-' like
'-impo...@example.tld'.

This will result in an uuxqt call ...

/bin/rmail -impo...@example.tld

... with an UUCP error, which is absolutely correct, because rmail
doesn't know of any parameter '-impo...@example.tld'.

Workaround is a wrapper script calling 'rmail -- $*'.
(all on an uptodate 6.3-RELEASE)

Ok, now my questions because I'm still considering myself a BSD newbie.

1) /bin/rmail is part of FBSD, correct?
2) every update or upgrade will overwrite my wrapper /etc/rmail,
correct?
3) as UUCP isn't used any longer that much, that behavior will not have
been fixed in 7.x?
4) should I report this as a bug and propose that wrapper?
5) live with it? ;-)

Regards,
Michael
--
to let

Warren Block

Oct 20, 2008, 7:56:41 PM
Michael Grimm <tras...@odo.in-berlin.de> wrote:
>
> I'm receiving my mail via UUCP, thus '/bin/rmail' will be called by
> '/usr/local/libexec/uucp/uuxqt', and I'm receiving a lot of spam from
> dumb spammers using guessed email addresses with leading '-' like
> '-impo...@example.tld'.
>
> This will result in an uuxqt call ...
>
> /bin/rmail -impo...@example.tld
>
> ... with an UUCP error, which is absolutely correct, because rmail
> doesn't know of any parameter '-impo...@example.tld'.

That seems insecure.

> Workaround is a wrapper script calling 'rmail -- $*'.
> (all on an uptodate 6.3-RELEASE)
>
> Ok, now my questions because I'm still considering myself a BSD newbie.
>
> 1) /bin/rmail is part of FBSD, correct?

Looks like it, yes.

> 2) every update or upgrade will overwrite my wrapper /etc/rmail,
> correct?

Only if it were part of the upgrade. For example, you can count on a
new version of ls when you upgrade the system. But the process
generally isn't going to wipe out directories, so files you've created
will stick around. Unless they're overwritten by new files using the
same name you picked, which is unlikely.

However: /etc is not a good place for scripts. On FreeBSD,
/usr/local/bin would be a more logical place.

> 3) as UUCP isn't used any longer that much, that behavior will not have
> been fixed in 7.x?

Don't know.

> 4) should I report this as a bug and propose that wrapper?

It seems like a bug in uuxqt. Maybe check with the port maintainer on
that before filing a PR on rmail.

> 5) live with it? ;-)

Getting it fixed maybe helps you in the future and maybe somebody else
won't have to find and fix the same problem.

--
Warren Block * Rapid City, South Dakota * USA

Michael Grimm

Oct 21, 2008, 1:47:23 AM
Warren Block <wbl...@wonkity.com> wrote:
> Michael Grimm <tras...@odo.in-berlin.de> wrote:

>> I'm receiving my mail via UUCP, thus '/bin/rmail' will be called by
>> '/usr/local/libexec/uucp/uuxqt', and I'm receiving a lot of spam from
>> dumb spammers using guessed email addresses with leading '-' like
>> '-impo...@example.tld'.
>>
>> This will result in an uuxqt call ...
>>
>> /bin/rmail -impo...@example.tld
>>
>> ... with an UUCP error, which is absolutely correct, because rmail
>> doesn't know of any parameter '-impo...@example.tld'.
>
> That seems insecure.

-v, please.

>> 2) every update or upgrade will overwrite my wrapper /etc/rmail,
>> correct?

Sorry. That's been a dumb typo of mine. I meant '/bin/rmail'. That
wrapper script needs to be put into '/bin' with the same name
'/bin/rmail' in order to allow uuxqt to access it. The original
'/bin/rmail' is renamed into '/bin/rmail-excecutable'. Sorry, that
was very much misleading :-(

> Only if it were part of the upgrade. For example, you can count on a
> new version of ls when you upgrade the system. But the process
> generally isn't going to wipe out directories, so files you've created
> will stick around. Unless they're overwritten by new files using the
> same name you picked, which is unlikely.

I believe that now it should be clear why I assume that an upgrade or
update will overwrite a wrapper script called '/bin/rmail'.

>> 4) should I report this as a bug and propose that wrapper?
>
> It seems like a bug in uuxqt. Maybe check with the port maintainer on
> that before filing a PR on rmail.

Hmm. The local part with a leading '-' is perfectly correct for email
addresses, if I'm not mistaken. The usage of rmail out of uuxqt is
'/bin/rmail <email address>'. And uuxqt itself just fires up that
command. Therefore I would rather try to contact the developers
responsible for rmail? Please, correct me if I'm mistaken.

>> 5) live with it? ;-)
>
> Getting it fixed maybe helps you in the future and maybe somebody else
> won't have to find and fix the same problem.

ACK ;-)

Giorgos Keramidas

Oct 20, 2008, 9:52:19 PM
On Mon, 20 Oct 2008 21:34:16 +0000 (UTC),
Michael Grimm <tras...@odo.in-berlin.de> wrote:
> Hi -
>
> I'm receiving my mail via UUCP, thus '/bin/rmail' will be called by
> '/usr/local/libexec/uucp/uuxqt', and I'm receiving a lot of spam from
> dumb spammers using guessed email addresses with leading '-' like
> '-impo...@example.tld'.
>
> This will result in an uuxqt call ...
>
> /bin/rmail -impo...@example.tld
>
> ... with an UUCP error, which is absolutely correct, because rmail
> doesn't know of any parameter '-impo...@example.tld'.
>
> Workaround is a wrapper script calling 'rmail -- $*'.
> (all on an uptodate 6.3-RELEASE)
>
> Ok, now my questions because I'm still considering myself a BSD newbie.
>
> 1) /bin/rmail is part of FBSD, correct?
> 2) every update or upgrade will overwrite my wrapper /etc/rmail,
> correct?

You mean `/bin/rmail', right?

> 3) as UUCP isn't used any longer that much, that behavior will not have
> been fixed in 7.x?
> 4) should I report this as a bug and propose that wrapper?
> 5) live with it? ;-)

This looks like a bug in `uuxqt', so a better fix would be to patch
*that* program, and submit the fix to the FreeBSD port maintainer.

Warren Block

Oct 21, 2008, 10:48:58 AM
Michael Grimm <tras...@odo.in-berlin.de> wrote:
> Warren Block <wbl...@wonkity.com> wrote:
>> Michael Grimm <tras...@odo.in-berlin.de> wrote:
>
>>> I'm receiving my mail via UUCP, thus '/bin/rmail' will be called by
>>> '/usr/local/libexec/uucp/uuxqt', and I'm receiving a lot of spam from
>>> dumb spammers using guessed email addresses with leading '-' like
>>> '-impo...@example.tld'.
>>>
>>> This will result in an uuxqt call ...
>>>
>>> /bin/rmail -impo...@example.tld
>>>
>>> ... with an UUCP error, which is absolutely correct, because rmail
>>> doesn't know of any parameter '-impo...@example.tld'.
>>
>> That seems insecure.
>
> -v, please.

Letting someone outside your system send uncontrolled options to an
internal program can be dangerous in general.

http://xkcd.com/327/

Mark Andrews

Oct 21, 2008, 7:02:02 PM
In article <gdjqdb$1rvp$1...@odo.in-berlin.de>,

But that isn't the FULL calling sequence for /bin/rmail.

uuxqt should be calling /bin/rmail safely.

e.g.
/bin/rmail -- <email address>

It's something that lots of developers fail to remember.

uuxqt is broken based on the description, not rmail.

Mark
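
The calling convention discussed in the replies above (end the option list with `--` before a remote-supplied address), as an added shell example that is not part of the original thread. `fake_rmail` is a hypothetical stand-in, not the real `/bin/rmail`; its option letters and both sample addresses are constructed. It goes one step beyond the thread by also comparing `$*` with `"$@"` in the wrapper.

```shell
#!/bin/sh
# Constructed demo: fake_rmail parses options the way a getopt(3)-based
# program does. It is a stand-in, NOT the real /bin/rmail.
fake_rmail() {
    OPTIND=1
    while getopts ":D:T" opt; do
        case "$opt" in
            D|T) ;;                                  # known options, ignored here
            *)   echo "usage error: -$OPTARG" >&2    # unknown option or missing value
                 return 64 ;;                        # EX_USAGE
        esac
    done
    shift $((OPTIND - 1))
    echo "recipients=$#"
}

# Caller that passes the remote-supplied address straight through.
unsafe_call() { fake_rmail "$@"; }

# Wrapper with unquoted $*: '--' ends option parsing, but the shell
# re-splits every argument on whitespace before fake_rmail sees it.
wrapper_star() { fake_rmail -- $*; }

# Wrapper with "$@": '--' ends option parsing and each argument is
# handed over exactly as received.
wrapper_at() { fake_rmail -- "$@"; }

ADDR='-sales@example.tld'      # constructed address with a leading '-'
ODD='odd user@example.tld'     # constructed address containing a space

unsafe_call "$ADDR" || echo "unsafe_call exit status: $?"
wrapper_at "$ADDR"
wrapper_star "$ODD"
wrapper_at "$ODD"
```

Without `--` the address is parsed as an option string and never reaches the recipient list; with `--` it is always treated as an operand, whatever its first character.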

Michael Grimm

Oct 22, 2008, 1:53:06 PM

Ok. Understood. I'll either try to fix it myself, or ask the maintainer
for help.

Thanks to all of you.
