[cvs] bogofilter/contrib bogopass,1.3,1.4
Matthias Andree
matthias.andree at gmx.de
Wed Dec 4 12:18:48 CET 2002
On Tue, 03 Dec 2002, Allyn Fratkin wrote:
> david, would it be possible to re-release 0.9.1 with bogopass silently
> removed? either that or we should quickly release a 0.9.1.1 or similar
> with a working bogopass.
I'd vote for 0.9.2 with a working bogopass, but not now, there are
questions below.
> who thought one short perl script would cause so much trouble?
Not me, not you, not Suzanne. And David neither.
I'm sorry, I was part of the trouble script. I was wondering if we
should do basic tests for contrib/* programs or if we should rather
spend our time on something else, because it's explicitly marked
interim solution.
> >This trick makes sure it works with perl anywhere on the $PATH, not just
> >/usr/bin. FreeBSD 5 might fail unless we use env.
>
> understood and very clever, however if we are being
> security conscious and setting PATH explicitly later, it doesn't
> make sense to me to search through an unknown PATH to find perl.
Setting it later is for defeating Perl taint checks actually ;-) It
would be an issue if bogopass was installed setuid-root or something,
but it can safely run unprivileged, I had suggested that we set the PATH
explicitly, but then we'd bump into the 32 character limit for the #!
magic that some systems impose.
It's a remainder from when I tried to make bogopass "perl -T" proof, but
that turned out too much of an effort -- we couldn't have used system or
exec the way we do then, and we run in a controlled way.
Should we figure the Perl path at configure time then and create these
scripts with config.status?
> that would be a gaping secuity hole. if we're willing to search
> an unknown PATH to find perl, we might as well just search PATH to
> find unbase64 and bogofilter.
Yes, we might do that.
> >We must not close the file handle yet, unlink0 needs it below.
>
> unlink0 worked fine even if $fh was closed.
"not here", it printed two lines on stderr about stat'ing a closed $fh.
> >I've tried some tricks to figure a failure to start unbase64, but at
> >least my bash will happily launch bogofilter even when it cannot start
> >unbase64 -- so we need to catch the unbase64 failure explicitly.
>
> failing to start unbase64 isn't fatal (although then bogopass would be
> pointless), so perhaps you could do something like
> "(unbase64 || cat) < \"$fn\" | bogofilter -v $options"
The whole point about bogopass is to emulate "bogofilter -p" with
unbase64, so we don't want "cat" in there.
> i am still uncomfortable with the idea of leaving the bogopass tmp
> file in /tmp or basically using a temp file at all. are there any
> thoughts about just keeping the message in memory? it would be much
> speedier and much tigher security-wise.
I believe the way File::Temp deals with it is safe enough. If we're
paranoid, we enforce that /tmp has its sticky bit set (so that files can
only be deleted by their respective owners) and bail out if it's unset,
or use a private .tmp file.
> of course, a large message
> could take up a lot of memory and bogofilter is already keeping quite
> a lot of the message in memory so it would kind of double.
>
> still, perhaps this is just the risk one takes when using bogopass for now?
"Add a swap partition. Disks are cheap." :-)
Seriously, I think we should only fix the remaining /usr/bin/env versus
$PATH consistency issues and keep it the way it is.
More information about the bogofilter-dev
mailing list