[web-devel] path to sendmail

Michael Snoyman michael at snoyman.com
Tue Feb 9 17:55:16 UTC 2016 

Two thoughts come to mind:

* Hard-code into the application a list of common sendmail locations and
search them
* Allow some kind of configuration (via file, env var, etc) to specify
sendmail location at launch

The first may sound slightly dangerous, but if you're already searching the
PATH for `sendmail`-named binaries, I don't think it's any worse. I'd
definitely include a configuration override to set the location of the
sendmail executable and override any searching (via list of paths or the
PATH var).

On Tue, Feb 9, 2016 at 7:46 PM, Jeremy Shaw <jeremy at n-heptane.com> wrote:

> Hello,
>
> I have a web application which needs to send mail using sendmail.
>
> However, the way the system is configured, sendmail is not in the web
> server's $PATH.
>
> There are two fixes for this -- change the init script so that sendmail is
> in the $PATH -- or modify the web server so that the admin can set the path
> to sendmail via the control panel.
>
> At first the second option sounds good. But I wonder about the security
> implications. If someone manages to get the password for the admin control
> panel -- they could change the path to sendmail to something else -- like
> `vim` or `gcc` and then somehow craft a message that would place a backdoor
> on the system.
>
> Now, given that the input to the message is going to be a mime message
> that sounds pretty difficult. But, then again, in December tons of Joomla
> sites were open to an exploit where a malformed user-agent header allowed
> hackers to execute arbitrary code.
>
> Although in this case I care about sendmail, this is clearly an issue for
> any web application that depends on external binaries like pandoc, etc.
>
> In my use case, I am dealing with a CMS and I assume the poor user doesn't
> know anything about Haskell, init scripts, ssh, etc. So, allowing the
> location to be changed via the admin panel makes things easier because it
> can be adapted to any distribution. (Clearly, I would start by checking the
> most common locations, but provide an escape hatch for oddballs).
>
> But I don't like the idea of providing a potential attack vector.
>
> Any thoughts ?
>
> - jeremy
>
>
>
> _______________________________________________
> web-devel mailing list
> web-devel at haskell.org
> http://mail.haskell.org/cgi-bin/mailman/listinfo/web-devel
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.haskell.org/pipermail/web-devel/attachments/20160209/c15c7adb/attachment.html>

More information about the web-devel mailing list