I am working on a project where I would like to allow certain persons to modify certain entries of Sendmail's virtusertable via a web interface. I originally thought this wouldn't be a problem until I read the following:
The second answer in this post claims that the right hand side of an entry in the virtusertable database could be a file. If this is true, I have to be extremely cautious, because (for example) if it works with a file, it probably works with a pipe as well, and we all know what could happen then.
Although having researched for several hours now, I didn't find one single example of a virtusertable where the RHS is a file, and no other hint regarding this feature or how to use it. So my questions are:
1) Is it true that that the RHS of a virtusertable entry can be a file?
2) If yes, how does Sendmail distinguish if the RHS of an entry is a local user, a full email address or a file (obviously, I can have files named root or [email protected] somewhere in my file system)?
As a side note, I am aware that this post eventually could be moved to security.stackexchange.com, but I've decided to leave it here since the two questions above might be interesting to administrators even when not being in my situation (i.e. when the virtusertable can be changed only by themselves (and not via web interface as well)).
Update (2016-08-21)
Supported by the comments below, I have written an email to the FreeBSD documentation team. I hope they will get back to me soon. I'll add an update when this happens.
0 Answers