Re: auto signing messages Re: perl from Amad3us
-----BEGIN PGP SIGNED MESSAGE-----

Antonomasia says:
excerpt from Amad3us' script:
#!/usr/local/bin/perl
$userID="cypherpunks\@algebra.com";
$pgp="/usr/local/bin/pgp";
$tmp="/tmp/.sig$$";
undef($/);
$post = <STDIN>;
($headers,@body) = split(/\n\n/,$post);
$body = join("\n\n",@body);
open(PIPE,"|$pgp -satf +batchmode +verbose=0 -u $userID > $tmp");
Real paranoiacs don't put temporary files in world-writeable directories.
If a hostile user symlinks your majordomo binary (or something) to /tmp/.sig999 you're going to overwrite it with garbage.
Sure. But have you looked at pgp2 source code? (smirks). (Hint, temporary files all over the place.)

Amad3us

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
-----END PGP SIGNATURE-----
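
The overwrite described in the thread, and the usual way to avoid it, as an added Perl example (not part of the original message or of Amad3us' script). It runs inside a private sandbox directory standing in for /tmp; the file name important.bin and the helper subs are constructed for illustration.

```perl
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Temp qw(tempdir tempfile);

# Constructed sandbox standing in for a world-writable directory such as /tmp.
my $sandbox = tempdir(CLEANUP => 1);
my $target  = "$sandbox/important.bin";   # constructed file the script's user can write
my $guess   = "$sandbox/.sig$$";          # the excerpt's naming scheme: ".sig" + PID
# State described in the thread: the predictable name already exists as a symlink.
open(my $t, '>', $target) or die "create $target: $!";
print $t "ORIGINAL\n";
close($t);
symlink($target, $guess) or die "symlink: $!";

sub slurp {
    my ($path) = @_;
    open(my $fh, '<', $path) or die "read $path: $!";
    local $/;
    return scalar <$fh>;
}

# O_CREAT|O_EXCL refuses any existing name, including a symlink (fails with EEXIST).
sub exclusive_write {
    my ($path, $data) = @_;
    sysopen(my $fh, $path, O_WRONLY | O_CREAT | O_EXCL, 0600) or return 0;
    print $fh $data;
    return close($fh);
}

# Truncating open, which is what the shell's "> $tmp" does: it follows the symlink.
sub truncating_write {
    my ($path, $data) = @_;
    open(my $fh, '>', $path) or return 0;
    print $fh $data;
    return close($fh);
}

my $ok = exclusive_write($guess, "signed text\n");
printf "O_EXCL write %s; target is %s\n",
    $ok ? 'succeeded' : "refused ($!)", slurp($target) eq "ORIGINAL\n" ? 'intact' : 'overwritten';
truncating_write($guess, "signed text\n");
printf "truncating write done; target is %s\n",
    slurp($target) eq "ORIGINAL\n" ? 'intact' : 'overwritten';

# Preferred: File::Temp picks an unpredictable name and creates it with O_EXCL, mode 0600.
my ($fh, $tmp) = tempfile('sigXXXXXXXX', DIR => $sandbox, UNLINK => 1);
print $fh "signed text\n";
close($fh) or die "close $tmp: $!";
printf "File::Temp created %s with mode %04o\n", $tmp, (stat $tmp)[2] & 07777;
```

The first line of output reports the exclusive open being refused with the target intact; the second reports the target overwritten through the link.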
participants (1)
- nobody@REPLAY.COM