auto signing messages Re: perl from Amad3us

Antonomasia ant at notatla.demon.co.uk
Sun Nov 2 08:11:26 PST 1997





>  #!/usr/local/bin/perl
>  $userID="cypherpunks\@algebra.com";
>  $pgp="/usr/local/bin/pgp";
>  $tmp="/tmp/.sig$$";
>  undef($/);
>  $post = <STDIN>;
>  ($headers,@body) = split(/\n\n/,$post);$body = join("\n\n",@body);
>  open(PIPE,"|$pgp -satf +batchmode +verbose=0 -u $userID > $tmp");


Real paranoiacs don't put temporary files in world-writeable directories.

If a hostile user symlinks your majordomo binary (or something)
to /tmp/.sig999 you're going to overwrite it with garbage.

A single purpose directory /tmp/mdsig writeable only by the
list account 'majordom' would be my preference.  (Correct owner
and mode for this directory and parents could be checked by the perl
script before it decides to write there.)


--
##############################################################
# Antonomasia   ant at notatla.demon.co.uk                      #
# See http://www.notatla.demon.co.uk/                        #
##############################################################
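
The owner and mode check suggested in the reply above, as an added Perl example that is not part of the original thread. The directory /tmp/mdsig and the account 'majordom' come from the post; the name check_dir_chain, the file name sig.$$, and the rule applied to parent directories (owned by root or the list account, sticky if writable by others) are assumptions of this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Fcntl qw(:DEFAULT :mode);
use File::Basename qw(dirname);

# Return a list of problems with $dir and its parents; empty means usable.
sub check_dir_chain {
    my ($dir, $uid) = @_;
    my @bad;
    # The scratch directory: a real directory (not a symlink), ours, mode 0700.
    my @st = lstat($dir) or return ("$dir: cannot lstat: $!");
    push @bad, "$dir: not a directory" unless S_ISDIR($st[2]);
    push @bad, "$dir: owned by uid $st[4]" unless $st[4] == $uid;
    push @bad, sprintf("%s: mode %04o, want 0700", $dir, S_IMODE($st[2]))
        unless S_IMODE($st[2]) == 0700;
    # Parents: owned by root or us, and not writable by group/other unless
    # sticky (as /tmp is), so nobody else can rename or replace our entry.
    my $p = $dir;
    while (1) {
        my $up = dirname($p);
        last if $up eq $p;    # reached the top of the path
        $p = $up;
        my @ps = stat($p) or return (@bad, "$p: cannot stat: $!");
        push @bad, "$p: owned by uid $ps[4]"
            unless $ps[4] == 0 || $ps[4] == $uid;
        push @bad, sprintf("%s: mode %04o lets others write and is not sticky",
                           $p, S_IMODE($ps[2]))
            if ($ps[2] & (S_IWGRP | S_IWOTH)) && !($ps[2] & S_ISVTX);
    }
    return @bad;
}

my $dir     = shift(@ARGV) // '/tmp/mdsig';   # directory proposed in the post
my $account = shift(@ARGV) // 'majordom';     # list account named in the post
my $uid     = getpwnam($account);
die "no such account: $account\n" unless defined $uid;

if (my @bad = check_dir_chain($dir, $uid)) {
    die join("\n", "refusing to write in $dir:", @bad) . "\n";
}
# O_EXCL fails if the name already exists, a planted symlink included.
my $tmp = "$dir/sig.$$";    # hypothetical file name
sysopen(my $fh, $tmp, O_WRONLY | O_CREAT | O_EXCL, 0600)
    or die "cannot create $tmp: $!\n";
print {$fh} "signed message would be written here\n";
close($fh) or die "close $tmp: $!\n";
unlink($tmp) or warn "unlink $tmp: $!\n";
```

Opening the file from Perl with O_EXCL, rather than through a shell `> $tmp` redirect as in the quoted script, is what makes the open fail instead of following an existing link.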






