
Re: auto signing messages Re: perl from Amad3us
-----BEGIN PGP SIGNED MESSAGE-----

Antonomasia says:
> excerpt from Amad3us' script:
> >  #!/usr/local/bin/perl
> >  $userID="cypherpunks\@algebra.com";
> >  $pgp="/usr/local/bin/pgp";
> >  $tmp="/tmp/.sig$$";
> >  undef($/);
> >  $post = <STDIN>;
> >  ($headers,@body) = split(/\n\n/,$post);$body = join("\n\n",@body);
> >  open(PIPE,"|$pgp -satf +batchmode +verbose=0 -u $userID > $tmp");
> 
> Real paranoiacs don't put temporary files in world-writeable directories.
> 
> If a hostile user symlinks your majordomo binary (or something)
> to /tmp/.sig999 you're going to overwrite it with garbage.

Sure.  But have you looked at pgp2 source code? (smirks).

(Hint, temporary files all over the place.)

Amad3us

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i

iQCVAwUBNG39iPKMuKFNFivhAQEYuwP/Q5nWBocRDlwVWCppBnI6g+kryko8YGJO
PnEQU+ZeTXFtnBlhpylzaz4XX2hx5cfVUtmU+EZ6GsKdu/5ALV7JWZfpRQ7LLY0n
kY0xiCDRn5binhXXuMXAJIu6y47KyXgrFQKQWZm7sgAF0p6PCbajMwPUiJEWKpWe
TGlzJNCp7OE=
=w4G3
-----END PGP SIGNATURE-----
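As an added illustration of Antonomasia's point (this is not code from the thread, nor from either poster), the temp-file step of the quoted script rewritten so that a pre-planted symlink at a guessable /tmp name cannot redirect the write. The pgp path, the signing user ID and the sign_body() name are assumptions carried over from the excerpt for illustration; the pgp flags are the ones the excerpt uses.

```perl
#!/usr/bin/perl
# Added example, not from the original thread: hardened replacement for
#   open(PIPE,"|$pgp -satf +batchmode +verbose=0 -u $userID > /tmp/.sig$$");
use strict;
use warnings;
use File::Temp qw(tempfile);

my $pgp    = "/usr/local/bin/pgp";        # assumed location of pgp 2.6.x
my $userID = 'cypherpunks@algebra.com';   # key to sign with, as in the thread

# Run $pgp over $body and return the clearsigned output.
# What changes relative to the quoted one-liner:
#  1. tempfile() picks an unpredictable name and creates it with
#     O_CREAT|O_EXCL, so if someone has already planted a symlink at that
#     name the create fails instead of following the link.  UNLINK => 1
#     removes the file at exit.
#  2. The file is never reopened by path.  The child inherits the already
#     open descriptor as its STDOUT and the parent reads back through the
#     same handle, so there is no create-then-open window to race.
#  3. No shell is involved: exec() gets an argument list, so nothing in
#     $pgp or $userID can be interpreted as shell metacharacters.
sub sign_body {
    my ($body) = @_;

    my ($fh, $tmp) = tempfile("sig.XXXXXXXX", DIR => "/tmp", UNLINK => 1);

    my $pid = open(my $to_pgp, "|-");    # fork; the child's STDIN is the pipe
    die "fork failed: $!" unless defined $pid;
    if ($pid == 0) {                     # child process
        open(STDOUT, ">&", $fh) or die "dup of temp handle failed: $!";
        exec($pgp, "-satf", "+batchmode", "+verbose=0", "-u", $userID)
            or die "exec $pgp: $!";
    }
    print {$to_pgp} $body;
    close($to_pgp) or die "pgp exited with status ", $? >> 8;

    # Read the signed text back through our own handle, not via $tmp.
    seek($fh, 0, 0) or die "seek: $!";
    local $/;                            # slurp the whole file
    my $signed = <$fh>;
    close($fh);
    return $signed;
}

# Usage, mirroring the excerpt: read the whole post from STDIN, split the
# headers from the body at the first blank line, sign the body.
if (!caller) {
    local $/;
    my $post = <STDIN>;
    my ($headers, $body) = split(/\n\n/, $post, 2);
    print $headers, "\n\n", sign_body($body);
}
```

The exec list form and the inherited descriptor are what remove the dependency on the path: even if /tmp is world-writable, the only process that ever names the file is the one that created it with O_EXCL, and the name itself is not guessable from the process ID.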