Two problems with stderr output
CasperVector opened this issue · 3 comments
This line in crontab
*/1 * * * * printf 'To: someuser\nSubject: spam\n' > /dev/stderr
results in the following behaviour:
- For `root`, the spam is sent, verbatim, to `someuser` (and of course, if the `printf()`-ed string is changed to something that does not fit the format of an email, the MTA will probably refuse to send it).
- For a non-`root` user, an error message will occur saying `/bin/sh: /dev/stderr: Permission denied`.
While one expects that:
- To the user that the `crontab` belongs to (or whoever it finally redirects to via mail aliases), a message is sent back, with the `printf()`-ed string as the mail body.
Also it seems obvious that the ability to feed arbitrary text to the MTA is a security and administrative risk, even if only `root` has the permission to do that.
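The expected behaviour described in the issue above (job output delivered only as the mail body, addressed to the crontab owner), as an added example that is not part of the thread or the project's code. It assumes nothing about how this cron assembles its mail; the function names, the owner address and the `spam-job` label are hypothetical.

```python
from email import message_from_string, policy
from email.message import EmailMessage

# Constructed sample: the text the crontab line in the issue writes to stderr.
JOB_OUTPUT = "To: someuser\nSubject: spam\n"
OWNER = "alice@example.org"  # constructed address standing in for the crontab owner


def compose_report(owner, command, output):
    """Build the report so that job output can only ever be body text."""
    msg = EmailMessage(policy=policy.SMTP)
    msg["To"] = owner                    # chosen by the daemon, never by the job
    msg["Subject"] = f"cron: {command}"
    msg.set_content(output)              # header-like lines stay below the blank line
    return msg.as_string()


def check_spooled(raw, owner):
    """Return the reasons a spooled message should not be handed to the MTA."""
    msg = message_from_string(raw, policy=policy.default)
    problems = []
    recipients = []
    for name in ("To", "Cc", "Bcc"):
        recipients += [str(v).strip() for v in msg.get_all(name, [])]
    if recipients != [owner]:
        problems.append(f"recipients {recipients!r} are not the crontab owner")
    if not str(msg.get("Subject", "")).startswith("cron: "):
        problems.append("subject was not set by the daemon")
    return problems


def body_of(raw):
    """Decoded body of a raw message, for inspecting where the job output landed."""
    return message_from_string(raw, policy=policy.default).get_content()


if __name__ == "__main__":
    # Job output used as the whole message: its lines are parsed as headers.
    print(check_spooled(JOB_OUTPUT, OWNER))
    # Composed report: same output, but it is confined to the body.
    report = compose_report(OWNER, "spam-job", JOB_OUTPUT)
    print(check_spooled(report, OWNER), repr(body_of(report)))
```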
I don't see why there is any fresh risk exposure here. The root user can already feed arbitrary text to the MTA, even via their crontab if they like. So no new ability is being granted. I'll have to think about the other complaint. I believe this behavior comes from the original design of the program. Perhaps it's not the best solution, but I'm not yet on board with the alternative that you describe or another alternative.
I also think that the security risk does not seem serious; nevertheless, current behaviour at least appears counter-intuitive to me...