author | Eric S. Raymond <esr@thyrsus.com> | 1998-06-12 07:06:37 +0000 |
---|---|---|
committer | Eric S. Raymond <esr@thyrsus.com> | 1998-06-12 07:06:37 +0000 |
commit | 130a5b07197819cdc447900f9891988c8f01e9f5 (patch) | |
tree | d401ea7ba7009207e486ff3bd6f4e283a07103c3 /fetchmail.man | |
parent | 9a943e1bf3ded13beb5582b48ef99709a4e61179 (diff) | |
Ready to ship.
svn path=/trunk/; revision=1935
Diffstat (limited to 'fetchmail.man')
-rw-r--r-- | fetchmail.man | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/fetchmail.man b/fetchmail.man index bf75889f..11c01026 100644 --- a/fetchmail.man +++ b/fetchmail.man @@ -1588,10 +1588,10 @@ link can be tapped. .PP Use of the %F or %T escapes in an mda option could open a security hole, because they pass text manipulable by an attacker to a shell -command. The hole is reduced by the fact that fetchmail temporarily -discards any suid privileges it may have while running the MDA. To -avoid potential problems, (1) enclose the %F and %T escapes in single -quotes within the option, and (2) never use an mda command containing +command. Potential shell characters are replaced by `_' before +execution. The hole is further reduced by the fact that fetchmail +temporarily discards any suid privileges it may have while running the +MDA. For maximum safety, however, don't use an mda command containing %F or %T when fetchmail is run from the root account itself. .PP Send comments, bug reports, gripes, and the like to Eric S. Raymond |
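Review bot: The added sentence "Potential shell characters are replaced by `_' before execution" does not say which characters count as shell characters, so a reader cannot check whether their own mda command line is covered; list them in the man page or point to where they are defined. The same hunk drops the earlier advice to enclose the %F and %T escapes in single quotes, yet the paragraph still describes the hole as only "reduced", so keeping that recommendation alongside the new substitution would be the safer wording. It would also help to state that the substitution alters the sender or recipient text the MDA receives, since the manual otherwise gives no hint that %F and %T may differ from the original addresses.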