Description of Problem: The following great stuff shows in root mail: To: root From: Disk Usage Monitor <root> Subject: Low disk space warning Status: RO Content-Length: 107 Lines: 3 Disk usage for localhost.localdomain: /dev/fd0 (/mnt/floppy) is 98% full -- 1.4M of 1.4M used, 29k remain One can only say to that "Duh! No shit!". Similar reaction would be if any other removable media triggered something of that sort. Actually I am only assuming that this mysterious "Disk Usage Monitor" has something to do with fam. The fact the a responsible program is not clearly identified, thus making it hard to shut up this bogosity, is another bug; maybe even more serious.
Apologies. I found that this bogosity really comes from 'diskcheck' and not from 'fam'. But when I found that this program reads its config file with 'exec(line)' then my lower jaw truly fell to the floor. So every sudo'er with a write access to this config file may execute absolutely anything on a system? Great stuff!!! How many other surprises of that kind?
hmm, one can execute many programs, if /etc is belonging to him... will include floppies to omit as well :)
I do not think that you understand security implications. Some "junior administrator" may have a write access to a configuration file (ownership and permits do not have be like in times of an installation) without owning /etc. That kind of "pseudo-parsing" with 'exec' is a VERY BAD IDEA in any language. A program is running from cron and you are finding yourself executing with root priviledges a code you never intended to. Oops! Murphy Law also assures that somebody will make a stupid typo in a config file and will execute an unitended code which will affect the rest of a program. I do not have harmful examples right now but life will provide something like that one day. :-) Also puzzles like "Disk Usage Monitor" should not pretend to be program identifiers in mail. At minimum this should be "Disk Usage Monitor (diskcheck)". I realize now that it is possible to fix that in a config file but I should not have a head scratcher about what was sending that in the first place.
> I do not think that you understand security implications. Try me ... > Some "junior administrator" may have a write access to a configuration file > (ownership and permits do not have be like in times of an installation) > without owning /etc. > That kind of "pseudo-parsing" with 'exec' is a VERY BAD IDEA in any > language. A program is running from cron and you are finding yourself > executing with root priviledges a code you never intended to. Oops! Agreed ... (note: I would never do that :) > Murphy Law also assures that somebody will make a stupid typo in a config > file and will execute an unitended code which will affect the rest of a > program. I do not have harmful examples right now but life will provide > something like that one day. :-) I hate that "Murphy"! > Also puzzles like "Disk Usage Monitor" should not pretend to be program > identifiers in mail. At minimum this should be "Disk Usage Monitor > (diskcheck)". > I realize now that it is possible to fix that in a config file but I should > not have a head scratcher about what was sending that in the first place. Agreed.
fixed in diskcheck-1.2-1