[PHP] sendmail smrsh symlinks not working against php scripts
Hello.

I am trying to forward the e-mails received to one address towards a php script, under CentOS 4 (RHEL). I am trying all I can but nothing does.

I have edited my /etc/aliases file and added this line.

ecard-bounce: "|/usr/bin/php /etc/smrsh/ecardbounce.php"

Then, of course I do a 'newaliases'.

In my /etc/smrsh I have placed the symbolic link defined above, which has been created this way:

ln -s /home/my/scripts/ecardbounce.php /etc/smrsh/ecardbounce.php

When using this configuration, I get the following error back by email:

- The following addresses had permanent fatal errors -
"|/usr/bin/php /etc/smrsh/ecardbounce.php"
(reason: 255)
(expanded from: <[EMAIL PROTECTED]>)

- Transcript of session follows -
Status: 404
Content-type: text/html
X-Powered-By: PHP/4.3.9

No input file specified.
554 5.3.0 unknown mailer error 255

However, if I put a hardlink instead of the symlink, all works fine! The permissions of the symlink and the file linked are all 777.

Has anyone already had this problem before, or would anyone have an idea of the cause?

Thanks,
Daniel
Re: [PHP] sendmail smrsh symlinks not working against php scripts
However, if I put a hardlink instead of the symlink, all works fine! The permissions of the symlink and the file linked are all 777. Has anyone already had this problem before, or would anyone have an idea of the cause?

smrsh itself may disallow symlinks. Wouldn't surprise me.

Why not just use #!/usr/bin/php -q at the top of your PHP script?

I cannot do this, because the script itself is not executed. The e-mail I sent from within this script does not arrive when it is failing. But it works well with a hardlink. I didn't expect smrsh to prevent symlinks.

When I contact sendmail people, they tell me it is a PHP problem. Would you agree that this is not the case, and merely to have to do with smrsh?

Thanks,
Daniel

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] sendmail smrsh symlinks not working against php scripts
smrsh itself may disallow symlinks. Wouldn't surprise me.

Why not just use #!/usr/bin/php -q at the top of your PHP script?

Something else to my previous answer. Here is the answer of the sendmail guys. Maybe they are still right? Would PHP have a problem to handle symlinked input files? I have the security mode disabled in the php.ini file.

Thanks,
Daniel

This is a poor place to find an answer, because the one thing that stands out is that this is a problem with php, not Sendmail, and this is a Sendmail newsgroup not a php newsgroup.

Your dangerously outdated version of php is running and emitting an error ("No input file specified.") that doesn't make sense outside of php, but probably indicates special handling done by php when given a symlink instead of a regular file. Looking at the output there, I'd *guess* that you have php set up wrong for this sort of use. I'm not a php expert, so I won't try to guess at a fix.
Re: [PHP] sendmail smrsh symlinks not working against php scripts
However, if I put a hardlink instead of the symlink, all works fine! The permissions of the symlink and the file linked are all 777. Has anyone already had this problem before, or would anyone have an idea of the cause?

smrsh itself may disallow symlinks. Wouldn't surprise me.

Why not just use #!/usr/bin/php -q at the top of your PHP script?

I cannot do this, because the script itself is not executed.

What exactly do you want to happen then?

I would simply like the script to be executed, when passed as a symlink as argument, instead of a hardlink. The problem is that when I specify the script to be executed (ecardbounce.php) as being a symlink, in the /etc/aliases like this:

ecard-bounce: "|/usr/bin/php /etc/smrsh/ecardbounce.php"

then the script isn't executed. However, when I replace the symlink by a hardlink to the same located script, then it works fine with no problems.

This is why there might be a problem with the php interpreter refusing to execute a file which is a symlink, and requires the input file to be a real file or a hardlink. I thought that we would be able to pass a symlink, but maybe this is not allowed by php?

Also, I am using the version 4.3.9-3.22.4 on my server (default centos 4.4 version)

Thanks,
Daniel
Re: [PHP] sendmail smrsh symlinks not working against php scripts
On Fri, April 20, 2007 10:27 am, dan1 wrote:

I would simply like the script to be executed, when passed as a symlink as argument, instead of a hardlink. The problem is that when I specify the script to be executed (ecardbounce.php) as being a symlink, in the /etc/aliases like this:

ecard-bounce: "|/usr/bin/php /etc/smrsh/ecardbounce.php"

then the script isn't executed. However, when I replace the symlink by a hardlink to the same located script, then it works fine with no problems.

I don't think you should be allowing the php binary to be run like that... It's just too easy for some hacker email to run arbitrary PHP code on your box this way, as I understand it...

At least that's my recollection of how you do NOT want to set up:

sendmail | smrsh | php

The "Right Way" to make sure that only the script you WANT to run is run is to put the actual PHP script in the /etc/smrsh directory, use #! at the top of it, and sendmail pipe the data to the executable .php script.

I don't understand what you mean. A lot of people are using the smrsh/sendmail combination to run scripts on their site. More often they use cgi instead of PHP, and now it seems that you are saying that PHP is not a good thing to use with sendmail/smrsh. You are saying that it is not safe to use smrsh/php, yet smrsh has been specifically designed to use sendmail/scripts in a secure way (it stands for restricted shell).

How do you explain that the 'sympa' production level bulk email program does use symlinks with sendmail and smrsh the exact same way I do, wouldn't they know that this would be a potential security breach?
Also, I did follow exactly the recommendation of smrsh on how to setup symlinks with sendmail and interpreters: http://www.faqs.org/docs/securing/chap22sec182.html

I think that I do things the right way, just as many others who use php scripts with sendmail to handle e-mail bounces do it, because putting the real file in /etc/smrsh or putting a link to the file in the same directory doesn't present any security difference, as the script will be executed exactly the same way, and if a hacker can have access to the symlink, then he will also be able to have access to the real file.

Else, I have the safe mode set to off, so the php.ini configuration should not be the problem.

Anyway, thanks for your answers Richard, because it helped me to develop my understanding about this problem. I will try to put it in the bug database. Thanks again for your support.

Regards,
Daniel
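
An added example, not part of the thread and not code from sendmail, smrsh or PHP: a shell audit of an smrsh program directory that reports the conditions raised above, namely a world-writable script (mode 777), a symlink target below a directory that other users cannot search (which a hard link inside /etc/smrsh does not depend on), and an interpreter placed in the directory. The function names and finding labels are invented for illustration, only the "other" permission bits are checked, and whether directory permissions caused the failure in this thread is an assumption the thread does not confirm.

```shell
#!/bin/sh
# Added example (not from the thread): audit entries of an smrsh program
# directory. It inspects mode bits only, so results do not depend on who runs it.

# has_mode PATH BITS: true if PATH has all permission bits in BITS set.
has_mode() { [ -n "$(find "$1" -maxdepth 0 -perm "-$2" 2>/dev/null)" ]; }

# audit_entry PATH: print one finding per line for a single smrsh entry.
audit_entry() {
    entry=$1
    case $(basename "$entry") in
        php|perl|python|sh|bash|csh|ksh)
            # smrsh restricts the program name, not the script given to it.
            echo "INTERPRETER $entry" ;;
    esac
    # Resolve symlinks; a hard link resolves to its own path in the smrsh dir.
    target=$(readlink -f "$entry") && [ -e "$target" ] || {
        echo "BROKEN-LINK $entry"; return 0; }
    # Mode 777, as in the thread, lets any local user rewrite code that
    # runs on mail delivery.
    if has_mode "$target" 0002; then echo "WORLD-WRITABLE $target"; fi
    # Following a symlink needs search (x) permission on every directory of
    # the target path. Assumption: the delivery user is neither owner nor
    # group member of these directories, so only the "other" bit counts.
    dir=$(dirname "$target")
    while :; do
        has_mode "$dir" 0001 || echo "DIR-NOT-SEARCHABLE $dir"
        [ "$dir" = "/" ] && break
        dir=$(dirname "$dir")
    done
}

# audit_dir DIR: audit every entry in DIR (for example /etc/smrsh).
audit_dir() {
    for e in "$1"/*; do
        [ -e "$e" ] || [ -L "$e" ] || continue
        echo "== $e"
        audit_entry "$e"
    done
}

# Stand-alone use: sh audit.sh /etc/smrsh
if [ "$#" -gt 0 ]; then audit_dir "$1"; fi
```
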