OpenBSD Journal

Sendmail inside Jailed Apache/PHP Environment

Contributed by jose on from the interior-design dept.

anonymous writes:
"Hi, I am setting up a website that is using PHP. The web site tries to send out e-mails by using the following PHP command:
$cmd = "/bin/echo \"" . $msg . "\" | /usr/sbin/sendmail -t -i";
exec($cmd);
This works if I ensure Apache is not running in the default jailed environment. I would like to have some mechanism for sending an email message from the jailed environment.

Has anyone else done this? Any suggestions would be greatly appreciated."

While this isn't a secure way at all to handle email submissions from HTTP POST operations, it does raise the question of what methods people have found to run a PHP system with the chrooted Apache in 3.3. Anyone care to share their setup scripts and methods?



Comments
  1. By Anonymous Coward () on

    Uh, why not just copy echo and sendmail into the jail?

    That's a really really horrible way of doing it in the first place.

  2. By paulc () on

    Assuming you have a local SMTP server you can try mini_sendmail from http://www.acme.com/software/mini_sendmail - you need to set the PHP sendmail path in php.ini.

    Here is the description from the site:

    "mini_sendmail reads its standard input up to an end-of-file and sends a copy of the message found there to all of the addresses listed. The message is sent by connecting to a local SMTP server. This means mini_sendmail can be used to send email from inside a chroot(2) area"

  3. By Anonymous Coward () on

    BAWHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHA

    Comments
    1. By Anonymous Coward () on


      Ah, the concise elegance of cut and paste.

    2. By AC () on

      Thanks to your humorous comment, this page is totally screwed. What about limiting the number of characters in one line?

  4. By Peter Hessler () spambox@theapt.org on http://www.theapt.org

    Why don't you just send the message to 127.0.0.1:25? That will allow you to *not* use sendmail in your jailed environment. I'm sure there are programs that are sendmail syntax compatible that are designed for this purpose.

  5. By knomevol () on

    why are you building that exec command when you could use the mail function?

    Comments
    1. By Benny Siegert () on

      Because that function just calls /sbin/sendmail? :)

  6. By Clint () schwack@neotrance.dyndns.org on mailto:schwack@neotrance.dyndns.org

    Or just write your own php function like this.....


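    function send_email($to, $sender_email, $subject, $mailheaders, $msg)
    {
        // Assumption: $MX_host (the mail server's host name) is set elsewhere in the script
        global $MX_host;
        // fsockopen() takes $errno/$errstr by reference itself; no & at the call site
        $connection = fsockopen($MX_host, 25, $errno, $errstr, 1);
        // SMTP lines end in CRLF; the server's replies are not read here
        fputs($connection, "HELO domain.com\r\n");
        fputs($connection, "MAIL FROM: $sender_email\r\n");
        fputs($connection, "RCPT TO: emailaddress@domain.com\r\n");
        fputs($connection, "DATA\r\n");
        fputs($connection, "Subject: $subject\r\n$mailheaders\r\n$msg\r\n.\r\n");
        fputs($connection, "QUIT\r\n");
        fclose($connection);
    }

    send_email($to, $sender_email, $subject, $mailheaders, $msg);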

    Comments
    1. By Anonymous Coward () on

      Unfortunately, that won't check for errors, and it won't handle single lines that contain only a dot--a malicious user would be able to use that script to send anonymous emails anywhere.

      Comments
      1. By clint () schwack@neotrance.dyndns.org on mailto:schwack@neotrance.dyndns.org

        That's just an example. You can easily put in fgets() to provide error checking, have it log this email to a file, and do all sorts of input verification.

        In my forms for example, all the $var's are checked and "cleaned" before that function is called. It would take all but 20 minutes of coding to expand this example to something usable, which is still a lot quicker than trying to chroot sendmail, or get php's mail() to work.
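The checks discussed in this sub-thread (reading the server's replies, handling lines that contain only a dot, refusing CR/LF in addresses and headers), as an added example that is not Clint's code or part of the original thread. The function names `smtp_expect`, `dot_stuff` and `send_email_checked` and the `HELO localhost` greeting are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. All function names are hypothetical.

function smtp_expect($conn, string $want): void
{
    do {    // multi-line replies read "250-..." until the final "250 ..."
        $line = fgets($conn, 1024);
        if ($line === false) throw new RuntimeException('SMTP connection lost');
    } while (isset($line[3]) && $line[3] === '-');
    if (strncmp($line, $want, 3) !== 0) {
        throw new RuntimeException('unexpected SMTP reply: ' . trim($line));
    }
}

function dot_stuff(string $body): string
{
    $body = preg_replace('/\r\n|\r|\n/', "\r\n", $body);  // normalise line endings to CRLF
    return preg_replace('/^\./m', '..', $body);           // double any leading dot
}

function send_email_checked(string $host, string $from, string $to, string $subject, string $msg): void
{
    foreach ([$from, $to] as $addr) {       // also rejects CR/LF and angle brackets
        if (filter_var($addr, FILTER_VALIDATE_EMAIL) === false) {
            throw new InvalidArgumentException('bad address');
        }
    }
    if (preg_match('/[\r\n]/', $subject)) throw new InvalidArgumentException('CR/LF in subject');

    $conn = fsockopen($host, 25, $errno, $errstr, 5);
    if ($conn === false) throw new RuntimeException("connect failed: $errstr ($errno)");
    stream_set_timeout($conn, 10);
    $data = "From: $from\r\nTo: $to\r\nSubject: $subject\r\n\r\n" . dot_stuff($msg) . "\r\n.";
    $steps = [[null, '220'], ['HELO localhost', '250'], ["MAIL FROM:<$from>", '250'],
              ["RCPT TO:<$to>", '250'], ['DATA', '354'], [$data, '250'], ['QUIT', '221']];
    try {
        foreach ($steps as [$cmd, $code]) {   // send each command, then insist on its reply code
            if ($cmd !== null) fwrite($conn, $cmd . "\r\n");
            smtp_expect($conn, $code);
        }
    } finally {
        fclose($conn);
    }
}

// Constructed body with a lone-dot line: it goes out as "..", so DATA is not ended early.
var_dump(dot_stuff("line one\n.\nline three") === "line one\r\n..\r\nline three");
```

Inside the chroot this needs only a TCP connection to the local SMTP listener, so no binaries have to be copied into the jail.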

  7. By Josh () selerius at codefusion dot org on codefusion dot org

    there is a php mail class available that seems to work fairly well. I have used it on several occasions, and plan on using it in the future.

    http://phpmailer.sourceforge.net

  8. By grange () on

    Pretty security bug in such usage of exec().

  9. By drama () drama.4t.slakin.dot.net on www.slakin.net

    Maybe check out the PHP documentation for Mail() syntax as well as other user examples.

    I'm not trying to say rtfm, but the php documentation is really helpful for the most part.

    * * * * *
    Matt
    d-a7-slakin-d0t-net.

  10. By Anonymous Coward () on

    Isn't this a lot worse than "not very secure"..?

    If a person were able to get their own chosen text into $msg (perhaps by making it part of their name, or email address), aren't you letting them write their own shell command to be executed inside your chroot? Granted, maybe that limits the damage they can do, but it'd still suck if they got away with "cd /; rm -rf *"
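The risk described in comment 10 comes from building a shell command line out of `$msg`. As an added example that is not part of the original thread, the sketch below hands the message to the mailer on standard input with no shell involved; `pipe_to_mailer` is a hypothetical name, the message is constructed sample input, and `/bin/cat` stands in for the mailer so the demo runs without sendmail. It assumes PHP 7.4 or later, where `proc_open()` accepts an argument array and starts the program directly.

```php
<?php
// Added example, not code from the thread. pipe_to_mailer() is a hypothetical helper.
// With an array command, proc_open() (PHP 7.4+) executes the program without a shell,
// so quotes, semicolons and backticks in the message are never interpreted.

function pipe_to_mailer(array $argv, string $message): array
{
    $spec = [
        0 => ['pipe', 'r'],   // child's stdin: the message is written here
        1 => ['pipe', 'w'],   // child's stdout
        2 => ['pipe', 'w'],   // child's stderr
    ];
    $proc = proc_open($argv, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('cannot start ' . $argv[0]);
    }
    fwrite($pipes[0], $message);
    fclose($pipes[0]);        // EOF marks the end of the message
    $out = stream_get_contents($pipes[1]);
    $err = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    return ['exit' => proc_close($proc), 'stdout' => $out, 'stderr' => $err];
}

// Constructed input: a form value carrying shell metacharacters.
$msg = "To: webmaster@example.org\nSubject: form\n\nhello\"; id; echo \"\n";

// /bin/cat is a stand-in so the result can be inspected; the real argument list
// would be ['/usr/sbin/sendmail', '-t', '-i'] or a mini_sendmail binary in the jail.
$r = pipe_to_mailer(['/bin/cat'], $msg);

// The stand-in echoes its stdin, so identical bytes mean nothing was executed.
var_dump($r['exit'] === 0 && $r['stdout'] === $msg);
```

With `-t` the recipients are taken from the message headers, so any user-supplied value placed in a header still has to be rejected if it contains CR or LF.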

  11. By Raymond Morsman () raymond@openminds.nl on http://www.openminds.nl/chrootsendmail.tar.gz

    Hi,

    a friend of mine played with the sendmail config until he made it work.

    The result can be found at:

    http://www.openminds.nl/chrootsendmail.tar.gz

    Works perfectly, I used to run a script of my own for the last years, but this one is easier.

    Raymond.

    Comments
    1. By Bard (62.97.242.6) base@voop.no on

      > Hi,
      >
      > a friend of mine played with the sendmail config until he made it work.
      >
      > The result can be found at:
      >
      > http://www.openminds.nl/chrootsendmail.tar.gz
      >
      > Works perfectly, I used to run a script of my own for the last years, but this one is easier.

      Too bad his site is down

  12. By bolke () bolke@xs4all.nl on http://www.skoll.nl

    Do not use the internal mail() function of PHP. It does not work with SMTP on BSD/*nix machines, strangely enough.

    Grab something such as an SMTP class (see freshmeat) and use that. No need for copying etc, a lot nicer too.

    Comments
    1. By drama () dr4ma-at-slakin-d0t-net on www.slakin.net/?page=contact

      Really? That is odd, I have mail() working on OpenBSD 3.2, FreeBSD 4.4, 4.6, 4.7 and Linux.
      Not to flame you, but don't post something if you don't know your facts.

      --Matt

      Comments
      1. By bolke () bolke@xs4all.nl on mailto:bolke@xs4all.nl

        I actually tested it, and it was confirmed when searching for it on the Net.

        But I would really like to be convinced otherwise.

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]