o when invoking the mailer as root use a hard-coded environment that

  doesn't include any info from the user's environment.  Basically
  paranoia.

o Add support for the NO_ROOT_MAILER compile-time option and run the
  mailer as the user and not root if NO_ROOT_MAILER is defined.

diff --git a/logging.c b/logging.c
index e0456379b1f44070b7b5608b77a194f9e51fbd1f..56f15b6a9944ac9e339378c7b85772f2039ea32a 100644 (file)
--- a/logging.c
+++ b/logging.c
@@ -439,6 +439,15 @@ send_mail(line)
     char *p;
     int pfd[2], pid, status;
     sigset_t set, oset;
+#ifndef NO_ROOT_MAILER
+    static char *root_envp[] = {
+       "HOME=/",
+       "PATH=/usr/bin:/bin",
+       "LOGNAME=root",
+       "USER=root",
+       NULL
+    };
+#endif
 
     /* Just return if mailer is disabled. */
     if (!def_str(I_MAILERPATH) || !def_str(I_MAILTO))
@@ -493,9 +502,17 @@ send_mail(line)
                /* Close password file so we don't leak the fd. */
                endpwent();
 
-               /* Run mailer as root so user cannot kill it. */
+               /*
+                * Depending on the config, either run the mailer as root
+                * (so user cannot kill it) or as the user (for the paranoid).
+                */
+#ifndef NO_ROOT_MAILER
                set_perms(PERM_FULL_ROOT, 0);
+               execve(mpath, argv, root_envp);
+#else
+               set_perms(PERM_FULL_USER, 0);
                execv(mpath, argv);
+#endif /* NO_ROOT_MAILER */
                _exit(127);
            }
            break;