Newsgroups: comp.mail.sendmail
Path: utzoo!utgpu!trigraph!john
From: john@trigraph.uucp (John Chew)
Subject: Re: uudecode alias
Message-ID: <1990May25.160519.18030@trigraph.uucp>
Sender: "John J. Chew"
Reply-To: "John J. Chew"
Organization: Trigraph Inc., Toronto, Canada
References: <7591@ur-cc.UUCP>
Date: Fri, 25 May 90 16:05:19 GMT

In <7591@ur-cc.UUCP> Mark Sirota writes:
>Most sendmails seem to come with the following line in the aliases database:
> decode: "|/usr/bin/uudecode"
>
>Why? What purpose does this serve? It won't work on our system anyway
>since we don't have uudecode in /usr/bin, so either nobody's complaining or
>nobody uses it. My concern is that it needs to be there for some program or
>something.
>
>So what's the net.wisdom on this one? Kill it? It seems like it might be
>a bit of a security hole, too, but I'd rather not go into any more detail
>than that here.

It's just there for the purpose documented in uuencode(1): so that
people can send binary files to your system using "uuencode source
dest | mail site!...!site!decode". If you're worried about security,
two easy things to do are to replace the alias with a pipe to a script
which sed's off any pathnames, and to rename the alias to something
other than its standard name. Or even better, just leave it disabled
for maximum security.

John
--
john j. chew, iii                phone: +1 416 425 3818    AppleLink: CDA0329
trigraph, inc., toronto, canada  {uunet!utai!utcsri,utgpu,utzoo}!trigraph!john
dept. of math., u. of toronto    poslfit@{utorgpu.bitnet,gpu.utcs.utoronto.ca}
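
The "script which sed's off any pathnames" suggested in the reply above could look like the following filter. It is an added example, not part of the original post or of sendmail. It rewrites the uuencode header line (`begin MODE NAME`) so NAME is a bare filename. The function name, the `unnamed` fallback and the spool directory in the comment are assumptions, and awk is used in place of sed.

```shell
#!/bin/sh
# Added example: header filter for a uudecode mail alias (hypothetical names).
# Intended use inside the alias's wrapper script, with an assumed spool dir:
#   sanitize_uu_header | (cd /hypothetical/uuspool && /usr/bin/uudecode)

sanitize_uu_header() {
    awk '
    /^begin [0-7]+ / {
        mode = $2
        name = $0
        sub(/^begin [0-7]+ /, "", name)      # text after the mode field
        sub(/.*\//, "", name)                # drop every directory component
        gsub(/[^A-Za-z0-9._-]/, "_", name)   # conservative character set
        sub(/^\.+/, "", name)                # no ".", ".." or dot-files
        if (name == "") name = "unnamed"     # assumed fallback name
        print "begin", mode, name
        next
    }
    { print }                                # all other lines pass unchanged
    '
}

# Constructed sample message (not real mail); the body encodes the bytes "cat".
sample_message() {
    cat <<'EOF'
Subject: constructed sample

begin 644 /some/dir/../report.txt
#8V%T
`
end
EOF
}

# Show the rewritten header; nothing is decoded or written to disk here.
sample_message | sanitize_uu_header | grep '^begin '
```

Every line matching the header pattern is rewritten, not only the first, so the filter does not depend on which `begin` line a given uudecode picks up.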