by fao_ 2339 days ago
My main question is why isn't /bin/sh being executed with -r -- restricted mode? It seems weird that a safety-critical piece of code would just call out to /bin/sh without doing that, especially on OpenBSD?

My question is why are they using /bin/sh at all? system() and friends that execute /bin/sh are almost always a source of vulnerabilities.

https://bonedaddy.net/pabs3/log/2014/02/17/pid-preservation-...

This is a good question. Ideally (given the existing model) they would template an execv argv array, rather than a string to pass to sh(1), and execv() the MDA directly. It does not seem like the full generality of a shell is needed for pointing an smtpd at an MDA.

Of course, the reason they're invoking an external MDA is because this is classically how smtpds and local mail delivery are separated. Is there a great reason for that? Not really. The MDA could be embedded in the smtpd.
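The argv-versus-shell-string distinction the reply above describes, as an added example in C; this is not code from OpenSMTPD or from anyone in this thread, and the MDA path and recipient value are placeholders.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Placeholder MDA path; a real smtpd would take this from its config. */
#define MDA_PATH "/path/to/mda"

/* Shell-string form: the recipient is interpolated into one string that
 * /bin/sh will parse, so any shell metacharacters in it change the
 * command that runs. Returns 0 on success, -1 if the buffer is too small. */
int mda_command_string(const char *recipient, char *buf, size_t len) {
    int n = snprintf(buf, len, "%s %s", MDA_PATH, recipient);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* argv form: the recipient is a single argv element that no shell ever
 * parses, so a constructed value such as "bob; echo injected" reaches the
 * MDA verbatim as one argument. Returns the element count before NULL. */
int mda_argv(const char *recipient, const char *argv[], int max) {
    if (max < 3) return -1;
    argv[0] = MDA_PATH;
    argv[1] = recipient;
    argv[2] = NULL;
    return 2;
}

/* Fork and execv the MDA directly; /bin/sh is not involved at all.
 * Returns the MDA's exit status, or -1 on failure to spawn or wait. */
int run_mda(const char *recipient) {
    const char *argv[3];
    if (mda_argv(recipient, argv, 3) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execv(argv[0], (char *const *)argv);
        _exit(127);               /* only reached if execv itself fails */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```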

Restricted mode provides hardly any protection against untrusted code.

Also, it's a bashism. It's not implemented by OpenBSD's /bin/sh.

OpenBSD uses mksh which includes a restricted mode (http://www.mirbsd.org/htman/i386/man1/mksh.htm)
Oh? https://man.openbsd.org/sh.1 doesn't mention -r.
OpenBSD started out as pdksh I believe, not mksh. But it still has a restricted mode.

https://man.openbsd.org/ksh.1#AUTHORS