In Dallman Ross' previous letter:
grep Mprog /etc/sendmail.cf
Mprog, P=/usr/local/etc/smrsh, F=lsDFM, S=10, R=20, A=sh -c $u
For security reasons, it is not possible to extend the restrictions of
smrsh (the Sendmail restricted shell, which, on CERT's recommendation, is
meant to avoid sendmail's vulnerabilities).
I suppose I will have to try and go with David Tamkin's kind suggestion for
filter,
always execute /u/iued/hh0/.dman/bin/procmail
This should work already.
Meanwhile, if anyone would like to compose a retort to the above reply and
send it to me, I'll try to work further at persuading t.p.t.b. to add
procmail to the list.
Well, several things actually:
1. They seem to be running sendmail 5.64, which has got a lot more security
holes than just the hole smrsh covers. (Maybe this is not such a popular
point to bring up in this case :-). They should be upgrading to
sendmail 8.7.1 to close them all, and then they can get rid of smrsh
too.
2. Ask your sysadmin *why* filter is in the approved list and procmail isn't?
Because filter is generally known to have more bugs (and perhaps security
holes) than procmail.
--
Sincerely,
srb(_at_)cuci(_dot_)nl
Stephen R. van den Berg (AKA BuGless).
Auto repair rates: basic labor $40/hour; if you wait, $60; if you watch, $80;
if you ask questions, $100; if you help, $120; if you laugh, $140.