Timothy Luoma asked,
| I know I've seen references to how to have procmail respond to
| commands, but that these commands should be limited (i.e. no
| destructive commands, rm, etc.)
|
| Does anyone have a pointer to a good way to do this?
If the commands are all executables (as contrasted to shell built-ins), and
if you can work with a list of what commands are permitted (as contrasted
to a list of what commands are forbidden), here's a suggestion.
Set up a directory of symlinks to the real locations of the executables.
Call it, say, $HOME/safelinks/. If ls is OK to use, make a symlink named
$HOME/safelinks/ls that points to the real ls executable. If rm is not
OK to use, *don't* symlink the real rm executable into $HOME/safelinks/.
Then
OLDPATH=$PATH
PATH=$HOME/safelinks
[recipes that must be guarded]
PATH=$OLDPATH
That way, during the recipes in the middle, procmail (and any shell it
invokes; be sure that $SHELL is defined by a full path) can run only the
programs that have links in $HOME/safelinks/. Any attempt to run any
other executable will fail.