"Tony Zamora" <zamora(_at_)VNET(_dot_)IBM(_dot_)COM> writes:
Philip Guenther wrote,
BTW: why do you want to do this?
It's to avoid a security issue. We deliver mail to mailboxes in
users' home directories (stored in AFS). In order to be able to write
to the mailbox, we have to run procmail with an AFS token for a
principal called "postman." Postman has access rights to the users'
mail directories. We want to avoid users being able to run arbitrary
programs with a postman token. By running pagsh, they can still use
whatever programs they want to process their mail (as long as it works
as a filter), and we don't have to worry about them messing with
someone else's mailbox.
Hmm, I see other problems with this. What's to stop someone from just
saying:
:0 fbi
| echo "Something to drop in Bob's mail directory"
:0
/home/users/bob/mail/whatever
How does having the "postman" AFS token affect the kernel's permission
checks? If you have that token, do have unlimited access to all the
user's mail directories, regardless of your UID, or do the normal
checks still apply (e.g., must by root or the user to write a 600
file). If the latter, then things should be fine, but if the former,
then you'll need to hack procmail *much* more in order to make it
secure, moving into it the checks that it currently expects the kernel
to be making.
You should probably also talk with Stephen (the author) and see what
his take on this is.
Philip Guenther