procmail

Re: Question.

1997-02-27 11:38:07
Stefan Monnier <monnier+/news(_at_)TEQUILA(_dot_)SYSTEMSZ(_dot_)CS(_dot_)YALE(_dot_)EDU> writes:
> Philip Guenther <guenther(_at_)gac(_dot_)edu> writes:
>> "host"); the 'S' flag makes sendmail run procmail as root instead of
>> as daemon or the delivering user
>
> Why is this desirable?

Because it probably doesn't matter. ;-)

I'm cc'ing this response to the list, in case others wonder about this.

Let's look at the options:


                               |            sendmail runs as root
procmail      sendmail isn't   |        Mlocal has S flag    | No S flag
  is          running as root  | no U directive | U=non-root |
           +-------------------+----------------+------------+-----------+
setuid-root|       works       |      works     |   works    |   works   |
           |        **         |  uid is root** |    **      |    ***    |
-----------+-------------------+----------------+------------+-----------+
not setuid |   doesn't work    |      works     |   doesn't  |  doesn't  |
           |                   |  uid is root** |    work    |   work    |
           +-------------------+----------------+------------+-----------+

** The uid or gid involved should be in procmail's TRUSTED_IDS list to
   avoid bogus "From " headers.

*** Like '**', but the uid/gid involved is now either the value of the
    U= directive, or the value of the DefaultUser option.  Furthermore,
    if you have multiple users with the same uid, then they'll get bogus
    "From " headers on their outgoing mail.


When it says "doesn't work" in the table, it means "mail won't be
delivered!" Therefore if procmail isn't setuid root, then the S flag is
your only hope for getting things to work.  I suspect this is the
reason behind the recommendation in the documentation.

If procmail is setuid-root then your options are considerably greater.
The final caveat on the *** comment above is not particularly troubling
(why do/would you have multiple users with the same uid?), so you just
have to make sure that sendmail invokes procmail with either a uid or a
gid on the TRUSTED_IDS list, or with the uid of the envelope sender.
Note that it's *impossible* to have sendmail invoke procmail as the
_receiving_ user, so don't try suggesting that.

Anyway, as long as you meet the TRUSTED_IDS constraint, you can do just
about whatever you want.  Which is the most secure?  If you're running
sendmail as root, and procmail is setuid root, then it really doesn't
matter.  The next security hole in sendmail isn't going to be in its
execing of mailers but in its own processing of the message.  Choose
something that works and forget about it.

Philip Guenther
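
The table in the message above can be checked against a real configuration. The following is an added example, not part of the original post: it parses the Mlocal definition from sendmail.cf text, reads the F= flags and any U= directive, and returns the table's verdict plus the id that has to be covered by TRUSTED_IDS. The function names and sample cf fragments are constructed for illustration, and treating U=root like a missing U directive is an assumption the table does not state.

```python
import re
import stat

# Constructed sample sendmail.cf fragments (not from the post).
CF_WITH_S = ("Mlocal,\tP=/usr/bin/procmail, F=lsDFMShP, S=10, R=20,\n"
             "\t\tA=procmail -a $h -d $u\n")
CF_NO_S = CF_WITH_S.replace("F=lsDFMShP", "F=lsDFMhP")
CF_S_AND_U = CF_WITH_S.replace("R=20,", "R=20, U=mail:mail,")

def parse_mlocal(cf_text):
    """Return (F= flags, U= value or None) for the Mlocal mailer."""
    # Continuation lines start with whitespace; fold them onto the M line.
    joined = re.sub(r"\n[ \t]+", " ", cf_text)
    for line in joined.splitlines():
        if line.startswith("Mlocal,"):
            # A= (argv) comes last and may contain commas, so cut it off.
            body = re.split(r",\s*A=", line, maxsplit=1)[0]
            fields = dict(f.strip().split("=", 1)
                          for f in body.split(",")[1:] if "=" in f)
            # Note: the S= field is a rewriting ruleset; the 'S' flag
            # discussed in the post is a character inside F=.
            return fields.get("F", ""), fields.get("U")
    raise ValueError("no Mlocal definition found")

def delivery_outcome(cf_text, procmail_mode, procmail_owner_uid,
                     sendmail_is_root):
    """Return (works, id that must be on TRUSTED_IDS) per the table."""
    flags, user = parse_mlocal(cf_text)
    setuid_root = (bool(procmail_mode & stat.S_ISUID)
                   and procmail_owner_uid == 0)
    has_s = "S" in flags
    # Assumption: U=root behaves like no U directive at all.
    u_nonroot = (user is not None
                 and user.split(":")[0] not in ("root", "0"))
    if sendmail_is_root and has_s and not u_nonroot:
        return (True, "root")            # works with or without setuid
    if not setuid_root:
        return (False, None)             # "mail won't be delivered!"
    if not sendmail_is_root:
        return (True, "invoking uid")    # ** case
    if has_s:
        return (True, "U= value")        # ** case
    return (True, "U= value or DefaultUser")   # *** case

if __name__ == "__main__":
    for name, cf in (("S", CF_WITH_S), ("no S", CF_NO_S),
                     ("S+U", CF_S_AND_U)):
        for mode in (0o755, 0o4755):
            print(name, oct(mode), delivery_outcome(cf, mode, 0, True))
```

On a live system the mode and owner arguments would come from `os.stat()` on the procmail binary.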
