procmail

Re: Preventing execution of arbitrary programs

1997-05-12 18:43:00
Eric Daniel wrote:

For security purposes, I would like to prevent users from executing arbitrary
commands on my mail hub by using smrsh. I disabled the logins on that
machine, and a .forward with a pipe would be a way to turn around that
restriction.

At the same time, it would be nice to allow procmail, but then, of course,
the pipe action kind of defeats the purpose of smrsh.

So my questions are:
 1) Assuming the pipe action is disabled, can I be sure that procmail does not
provide any other way of executing commands?

 2) Has anyone else attempted to disable it (the source of procmail looks a
little, hemm, obfuscated, and I'm not sure what I would need to change)

 3) Same questions about formail

Thanks,

--
Eric Daniel  -- System administrator
edaniel(_at_)ee(_dot_)tamu(_dot_)edu
Dept. of Electrical Engineering, Texas A&M University
phone: (409) 845 7530    fax: (409) 845 6259
finger edaniel(_at_)ee(_dot_)tamu(_dot_)edu for PGP public key

I'm no procmail expert, but as of this weekend, I have enabled smrsh on
our primary mailhub, running under sendmail-8.8.5, with procmail allowed
under smrsh.  I haven't encountered any problems yet at the individual
user level.

I've studied the documentation that came with procmail, and felt that
procmail was so useful that I didn't want to be a security fascist and
prevent users from using procmail.  At the individual user level, I feel
that procmail is pretty secure, especially in the way it handles
setuid.  I'm so impressed by procmail that I may use it in place of
/bin/mail as the local delivery agent on my mail server.  I'd also like
to use procmail as a global mail filter as part of my sendmail
configuration, since all the check_compat()-based anti-spam measures
I've implemented only deal with envelopes, not message headers or
bodies.  Spammers are getting nastier and sneakier all the time, and
check_compat() can't stop spam bounced off innocent relays that I'm
not already blocking; the ability to filter based on "Received-from"
lines and headers, and even message body content, is the only way to
stop them *cold*, in my opinion.

After looking things over, the only point of concern that I have found
security-wise with procmail is with /etc/procmailrc.  From the
documentation, it appears that anything run through the global
/etc/procmailrc runs as root, at least briefly (if procmail is run
setuid root, as recommended).  I'd hate to have to constantly check that
somebody hasn't created a rogue /etc/procmailrc file that defeats the
smrsh restrictions I have put in place.

Anybody care to enlighten me on their experiences using procmail as a
global mail filter from their Berkeley V8 sendmail configuration?  I'd
be willing to put up with a lot of aggravation to frustrate spammers and
hackers. :)

-- 
Tim (The Timster) Wynn

"Our doubts are traitors, 
And make us lose the good we oft might win
By fearing to attempt."
                    Shakespeare, Measure For Measure, Act i. Sc.4
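The two concerns raised in this thread, whether a procmail rc file contains anything that runs a program once the pipe action is in question, and whether a rogue /etc/procmailrc has appeared, can be turned into a routine check. The script below is an added example written for this page, not code from either poster or from the procmail distribution; it assumes POSIX sh with grep, ls, awk and cut, and the sample recipes it writes to a temp directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: audit procmail rc files for the
# constructs that hand control to an external program, and sanity-check
# the global /etc/procmailrc the reply worries about. Assumes POSIX sh,
# grep, ls, awk and cut; paths are passed as arguments.

# Exit 0 if the rc file contains any construct that executes a program:
#   - an action line beginning with "|" (pipe action)
#   - a condition of the form "* ? program" (exit-code condition)
#   - a backquoted `command` substitution (flagged for review even in comments)
# Exit 1 if none is present (recipes only deliver to mailboxes or forward).
procmail_rc_executes() {
    rc="$1"
    grep -Eq '^[[:space:]]*[|]' "$rc" && return 0
    grep -Eq '^[[:space:]]*[*][[:space:]]*[?]' "$rc" && return 0
    grep -Fq '`' "$rc" && return 0
    return 1
}

# Print one word describing /etc/procmailrc (or the path given):
#   absent - no global rc, so nothing extra runs as root on delivery
#   ok     - present, root-owned, not group- or other-writable
#   rogue  - present but owned by someone else or writable by others
global_rc_state() {
    f="${1:-/etc/procmailrc}"
    [ -e "$f" ] || { echo absent; return 0; }
    line=$(ls -ld "$f")
    owner=$(echo "$line" | awk '{print $3}')
    gw=$(echo "$line" | cut -c6)   # group write bit of the mode string
    ow=$(echo "$line" | cut -c9)   # other write bit of the mode string
    if [ "$owner" = root ] && [ "$gw" = - ] && [ "$ow" = - ]; then
        echo ok
    else
        echo rogue
    fi
}

# Demonstration on constructed recipes (not real user files).
demo_dir=$(mktemp -d)
printf ':0:\n* ^Subject:.*list\nIN.list\n' > "$demo_dir/deliver.rc"
printf ':0\n* ^From: someone\n| /usr/local/bin/handler\n' > "$demo_dir/pipe.rc"
for rc in "$demo_dir"/*.rc; do
    if procmail_rc_executes "$rc"; then echo "$rc: executes a program"
    else echo "$rc: delivery only"; fi
done
echo "/etc/procmailrc: $(global_rc_state)"
rm -rf "$demo_dir"
```

Running it from cron over /etc/procmailrc and each user's ~/.procmailrc gives a list of files that need a human look; it reports constructs, it does not judge whether a given pipe is legitimate.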