procmail

Re: Triggering activities through email

1997-06-19 16:07:00
W. Wesley Groleau wrote,

| Send the body to a script at the destination.
| 
| The script scans the body for two begin and end flag strings,
|    then uses PGP or something similar to decrypt the characters
|    between the flag strings.
|    Finally, it executes the decrypted string.
| 
| For any person to execute any command, that person must:
|   1. Know the encryption key
|   2. Make his mail match your recipe conditions
|      (i.e. forgery, if the conditions are set up right)
| 
| For additional security, you can do tricks within the script
| to reject certain commands (or any command not on a particular
| list).  Or you can only accept certain "pseudo-commands" in
| the decrypted string, and use those as options in a case (switch)
| construct containing the real commands.

Without a match of the sender's DNA in a set of samples from approved
correspondents, I would not run a command extracted from email.  In fact, I'd
send back a "you filthy spammer, I'll have you killed" autoresponse to anyone
who writes to me but doesn't check out, even if it's a post to a mailing list
I had joined.

[For those of you who have just joined the list and don't know me yet, the
 preceding is sarcasm.]

Seriously, I point to the file retrieval example from the procmailex(5) man
page: note how it makes sure that a requested file name is safe (no embedded
spaces or shell metacharacters, no "/." nor leading periods [so as not to
allow fetching dotfiles, paths through dot-named directories, nor upward
traversal out of the tree with "/.." or a leading ".."]) before using it in
a command.  To restrict the available files to those in a specific directory
rather than those in or under a specific directory, one can forbid all
slashes.
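
The file name check described in the message above, as an added shell example that is not part of the original post and is not the procmailex(5) recipe itself. The function names `safe_name` and `serve_request`, the allowed character set, the rejection of absolute paths and the sample requests are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (constructed): string-level check of a requested file name.
# safe_name NAME [flat]  -> status 0 if NAME may be used, 1 otherwise.
# The body is a subshell so LC_ALL and the variables do not leak to the caller.
safe_name() (
    LC_ALL=C            # make A-Z, a-z, 0-9 plain ASCII ranges
    name=$1 mode=${2:-tree}
    [ -n "$name" ] || exit 1
    case $name in
        *[!A-Za-z0-9._/-]*) exit 1 ;;  # spaces, shell metacharacters, control chars
        .*)                 exit 1 ;;  # leading period: dotfile or leading ".."
        */.*)               exit 1 ;;  # "/.": dot-named directory, dotfile, "/.."
        /*)                 exit 1 ;;  # absolute path (assumption: names are relative)
    esac
    if [ "$mode" = flat ]; then
        case $name in */*) exit 1 ;; esac   # one directory only: forbid all slashes
    fi
    exit 0
)

# serve_request ROOT NAME [flat]: print ROOT/NAME only if NAME passes the check.
serve_request() {
    safe_name "$2" "${3:-tree}" || { echo "rejected: $2" >&2; return 1; }
    [ -f "$1/$2" ] || { echo "no such file: $2" >&2; return 1; }
    cat -- "$1/$2"
}

# Constructed sample requests, one per line.
while IFS= read -r req; do
    if safe_name "$req"; then echo "accept: $req"; else echo "reject: $req"; fi
done <<'EOF'
notes.txt
docs/notes.txt
.profile
../etc/passwd
docs/../secret
docs/.hidden
notes.txt; id
EOF
```

The check looks only at the string, so symbolic links inside the served tree are not examined by it.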
