procmail

Re: disallow program running

1997-09-08 17:28:48
"Lance R. Bailey" <zaphod(_at_)zoology(_dot_)ubc(_dot_)ca> writes:
a number of years ago i replaced the Mprog in our sendmail config to 
restrict the programs that could be run via a .forward file to a few
that i prescribed (vacation, etc...)

this was done to plug a security hole that later eric allman plugged
with a similar method.

Was it done to cut down the liability of certain kinds of security
holes in sendmail, to prevent users from running arbitrary programs on
the mailer server, or for some other reason?  Hmm, to tell the truth,
you sound like you've already thought about this distinction.


from what i can gather, procmail will allow a person to filter their
mail through an arbitrary program. this reopens things i'd rather let
stay shut.

From this it sounds like it isn't just to protect you from sendmail
security holes.


i would like to stop procmail from allowing users to push their mail
through any program they desire.

Check out the RESTRICT_EXEC define in config.h.  This was added in
version 3.11pre5 or so, so you'll want to just get pre7 (pre5 and pre6
had "doh!" bugs).


Philip Guenther
