Quoting Boudewijn W. Ch. Visser
(visser(_at_)galaxy(_dot_)ph(_dot_)tn(_dot_)tudelft(_dot_)nl):
We would like to offer the use of procmail to the users, but
not have the problem of procmail being used to exploit bugs
that are only accessible from a shell.
(Yes, I know, bugs should be fixed anyway, and we do that, but
the urgency is much less when not every user can trivially exploit them)
You might want to try to make procmail use smrsh (sendmail restricted
shell, or another shell that only executes approved commands) as its
shell. That would involve setting SHELL=/usr/sbin/smrsh, but I don't
know offhand how to keep users from resetting the shell to something
else. That might be what you have to hack.
--
Michael Stone, Sysadmin, ITRI PGP: key 1024/76556F95 from mit keyserver,
mstone(_at_)itri(_dot_)loyola(_dot_)edu finger, or email with
"Subject: get pgp key"