procmail

procmail AND AFS

1998-07-28 15:35:03
As some of you know from my past messages, we use AFS here at NCSA.
I've written some patches to make procmail work within our environment,
but now I have some more that I'd like to work on.  I'd like to get
input from both AFS users and procmail people to see if there's 
anything that I'm missing or if there's anything that you'd like to
see added...

Under AFS, it's currently not possible to write files to a user's home
directory unless 

   a) you have a valid token
   b) the ACLs in the directory give system/system:anyuser rlidwk
   c) you create an IP acl for the server
   d) you create a new account 'procmail' with ACLs rlidwk in
      the directory to be written

The last option is the best, but poses security problems.  What if
I create a recipe to cat the contents of somebody's mail archives
into my home directory?  

My plan is to patch procmail to essentially chroot itself to the
user's home directory when writing files -- it will not allow
you to write to any other user's home directory.

This is easy to enforce when writing to a mailbox, but when invoking
a shell and sending the output of a process to a file it's a lot
harder.  I currently have a patch in place to restrict binary usage
with procmail (like the sendmail smrsh), so recipes that invoke
a shell or unknown program will fail.  This should control access
to directories if tight control is maintained on the list of allowed
executables.

Each user should have a ~/procmail directory and a ~/public directory.

   ~/procmail     
      system:anyuser l
      user           rlidwka
      procmail       rlidwk

~/.procmailrc should be a symlink to ~/procmail/.procmailrc.  procmail will
only refer to ~/procmail as the effective root for all file input and output
(including INCLUDERC, etc.)

That's the current model, in braindump format.

Comments?

Chris

Current thread: procmail AND AFS, Christopher Lindsey
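The "effective root" idea in the message above (procmail refusing to read or write anything outside ~/procmail, so that a recipe cannot reach another user's mail) is shown here as an added example in C. This is not the poster's patch and not procmail's own code: `within_root` is a hypothetical helper that resolves a recipe's target path with realpath() and checks that it lands under the permitted root, rejecting both `..` traversal and symlinks that point out of the directory. The directory layout it is exercised against is constructed in a temporary directory by `demo_setup`, with "alice" and "bob" as made-up users.

```c
/* Added example (not procmail code): confine recipe file I/O to one directory. */
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Return 1 iff `path` lies under `root` once all symlinks and ".." are
 * resolved. A relative `path` is taken relative to `root`, the way a recipe
 * path is taken relative to MAILDIR. If the target already exists it is
 * resolved in full (so an existing symlink out of the tree is caught); if it
 * does not exist yet (a mailbox about to be created) its parent directory is
 * resolved instead. Any resolution failure is treated as "not inside". */
int within_root(const char *root, const char *path)
{
    char real_root[PATH_MAX], real_tgt[PATH_MAX], buf[PATH_MAX];
    char *slash;
    size_t rlen;

    if (!realpath(root, real_root))
        return 0;
    if (path[0] == '/') {
        if (snprintf(buf, sizeof buf, "%s", path) >= (int)sizeof buf)
            return 0;
    } else {
        if (snprintf(buf, sizeof buf, "%s/%s", real_root, path) >= (int)sizeof buf)
            return 0;
    }
    if (!realpath(buf, real_tgt)) {
        /* target missing: check the directory it would be created in */
        slash = strrchr(buf, '/');
        if (slash == buf)
            slash[1] = '\0';
        else
            *slash = '\0';
        if (!realpath(buf, real_tgt))
            return 0;
    }
    rlen = strlen(real_root);
    if (rlen == 1)              /* root is "/" */
        return 1;
    /* prefix match must end on a path boundary: ~/procmail2 is not ~/procmail */
    return strncmp(real_tgt, real_root, rlen) == 0 &&
           (real_tgt[rlen] == '\0' || real_tgt[rlen] == '/');
}

/* Constructed layout for the demonstration (hypothetical users alice and bob):
 *   <tmp>/home/alice/procmail/          the permitted root
 *   <tmp>/home/alice/procmail/inbox     an existing mailbox
 *   <tmp>/home/alice/procmail/escape -> ../../bob/mail   a symlink out
 *   <tmp>/home/bob/mail/                another user's mail directory */
static char demo_tmp[PATH_MAX];
static char demo_root[PATH_MAX];

int demo_setup(void)
{
    const char *dirs[] = { "home", "home/alice", "home/alice/procmail",
                           "home/bob", "home/bob/mail" };
    const char *base = getenv("TMPDIR");
    char p[PATH_MAX];
    int fd;

    if (!base)
        base = "/tmp";
    snprintf(demo_tmp, sizeof demo_tmp, "%s/afs-demo-XXXXXX", base);
    if (!mkdtemp(demo_tmp))
        return 0;
    for (size_t i = 0; i < sizeof dirs / sizeof dirs[0]; i++) {
        snprintf(p, sizeof p, "%s/%s", demo_tmp, dirs[i]);
        if (mkdir(p, 0700) != 0)
            return 0;
    }
    snprintf(p, sizeof p, "%s/home/alice/procmail/inbox", demo_tmp);
    fd = open(p, O_WRONLY | O_CREAT, 0600);
    if (fd < 0)
        return 0;
    close(fd);
    snprintf(p, sizeof p, "%s/home/alice/procmail/escape", demo_tmp);
    if (symlink("../../bob/mail", p) != 0)
        return 0;
    snprintf(demo_root, sizeof demo_root, "%s/home/alice/procmail", demo_tmp);
    return 1;
}

/* Check a path given relative to the temp tree's top (absolute from procmail's view). */
int demo_check(const char *rel)
{
    char p[PATH_MAX];
    snprintf(p, sizeof p, "%s/%s", demo_tmp, rel);
    return within_root(demo_root, p);
}

/* Check a path the way a recipe would give it: relative to MAILDIR (~/procmail). */
int demo_check_relative(const char *name)
{
    return within_root(demo_root, name);
}

int main(void)
{
    if (!demo_setup())
        return 1;
    printf("inbox            -> %d\n", demo_check("home/alice/procmail/inbox"));
    printf("new-folder       -> %d\n", demo_check("home/alice/procmail/new-folder"));
    printf("../../bob/mail   -> %d\n", demo_check_relative("../../bob/mail/archive"));
    printf("escape (symlink) -> %d\n", demo_check("home/alice/procmail/escape"));
    return 0;
}
```

The check is deliberately conservative: a target whose parent cannot be resolved (for instance a path through a not-yet-created subdirectory) is refused rather than guessed at, and a prefix match is only accepted on a `/` boundary so that a sibling directory with a longer name does not pass. Note that it only guards procmail's own file operations; as the message says, output from a shell or an arbitrary program needs a separate control such as the allowed-executable list.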