Antonio Bemfica <antonio(_at_)axolotl(_dot_)ic(_dot_)gc(_dot_)ca> writes:
I am getting the following errors
Aug 31 20:47:36 ngrdev procmail[17456]: Denying special privileges
for "/etc/procmailrcs/.procmailrc.virtual"
Aug 31 20:47:36 ngrdev procmail[17456]: Error while writing to
"/home/virtual-mail-users/.from"
when sending messages to the following alias (all one line, of course):
a_test: "| procmail -m VIRTUALUSER=a_test
RECEIPIENTS=antonio(_at_)axolotl(_dot_)ic(_dot_)gc(_dot_)ca
/etc/procmailrcs/.procmailrc.virtual"
I know procmail is picky when it comes to permissions, but I really can't
seem to figure this. Below are the permissions for all files in question
(I think). Could someone solve the riddle? Thanks in advance.
Well, let's check the DIAGNOSTICS section of the procmail(1) manpage.
There we find:
Denying special privileges for "x"
Procmail will not take on the iden-
tity that comes with the rcfile be-
cause a security violation was
found (e.g. -p or variable assign-
ments on the command line) or proc-
mail had insufficient privileges to
do so.
You need to pass the virtualuser and recipients to the rcfile as arguments
after the rcfile on the command line instead of as variable assignments.
For example, you can specify that the first additional argument be the
virtualuser and the second the recipient. The alias would then be:
a_test: "| procmail -m /etc/procmailrcs/.procmailrc.virtual a_test \
antonio(_at_)axolotl(_dot_)ic(_dot_)gc(_dot_)ca"
And then the rcfile would start with something like:
# $NL is a newline. This is useful for assignments to LOG
NL="
"
# Grab the arguments and put them into variables
USER = $1
RECIPIENT = $2
# Double check for evil input. Only allow letters, numbers, underbar,
# period and hyphen in USER and those and at-sign in RECIPIENT
:0
* USER ?? ^^[-a-z0-9_.]+^^
* RECIPIENT ?? ^^[-a-z0-9_(_dot_)(_at_)]+^^
{ } # everything is fine
# ...else they were trying something nasty
:0 E
{
# What you do here is up to you. I would probably log a message
# somewhere:
LOGFILE = /path/to/somewhere/security
LOG = "Illegal argument(s):${NL} USER = \"$USER\"${NL}
RECIPIENT=\"$RECIPIENT\"${NL}"
# Set an exit code. 77 = EX_NOPERM
EXITCODE = 77
# Then exit
HOST
}
(The restriction against variable assignments is because they are too
dangerous. You couldn't trust any of the variables that have default
values. Do you want to have to set SHELL, SHELLMETAS, SHELLFLAGS, etc
at the beginning of every rcfile to be used with procmail -m? Are you
sure you'll get it right? Better to disallow them and let the rcfile
do its own argument processing and checking.)
Philip Guenther