procmail

Re: Small CGI to manage procmail filtering via web

1999-09-21 16:59:36
I knew that I'm a bit off-topic.. but.. in your opinion what is the
best (or, more precisely, safer) solution to get the work done (apache
is running as nobody) ?

    IMHO the safer solution is: DON'T.  Don't even think about it.
In order to be able to write to a user's .procmailrc, your CGI
would need to be SUID root (or at least it should be called from a
SUID root wrapper, such as suexec).

Not necessarily.  I'm working on something similar that authenticates
via Kerberos, obtains an AFS (or Coda) token, then writes into the
filesystem.

The other option that was initially considered was a client/server
model; the client would run on the Web server and authenticate the
user, then connect to a daemon on the mail server (tunneled over ssh
or authenticating with the client's Kerberos host key or a special
service key) which would write to a local directory (with procmail's
authenticate.c modified to return this directory as $HOME).

But without strong authentication schemes and some sort of secured
filesystem I agree -- it shouldn't be done.  I only mention what we're
doing because it can all be done with commonly available software
(except for AFS, but Coda will work instead) and isn't very difficult
to set up. 

Chris
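
A sketch of the mail-server side of the client/server model described in the message above, added here as an example; it is not code from the thread or from procmail. It assumes the transport (ssh tunnel or Kerberos) has already authenticated the principal, and that each user's rc directory is pre-provisioned and writable only by the daemon; `store_procmailrc`, `RejectedRequest` and the limits are hypothetical names and values.

```python
import os
import re
import tempfile

# Hypothetical policy values; neither comes from the thread.
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")
MAX_RC_BYTES = 64 * 1024


class RejectedRequest(Exception):
    """The request must not result in any write to disk."""


def store_procmailrc(rc_root, principal, rc_text):
    """Write rc_text to <rc_root>/<principal>/.procmailrc and return the path.

    `principal` is the name the transport authenticated, never a value the
    web form supplied.
    """
    # fullmatch, not match with "$": "$" would accept a trailing newline.
    if not USERNAME_RE.fullmatch(principal):
        raise RejectedRequest("invalid principal name")
    data = rc_text.encode("utf-8")
    if len(data) > MAX_RC_BYTES:
        raise RejectedRequest("rc file too large")

    user_dir = os.path.join(rc_root, principal)
    # Only pre-provisioned, real directories are accepted (no symlinks).
    if os.path.islink(user_dir) or not os.path.isdir(user_dir):
        raise RejectedRequest("no rc directory for this principal")

    target = os.path.join(user_dir, ".procmailrc")
    # Temp file in the same directory, so the rename below is atomic and
    # procmail never reads a half-written rc file.
    fd, tmp_path = tempfile.mkstemp(prefix=".procmailrc.", dir=user_dir)
    try:
        os.fchmod(fd, 0o600)
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
            fh.flush()
            os.fsync(fh.fileno())
        # rename() replaces a symlink at the target itself, not what it points to.
        os.replace(tmp_path, target)
    except BaseException:
        os.unlink(tmp_path)
        raise
    return target
```
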
