Hello,
I am building a prototype of an ISP mail server. We want to use
procmail to allow end users to do their own mail filtering and spam
control. Also, we're using the Maildir format, and Exim (our MTA) doesn't
support Maildir, so that's another reason to use procmail for local
delivery.
We plan on letting each user edit their own .procmailrc through a
nifty Web-based GUI, similar to "procbuilder"
(http://www.uvm.edu/opensource/?Page=procbuilder.html). We also want to
let advanced users edit their .procmailrc directly, so they can do funky
stuff not necessarily possible through the simplified Web-GUI.
But we do NOT want to offer shell access. Our target audience
does not want it or need shell access, and allowing it makes the system
vulnerable to local security exploits, not just remote security exploits.
See where this is going? Since procmail allows users to execute
arbitrary programs, allowing end users to edit their own .procmailrc is
basically the same as giving them full shell access. They can upload
arbitrary programs or daemons and have those executed by simply emailing
themselves.
So my question is: is there any way to disable the execution of
child processes in procmail? I did not see anything in the FAQ or man
page.
Or is that even the best tactic here? Any suggestions on how to
both (a) allow custom .procmailrc files and (b) disallow execution of
arbitrary programs are appreciated. Note that users can upload files to
the server.
Thank You,
Derek Simkowiak
_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
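One way a web front end like the one described above can keep goal (a) while enforcing goal (b) is to screen a submitted .procmailrc before installing it and refuse any recipe construct that makes procmail spawn a program. The checker below is an added example, not code from the original post or from procmail, and the policy it enforces is an assumption: pipe actions (`|`), program-exit-code conditions (`* ? prog`), backtick command substitution in assignments, and INCLUDERC/SWITCHRC/SHELL* assignments are rejected, while delivery to a mailbox or /dev/null is allowed and forwarding (`!`) is only reported. The sample rc file and the function names are constructed for the example.

```python
"""Screen a user-supplied .procmailrc for constructs that run programs.

Added example for a web-based .procmailrc editor (an assumption, not the
original poster's system): the front end calls is_installable() and only
writes the file into the user's home when it returns True.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line_no: int  # 1-based line in the submitted rc text
    kind: str     # what kind of construct was found
    text: str     # the offending line, for the error shown to the user


# Assignments that pull in other rc files or change how actions execute.
# Forbidding them is this example's policy choice, an assumption.
FORBIDDEN_VARS = {"INCLUDERC", "SWITCHRC", "SHELL", "SHELLMETAS", "SHELLFLAGS"}
ASSIGNMENT = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*=")

# Kinds that block installation; "forward-action" is reported but allowed.
BLOCKING = {"pipe-action", "exec-condition", "backtick", "forbidden-variable"}


def audit_procmailrc(text):
    """Return a list of Findings for every line that could spawn a process."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or comment line
        if "`" in line:
            # Backticks run a command during variable expansion; flagged
            # anywhere, even in continuation lines, to stay conservative.
            findings.append(Finding(n, "backtick", raw))
        if line.startswith("*"):
            # Condition line: drop the optional '!' (negate) and '$' (expand)
            # prefixes; a leading '?' then means "run this program".
            cond = line[1:].lstrip().lstrip("!$ ").lstrip()
            if cond.startswith("?"):
                findings.append(Finding(n, "exec-condition", raw))
            continue
        if line.startswith("|"):
            # Action line that pipes the message into an arbitrary program.
            findings.append(Finding(n, "pipe-action", raw))
            continue
        if line.startswith("!"):
            # Action line that forwards the message; no code runs locally.
            findings.append(Finding(n, "forward-action", raw))
            continue
        m = ASSIGNMENT.match(line)
        if m and m.group(1) in FORBIDDEN_VARS:
            findings.append(Finding(n, "forbidden-variable", raw))
    return findings


def is_installable(text):
    """True when no blocking construct was found in the rc text."""
    return not any(f.kind in BLOCKING for f in audit_procmailrc(text))


# Constructed sample rc, not a real user's file: the first three recipes
# only deliver or forward, the tail would let the user run code.
SAMPLE_RC = """\
# Constructed sample, not a real user's file
MAILDIR=$HOME/Maildir/
DEFAULT=$MAILDIR
LOGFILE=$HOME/procmail.log

:0:
* ^List-Id:.*procmail
lists/procmail/

:0 c
* ^Subject:.*urgent
! pager@example.invalid

:0
* ^From:.*newsletter@example.invalid
/dev/null

# Anything below would let the user run code on the server
HOST=`hostname`
:0
* ? test -x $HOME/bin/hook
| $HOME/bin/hook

INCLUDERC=$HOME/uploads/extra.rc
"""

if __name__ == "__main__":
    for f in audit_procmailrc(SAMPLE_RC):
        print(f"line {f.line_no}: {f.kind}: {f.text}")
    print("installable:", is_installable(SAMPLE_RC))
```

The check is line-oriented and deliberately conservative (a backtick inside a trailing comment is a false positive, which is cheaper than a miss), and it is an allowlist of recipe forms rather than a sandbox: it only helps if the screened file is the one procmail actually reads, so the upload facility mentioned in the post must not be able to write or replace ~/.procmailrc or anything it includes.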