procmail

Re: Executing a program as a recipient from ~/.procmailrc

2003-02-08 15:19:24
On 02/08/03 08:39 AM, Professional Software Engineering sat at the `puter and 
typed:
At 08:08 2003-02-08 -0500, Louis LeBlanc did say:
Unfortunately, procmail is running as root.

procmail should not be running as root by the time it reaches their
~/.procmailrc.  If it is, you have something configured terribly wrong, or
you're invoking it directly via an MTA alias, not as LDA.

I am calling procmail from the MTA.  I am also setting DROPPRIVS=yes,

DROPPRIVS is meaningless if the user it is delivering as _is_ root (or 
whoever the MTA invokes the PROG mailer as).  Procmail has no _user_ to 
drop down to.  When procmail is invoked with -m, it isn't running 
/etc/procmailrc (where DROPPRIVS tends to be used), and never "elevates" 
its privileges to have any to DROP.

But I am running procmail with -m.  It is invoked as follows from
sendmail.cf:
procmail -Y -m /etc/procmailrc $u $h

And the /etc/procmailrc file is used.  It must be, otherwise all the
changes I've been making to it over the last several years wouldn't
have modified behavior.

If you're invoking an rcfile from an alias, I'd consider using 
/etc/procmailrcs/ as a startpoint - own the stub file there by the user you 
want procmail to run as (see 'man procmailrc' which defines that directory 
to have special meaning to procmail), and have THAT rcfile INCLUDERC the 
${HOME}/.procmailrc of the user.  I haven't personally had a need to do 
this, but if I were attempting to invoke procmail from an MTA alias on 
behalf of a specific user, this is how I'd go about it.

I'm afraid I'm feeling a little slow here.  If I understand this
correctly, /etc/procmailrc should be owned by root, moved to
/usr/local/etc/procmailrcs/procmailrc, and should then INCLUDERC a
file (like ~/.procmailrc) owned by the user I want it to switch to.
And of course, the sendmail invocation should be more like 
procmail -Y -m /usr/local/etc/procmailrcs/procmailrc $u $h
Yes?

(the -d option to procmail should also be of interest to you, but since you 
haven't provided _ANY_ details on how you're invoking procmail, what your 
OS is, and the version of procmail for that matter, it's probably a bit 
premature for me to offer up specific commandline arguments).

I read that section:
       -d recipient ...
            This  turns  on explicit delivery mode, delivery will
            be to the local user  recipient.   This,  of  course,
            only  is possible if procmail has root privileges (or
            if procmail is already running with  the  recipient's
            euid and egid).  Procmail will setuid to the intended
            recipients and  delivers  the  mail  as  if  it  were
            invoked  by the recipient with no arguments (i.e., if
            no rcfile is found, delivery is like ordinary  mail).
            This option is incompatible with -p.

The question is whether this would hose the delivery that actually
happens at the end of the system wide procmailrc (currently
/etc/procmailrc)?  I guess I'll find out.

Oh, and my OS is FreeBSD 4.6 RELEASE, my MTA is sendmail, MDA is Cyrus
Imap (and procmail, of course), and my MUA is Mutt.  Procmail version
is procmail-3.22_1 installed from the ports.

BTW, as much as I used to like using procmail-users(_at_)procmail(_dot_)org, 
and as 
much as it *SHOULD* point to the correct address on the real list server - 
esp. since the procmail.org address is what is listed in the procmail help 
- it hasn't worked in _months_, so you should revise your Reply-to: (as I 
did long ago) if you hope to receive many replies.

Ahh!  Will do.  Thanks!

Thank you very much for the pointers.  I'll try them out and post
feedback here.

Lou
-- 
Louis LeBlanc               leblanc(_at_)keyslapper(_dot_)org
Fully Funded Hobbyist, KeySlapper Extrordinaire :)
http://www.keyslapper.org

Boling's postulate:
  If you're feeling good, don't worry.  You'll get over it.

_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
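
An audit of the stub-rcfile arrangement discussed in this message, added here as an example (not code from either poster or from procmail): it reports what would stop `procmail -m` from running as an unprivileged stub owner, going on the message's description that the procmailrcs directory has special meaning and that the stub is owned by the user procmail should run as. The function names, the group/other-writable check and the default prefix are assumptions of this example.

```python
import os
import posixpath
import stat

# Directory the message names as having special meaning to procmail.
# An install may use another prefix (the thread mentions a /usr/local one).
SPECIAL_DIR = "/etc/procmailrcs/"


def audit_stub(path, uid, mode, special_dir=SPECIAL_DIR):
    """Return a list of findings for an rcfile passed to `procmail -m`.

    uid and mode are the stub's owner and st_mode, passed in so the logic
    can be checked without touching the filesystem.
    """
    findings = []
    if not posixpath.isabs(path) or not path.startswith(special_dir):
        findings.append("not under %s: no switch to the stub owner" % special_dir)
    if ".." in path.split("/"):
        findings.append("path contains a parent-directory reference")
    if uid == 0:
        # The point made in the thread: with root as the effective user
        # there is nobody for DROPPRIVS to drop to.
        findings.append("owned by root: procmail would keep root identity")
    if stat.S_ISREG(mode) and mode & (stat.S_IWGRP | stat.S_IWOTH):
        # Assumption of this example: a stub others can rewrite is unsafe.
        findings.append("writable by group or other")
    if not stat.S_ISREG(mode) and not stat.S_ISLNK(mode):
        findings.append("not a regular file or symlink")
    return findings


def audit_file(path, special_dir=SPECIAL_DIR):
    """Audit a stub on disk; lstat so a symlink's own owner is examined."""
    st = os.lstat(path)
    return audit_stub(path, st.st_uid, st.st_mode, special_dir)


if __name__ == "__main__":
    import sys
    for rc in sys.argv[1:]:
        problems = audit_file(rc)
        print(rc, "OK" if not problems else "; ".join(problems))
```

Run it with the rcfile path given to `-m` in the mailer definition; an empty result means the stub is under the special directory, owned by a non-root account, and not writable by others.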