procmail
[Top] [All Lists]

Re: VirusSnag.rc - modify to clean & pass through

2004-02-20 10:14:03
On Fri, Feb 20, 2004 at 06:00:52AM -0800, Ken Douglass @pacbell.net wrote:
from Dallman Ross...
The approach I would use would be via the NONDELIVER option 

Dallman,
It looks like you suggest putting the new recipes after INCLUDERC.
What I did was I set "NONDEL=yes" in virussnag.rc and I added the new

Thanks for catching that I meant to write "NONDEL" for "NONDELIVER".
I didn't notice my typo, because I already have NONDEL set in my
own rc, and the test harness I use imports that, so the mistake
of mine did not bite me during testing.  :)



recipes (as shown below) inside the your virussnag.rc file at the end.
Same thing, right?

Yes, though it's probably better not to edit working code to
try experiments that might not work.  Makes it tougher to
see where the problem is, and to go back to Square One.
Moreover, when I upgrade Virus Snaggers and you download a
new version, you will have to edit in all your changes again
manually.

I now get this error in my log...

 "cat: /usr/local/etc/procmail_virussnag-msg.txt: Permission denied"


Well, you seem to have created the file as root or some other
superuser and then made it unreadable by ordinary users. "chmod 644
virussnag-msg.txt" should solve that.


...when I have DROPPRIVS=yes. And the email is delivered as expected
with $HEADERS and $TENBODY printed, but $VIRUSMSG is missing.

But if I remove "DROPPRIVS=yes", then my lovely $VIRUSMSG is printed
in the email. What might be my trouble with DROPPRIVS=yes? And is
there a need to unset DROPPRIVS at the end?

Again, if you don't use DROPPRIVS, the entire thing is running as
root on your system (or whoever owns the /etc/procmailrc
stuff when handed off from the MTA).  This can be a security
risk as explained under "DROPPRIVS" in 'man procmailrc'; though
I doubt it is one in this particular instance.  Still, the
better habit is to get out of running lots of stuff for your
users in su mode as quickly as absolutely possible.

(No, you don't need to unset it, and doing so wouldn't do any
good anyway, as far as I know; it's a one-way switch down to
the user level from superuser.)

-- 
dman

_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail