procmail

Limit user actions in .procmailrc

2015-05-19 16:20:36
I'm updating a fairly old and very idiosyncratic mail system, and one
of the features of this system is that only explicitly listed users
can call external commands from within a .procmailrc.  I think this is
actually accomplished by having both a "regular" procmail for the
listed users, but a "hobbled" procmail that was locally compiled to
disallow such things, but in any case, I'm wondering what options I
have to recreate similar functionality?

Is there something equivalent to sendmail's smrsh functionality for
procmail?

I've looked briefly at jailkit and jk_procmailwrapper, but it has
pretty limited documentation and makes it look like users already need
to live in jailed shells as well as requiring a non-standard mailbox
location, so it's definitely not my first choice.

Another idea that occurred to me would be to prevent .procmailrc
execution by setting DROPPRIVS equal to "no" in the system
/etc/procmailrc unless the LOGNAME value appears in a file that listed
allowed users?  Does this even seem do-able?  I don't know if this
would be an acceptable solution for us, but I won't even bother trying
if it's not possible (or just a plain "Bad Idea").

Somewhat related to that, is it possible to set DROPPRIVS to yes, and
then change it to no later in /etc/procmailrc?  I'm thinking of a
situation where the system procmailrc might look for a user with a
vacation message set up, drop to being them to run vacation, and then
set DROPPRIVS=no to prevent any .procmail from being executed.

Thanks for any insight you might have to offer

--
Public key #7BBC68D9 at            |                 Shane Williams
http://pgp.mit.edu/                |      System Admin - UT CompSci
=----------------------------------+-------------------------------
All syllogisms contain three lines |              shanew(_at_)shanew(_dot_)net
Therefore this is not a syllogism  | www.ischool.utexas.edu/~shanew
____________________________________________________________
procmail mailing list   Procmail homepage: http://www.procmail.org/
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)de
http://mailman.rwth-aachen.de/mailman/listinfo/procmail
