procmail

Re: Limit user actions in .procmailrc

2015-05-21 06:19:28
On Wed May 20 2015 10:46:58 lists(_at_)clifford(_dot_)ac said:

shanew(_at_)shanew(_dot_)net wrote to procmail(_at_)lists(_dot_)rwth-aachen(_dot_)de
[at 17:39 (-0500) on Tuesday, 19th May, 2015]:

Based on the discussion at
http://serverfault.com/questions/579192/procmail-is-ignoring-user-settings
I get the impression that when using procmail as your LDA (which I
should have said I am) setting DROPPRIVS=no prevents any reading of a
user .procmailrc.  Which I think is the opposite of what you're
saying, but it's the end of the day, so my brain may be playing tricks
on me.

That said, I'm not finding anything authoritative to back that up (nor
have I tested it, since I don't have a good test system to try it on).

On Tue, 19 May 2015, Alan Clifford wrote:

shanew(_at_)shanew(_dot_)net wrote to procmail(_at_)lists(_dot_)rwth-aachen(_dot_)de
[at 16:17 (-0500) on Tuesday, 19th May, 2015]:

Another idea that occurred to me would be to prevent .procmailrc
execution by setting DROPPRIVS equal to "no" in the system
/etc/procmailrc unless the LOGNAME value appears in a file that listed
allowed users?
Wouldn't you set DROPPRIVS to yes then deliver mail from within 
/etc/procmailrc?  Then ~/.procmailrc wouldn't be run at all.
Alan
(  Please address personal email to alan+1@ as email to lists@
 is only read from my subscribed lists. )



From man procmailrc

"DROPPRIVS If set to `yes' procmail will drop all privileges it might have 
had (suid or sgid).  This is only useful if you want to guarantee that the 
bottom half of the /etc/procmailrc file is executed on behalf of the 
recipient."

My understanding is that as soon as the recipes in /etc/procmailrc have been 
done and the program moves on to the user's ~/.procmailrc, any privileges 
are automatically dropped.

That is correct, but the user’s .procmailrc is only executed if the procmailrc 
does not deliver the message.

A simple way to prevent users from having a .procmailrc run is to set:

DROPPRIVS=YES
:0
$DEFAULT

in the procmailrc.


-- 
"It's like those French have a different word for *everything*" - Steve
Martin



____________________________________________________________
procmail mailing list   Procmail homepage: http://www.procmail.org/
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)de
http://mailman.rwth-aachen.de/mailman/listinfo/procmail
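
An added example, not part of the original messages or of the procmail distribution: the allowlist idea raised earlier in the thread combined with the unconditional-delivery recipe from the reply. The path /etc/procmail.allow is hypothetical, and the sketch assumes procmail runs as the LDA once per recipient, so that LOGNAME is the recipient's login name.

```procmail
# /etc/procmailrc (added example; the allowlist path is an assumption)
#
# /etc/procmail.allow: hypothetical file, one permitted login name per line.
# It should be owned and writable by root only, but world-readable, because
# the grep below runs after privileges have been dropped.

# Drop any suid/sgid privileges first, so everything below this line,
# including the external grep, runs on behalf of the recipient.
DROPPRIVS=yes

# Recipient is NOT on the allowlist: deliver to the default mailbox here.
# Because the message is delivered in /etc/procmailrc, the recipient's
# ~/.procmailrc is never read.
#   -x  match the whole line, so "bob" does not match "bobby"
#   -F  treat the login name as a fixed string, not a regular expression
#   -e  keep a login name starting with "-" from being parsed as an option
# If the allowlist is missing or unreadable, grep exits non-zero, the
# inverted condition matches, and the recipe delivers: the check fails closed.
:0
* ! ? grep -qxF -e "$LOGNAME" /etc/procmail.allow
$DEFAULT

# Recipients on the allowlist fall through to here. Nothing has delivered
# the message, so procmail goes on to their ~/.procmailrc as usual.
```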