Date:      09 Mar 1998 20:32:15 +0100
From:      Benedikt Stockebrand <benedikt@devnull.ruhr.de>
To:        Andreas Klemm <andreas@klemm.gtn.com>
Cc:        ache@FreeBSD.ORG, isp@FreeBSD.ORG, ports@FreeBSD.ORG, asami@FreeBSD.ORG
Subject:   Re: bugfix procmail port and discussion about general MAILSPOOLHOME var.
Message-ID:  <87pvjvpsn4.fsf@devnull.ruhr.de>
In-Reply-To: Andreas Klemm's message of "Sat, 7 Mar 1998 15:24:18 +0100"
References:  <19980307152418.16939@klemm.gtn.com>

Andreas Klemm <andreas@klemm.gtn.com> writes:

> Another thing, many ISPs use procmail's ability to store
> users' mail into their home directory ($HOME/.mail).

So why wouldn't you want to use procmail?

> Perhaps one should make a note that then the MUA has to be
> aware of the MAIL environment variable or POP servers have to be
> patched to look for the user's mailbox in $HOME/.mail/loginname.

I'm not sure if I understand the security implications of this
approach.  However, the local mail delivery programs are usually
setuid root or something and may rely on the fact that users can't
create files in /var/mail.  If you really want to do this you'll have
to fix them so that they check for symlink attacks (like symlinking
~/.mail/loginname to /etc/master.passwd and then sending themselves a
msg containing a line "toot::0:0::0:0:Charlie \&:/root:/bin/csh") and
whatever else comes to the naughty mind.

That's not impossible but somewhat error-prone.  If procmail already
provides such a feature it seems more reasonable to use it instead.


So long,

    Ben

-- 
Ben(edikt)? Stockebrand    ---    Un*x system administrator looking for a job
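
One way a privileged delivery agent can make the symlink check mentioned in the message, as an added example that is not part of the original e-mail or of any FreeBSD delivery program. The names `open_mailbox` and `symlink_delivery_refused` are hypothetical, and the scenario in the second function is constructed in a temporary directory.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: open a mailbox for append, refusing symlinks,
 * hard links, non-regular files and files not owned by `owner`. */
int open_mailbox(const char *path, uid_t owner)
{
    struct stat st;
    int created = 0;
    /* O_NOFOLLOW fails when the last path component is a symlink;
     * O_NONBLOCK keeps a planted FIFO from stalling delivery. */
    int fd = open(path, O_WRONLY | O_APPEND | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0 && errno == ENOENT) {
        /* O_EXCL refuses any existing name, dangling symlinks included. */
        fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_EXCL, 0600);
        created = (fd >= 0);
    }
    if (fd < 0) return -1;
    /* Hand a newly created file to the recipient, then check the opened
     * object itself so the name cannot be swapped between check and use. */
    if ((created && fchown(fd, owner, (gid_t)-1) != 0) ||
        fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_nlink != 1 || st.st_uid != owner) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Constructed scenario: "victim" stands in for a protected file, "box" is a
 * symlink planted at the mailbox path. Returns 1 if delivery was refused. */
int symlink_delivery_refused(void)
{
    char dir[] = "/tmp/mboxXXXXXX", victim[64], box[64];
    struct stat st;
    if (!mkdtemp(dir)) return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(box, sizeof box, "%s/box", dir);
    if (close(open(victim, O_WRONLY | O_CREAT, 0600)) || symlink(victim, box)) return 0;
    int refused = open_mailbox(box, getuid()) < 0 &&
                  stat(victim, &st) == 0 && st.st_size == 0;
    unlink(box); unlink(victim); rmdir(dir);
    return refused;
}
```

Only the last path component is protected here; if `~/.mail` itself can be replaced by a symlink, the agent also has to open the directory safely or deliver with the recipient's privileges.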

