Date: 09 Mar 1998 20:32:15 +0100
From: Benedikt Stockebrand <benedikt@devnull.ruhr.de>
To: Andreas Klemm <andreas@klemm.gtn.com>
Cc: ache@FreeBSD.ORG, isp@FreeBSD.ORG, ports@FreeBSD.ORG, asami@FreeBSD.ORG
Subject: Re: bugfix procmail port and discussion about general MAILSPOOLHOME var.
Message-ID: <87pvjvpsn4.fsf@devnull.ruhr.de>
In-Reply-To: Andreas Klemm's message of "Sat, 7 Mar 1998 15:24:18 +0100"
References: <19980307152418.16939@klemm.gtn.com>

Andreas Klemm <andreas@klemm.gtn.com> writes:

> Another thing, many ISP's use procmail's ability, to store
> users mails into their home directory ($HOME/.mail).

So why wouldn't you want to use procmail?

> Perhaps one should make a note, that then the MUA has to be
> aware of the MAIL environment variable or pop server have to be
> patched, to look for the users mailbox in $HOME/.mail/loginname.

I'm not sure if I understand the security implications of this
approach. However, the local mail delivery programs are usually
setuid root or something and may rely on the fact that users can't
create files in /var/mail. If you really want to do this you'll have
to fix them so that they check for symlink attacks (like symlinking
~/.mail/loginname to /etc/master.passwd and then sending themselves a
msg containing a line "toot::0:0::0:0:Charlie \&:/root:/bin/csh") and
whatever else comes to the naughty mind.

That's not impossible but somewhat error-prone. If procmail already
provides such a feature it seems more reasonable to use it instead.

So long,

    Ben

-- 
Ben(edikt)? Stockebrand --- Un*x system administrator looking for a job

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ports" in the body of the message
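
The symlink check the message above asks of a privileged delivery agent, as an added example that is not part of the original e-mail or of any FreeBSD program. The helper name open_mailbox_safely and the demo paths are hypothetical; the sample files are constructed in a temporary directory.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: open `path` for appending on behalf of `owner`.
 * Returns an fd, or -1 if the path is a symlink, is not a regular file,
 * has extra hard links, or is not owned by the recipient. */
int open_mailbox_safely(const char *path, uid_t owner)
{
    struct stat st;
    /* O_NOFOLLOW fails on a symlinked final component; no O_CREAT, so
     * nothing is created through a planted link. O_NONBLOCK avoids
     * hanging on a FIFO placed at the mailbox name. */
    int fd = open(path, O_WRONLY | O_APPEND | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0)
        return -1;
    /* fstat() the descriptor, not the name, so the object checked is
     * the object written to (no check/use race). */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_nlink != 1 || st.st_uid != owner) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed self-check: 1 if a real mailbox opens and a symlink to it is refused. */
int demo(void)
{
    char dir[] = "/tmp/mboxdemoXXXXXX", real[64], lnk[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(real, sizeof real, "%s/inbox", dir);
    snprintf(lnk, sizeof lnk, "%s/loginname", dir);
    int fd = open(real, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    close(fd);
    if (symlink(real, lnk) != 0) return -1;
    int ok = open_mailbox_safely(real, getuid());
    int bad = open_mailbox_safely(lnk, getuid());
    if (ok >= 0) close(ok);
    if (bad >= 0) close(bad);
    unlink(lnk); unlink(real); rmdir(dir);
    return (ok >= 0 && bad < 0) ? 1 : 0;
}

int main(void) { return demo() == 1 ? 0 : 1; }
```

O_NOFOLLOW only covers the last path component, and ~/.mail itself is user-writable, so a delivery agent writing there should also switch to the recipient's uid before opening the file.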