[3080] in bugtraq
Re: procmail
daemon@ATHENA.MIT.EDU (Ficus Kirkpatrick)
Wed Aug 7 17:29:39 1996
Date: Wed, 7 Aug 1996 13:57:19 -0700
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: Ficus Kirkpatrick <ficusk@on-ramp.ior.com>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
In-Reply-To: <199608070547.IAA15038@dionysos.fmi.fi>
(Kari.Hurtta@dionysos.fmi.fi)
> I'm sure procmail MUST have some security feature to disallow this
> sort of thing? But I could be wrong, and haven't checked the manual
> pages yet.
Sendmail disallows this sort of thing by not allowing pipes in .forward
if the user does not have a valid shell (listed in /etc/shells). Yes, if you
use procmail as the local delivery agent, then you need the same kind of mechanism
in procmail also (if it allows piping mail to programs).
The problem there is that for an 'ftp only' account, the shell has to
be in /etc/shells, or FTP will not work (with most FTP servers).
Ficus
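
The conflict described in this message, as an added example that is not part of the original post: a small audit that applies the /etc/shells test to each account and flags the ones whose shell is listed there only so that FTP works. The sample passwd and shells contents and the NO_LOGIN_SHELLS set are constructed assumptions.

```python
# Constructed sample data (not from the original post).
SAMPLE_SHELLS = """\
# /etc/shells
/bin/sh
/bin/csh
/bin/false
"""
SAMPLE_PASSWD = """\
alice:x:1001:100:Alice:/home/alice:/bin/csh
ftpjoe:x:1002:100:FTP only:/home/ftpjoe:/bin/false
pop3:x:1003:100:POP only:/home/pop3:/usr/local/bin/nologin-msg
bob:x:1004:100:Bob:/home/bob:
"""
# Assumption: shells that exist only to refuse interactive logins.
NO_LOGIN_SHELLS = {"/bin/false", "/bin/true", "/sbin/nologin"}


def parse_shells(text):
    """Return the set of paths in /etc/shells, skipping comments and blanks."""
    shells = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            shells.add(line)
    return shells


def audit(passwd_text, shells_text, no_login=NO_LOGIN_SHELLS):
    """Classify each account by whether the /etc/shells test lets it pipe mail."""
    valid = parse_shells(shells_text)
    report = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # skip malformed passwd entries
        user, shell = fields[0], fields[6] or "/bin/sh"  # empty field means /bin/sh
        if shell not in valid:
            report[user] = "pipes-blocked"
        elif shell in no_login:
            # Listed so FTP accepts the account, which also passes the pipe test.
            report[user] = "pipes-allowed-but-no-login"
        else:
            report[user] = "pipes-allowed"
    return report


if __name__ == "__main__":
    for user, status in audit(SAMPLE_PASSWD, SAMPLE_SHELLS).items():
        print(f"{user:8} {status}")
```

Accounts reported as pipes-allowed-but-no-login are the ones to review: they cannot log in, yet the shell test alone would still let their .forward or delivery rules run programs.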