Bugtraq mailing list archives

Re: procmail


From: dennis () bconnex net (Dennis Simpson)
Date: Tue, 6 Aug 1996 22:58:32 -0400


'ftponly' accounts, i.e. people grab email via pop, but also have ftp
access for maintaining their web pages, with a 'shell' that prints a
message and exits, then the following is possible to work around such
security...

What security?

(.procmailrc contents)
(end .procmailrc)

  Then email yourself with something with the password in the subject
line and an xterm gets popped up on the display, running the given
shell, thus bypassing any 'locked account' or 'ftponly' shells...

If the account is locked, how did they create the .procmailrc?
If the account is ftponly, how do they get access to ftp to this
obvious place for much more interesting mayhem than .procmailrc
xterms?

What security?

  I'm sure procmail MUST have some security feature to disallow this
sort of thing? But I could be wrong, and haven't checked the manual
pages yet.

What for? What are you asking procmail to defend against? The admin?

  For now I'm going to make procmail only executable by a certain
group, and stick the 'admin' types in that.

  Of course if you don't NEED X on the mail server, just delete it and
it removes THIS particular exploit. BUT I'd feel more comfortable with
making procmail only executable by 'internal' accounts. The customer,
in our case, isn't PAYING for a shell account, and so shouldn't get ANY
of the facilities of one... Never mind the security issues...

If the customer isn't paying for a shell account, don't give them one.
Point their home directory at something they cannot write, or something
non-existent.  Or do it with their .procmailrc if they don't have write
access to their home directory, but you do want them to have some
standard procmailrc recipe (one unsuitable for a global procmailrc).
Don't provide them with a shell.  If they don't need procmail, don't use
it to deliver their email.

If you give them shell access to put up web pages, worrying about their
being able to start an xterm this way versus another seems nonsensical
to me.  I don't actually see why "shell access" is necessary for putting
up web pages.  Why not let them ftp to their web page directories, but
restrict their home directories (if they have one)?

Am I missing something too simple here?

Thx,
dennis
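
An audit for the configuration the reply above recommends, as an added example that is not part of the original post: it reads passwd-format text and reports accounts with a restricted shell that can still write to their home directory or control a .procmailrc there. The restricted shell paths are assumptions, and supplementary group membership is not considered.

```python
import os
import stat

# Assumption: shells this site uses to mean "no shell access" (hypothetical).
RESTRICTED_SHELLS = {"/usr/local/bin/ftponly", "/bin/false", "/sbin/nologin"}


def controls(st, uid, gid):
    """True if the account can write the object described by stat result st."""
    if st.st_uid == uid:
        return True  # the owner can always chmod the write bit back on
    if st.st_gid == gid:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def audit(passwd_text, restricted=RESTRICTED_SHELLS):
    """Return (user, issue) pairs for restricted-shell accounts that could
    plant, or already control, a .procmailrc in their home directory."""
    findings = []
    for line in passwd_text.splitlines():
        fields = line.strip().split(":")
        if line.startswith("#") or len(fields) != 7:
            continue
        user, _, uid, gid, _, home, shell = fields
        if shell not in restricted:
            continue
        uid, gid = int(uid), int(gid)
        try:
            home_st = os.stat(home)
        except OSError:
            continue  # non-existent home: nowhere to put a .procmailrc
        if controls(home_st, uid, gid):
            findings.append((user, "home directory writable by account"))
        try:
            rc_st = os.lstat(os.path.join(home, ".procmailrc"))
        except OSError:
            continue  # no .procmailrc present
        if controls(rc_st, uid, gid):
            findings.append((user, ".procmailrc controlled by account"))
    return findings


if __name__ == "__main__":
    with open("/etc/passwd") as fh:
        for user, issue in audit(fh.read()):
            print(f"{user}: {issue}")
```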


