Re: procmail

Brock Rozen (brozen@WEBDREAMS.COM)
Mon, 21 Jul 1997 10:34:32 -0400

On Mon, 21 Jul 1997, Illuminatus Primus wrote:

> > Here's a heads up to anyone running procmail v3.11pre4.
> >
> > FILES=| sed -n -e 's/^Subject:.*request \(.*\)/\1/p'
> >
> > | (cat; cat $FILES) | $SENDMAIL -oi -t

Obviously, you were not paying attention to procmailex well enough. It
*clearly* states that this is a dangerous script if you play around with
it too much:

"it does not return files that have names starting with a dot, nor does it
allow files to be retrieved that are outside the fileserver directory
tree (if you decide to munge this example, make sure you do not
inadvertently loosen this last restriction)."

It tells you straight out that it includes built-in security in the
script, but that if you play around too much, you should not play around
with one specific restriction -- which is the one that doesn't let you
retrieve any files outside of the directory you specify.

Yes, it can be a security problem, but only if you leave it open. Much like
creating a root account w/o a password would leave a system vulnerable.
Both are security holes, but not flaws in the system.

-------------------------------------------------------------------------
| Brock Rozen | brozen@webdreams.com | http://www.webdreams.com/~brozen |
-------------------------------------------------------------------------
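
The restriction quoted from procmailex above (no names starting with a dot, nothing outside the fileserver directory tree), written as a shell check that runs before a requested name reaches cat. This is an added example, not part of the original post and not the procmailex recipe; FILESERVER_ROOT, is_safe_request and serve_request are hypothetical names, and the default directory is an assumption.

```shell
#!/bin/sh
# Added illustration, not from the post or from procmailex.
# FILESERVER_ROOT, is_safe_request and serve_request are hypothetical names.
FILESERVER_ROOT=${FILESERVER_ROOT:-/var/spool/fileserver}   # assumed location

# Succeeds only if $1 holds one or more whitespace-separated names that are
# relative, have no component starting with a dot (so no dotfiles and no
# ".."), and use only characters from a small allow-list.
is_safe_request() {
    (
        set -f                              # never glob-expand the request
        count=0
        for name in $1; do
            case $name in
                *[!A-Za-z0-9._/-]*) exit 1 ;;   # metacharacters, quotes, globs
                /*)                 exit 1 ;;   # absolute path
                -*)                 exit 1 ;;   # would look like an option
                .*|*/.*)            exit 1 ;;   # dotfile, "./" or "../"
            esac
            count=$((count + 1))
        done
        [ "$count" -gt 0 ]                  # an empty request is refused
    )
}

# Prints the requested files from inside FILESERVER_ROOT, or refuses.
# Symlinks inside the tree are not resolved here; keep the tree free of them.
serve_request() {
    is_safe_request "$1" || { echo "request refused" >&2; return 1; }
    (
        set -f
        cd "$FILESERVER_ROOT" || exit 1
        for name in $1; do
            cat -- "./$name" || exit 1
        done
    )
}
```

The check is an allow-list: anything it does not recognise as a plain relative name is refused, rather than trying to enumerate bad input.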