
Re: smail vs procmail



Mario Olimpio de Menezes <mario@curiango.ipen.br> writes:

> 	I have a .forward file with the following line:
> 
> "|IFS=' ' && p=/usr/bin/procmail && test -f $p && exec $p -Yf- || exit 75 #mario"
> 
> 	This used to work under sendmail. Now, I just replaced sendmail
> with smail and I can't get my email filtered through procmail.
<snip>
> 	Looking at /var/adm/smail/logfile, I found:
> 
> 12/29/1997 16:00:01: [m0xmjTt-0000YCa] "|IFS=' ' && p=/usr/bin/procmail \
> && test -f $p && exec $p -Yf- || exit 75 #mario" ... director \
> dotforward: child of <mario> insecure, access as 'nobody'
> 12/29/1997 16:00:01: [m0xmjTt-0000YCa] Delivered TO:IFS=' ' &&  \
> p=/usr/bin/procmail && test -f $p && exec $p -Yf- || exit 75 #mario \
> ORIG-TO:<mario> DIRECTOR:dotforward TRANSPORT:pipe
> 
> 	Can somebody help to decipher this for me, please?

Short answer (probably): chmod go-w ~/.forward

Well, for some reason smail is saying that your .forward file is
insecure - the rules smail uses for determining this are explained in
the smaildrct manpage - search for the word "unsecure" and then go
back and forth from that.

My /etc/smail/directors file (which is as generated by smailconfig)
has the following:
dotforward:
        driver=forwardfile, owner=postmaster, nobody, sender_okay;
        file=~/.forward,
        checkowner, modemask=022, owners=root,
        unsecure=0-99:~ftp:~uucp:/tmp:/var/tmp,

This means that a .forward file will be considered "secure" iff:
1) It is owned by either the user associated with the file
   (checkowner), or by root (owners=root)
2) It is not writeable by the group or by others (modemask=022)
3) It is not owned by anyone with a UID in the range 0-99
   (unsecure=0-99), nor is it in the directories ~ftp, ~uucp, /tmp, or 
   /var/tmp.  (unsecure=...:~ftp:~uucp:/tmp:/var/tmp)

My suspicion is that your .forward file is writeable by members of
your group - in the Debian default way of doing UIDs this isn't really 
a security hole, since each user is given her own group.  However, if
one is using a different user/group scheme for some reason, this could 
cause problems.  If your user ID happens to be between 0 and 99 for
some reason, then you can just change the list of unsecure UIDs in
/etc/smail/directors.

The reason why mail is failing is that when smail passes mail to a
pipe it considers "insecure", it runs the resulting child process as
user nobody, instead of your user ID.  I suspect that procmail is
trying to then modify files that (rightly) it can only modify when
it's you, not when it's the user nobody, and hence failing.  Somehow
this failure is not getting communicated to smail, which is
unfortunate, as that means that the mail isn't even accumulating in an 
error directory somewhere.
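
The three rules listed above, written out as a checker. This is an added example, not part of the original message and not smail's own code. It applies the 0-99 range to the recipient's UID, as the message's remark about changing the unsecure UID list does; the function names, sample path and UIDs are constructed.

```python
import os
import stat

# Values from the dotforward director quoted in the message above.
MODEMASK = 0o022                  # modemask=022: no group/other write
OWNERS = {0}                      # owners=root
UNSECURE_UIDS = range(0, 100)     # unsecure=0-99
UNSECURE_DIRS = ["~ftp", "~uucp", "/tmp", "/var/tmp"]


def expand_dirs(dirs):
    """Expand ~user entries; drop ones naming users that do not exist here."""
    out = []
    for d in dirs:
        e = os.path.expanduser(d)
        if not e.startswith("~"):
            out.append(os.path.normpath(e))
    return out


def forward_problems(path, owner_uid, mode, user_uid, unsecure_dirs):
    """Return the reasons a forward file would be treated as insecure."""
    problems = []
    # Rule 1: owned by the recipient (checkowner) or by a listed owner.
    if owner_uid != user_uid and owner_uid not in OWNERS:
        problems.append("owner")
    # Rule 2: none of the permission bits in modemask may be set.
    if stat.S_IMODE(mode) & MODEMASK:
        problems.append("mode")
    # Rule 3a: recipient UID falls in the unsecure range (assumed reading).
    if user_uid in UNSECURE_UIDS:
        problems.append("uid")
    # Rule 3b: file lives in or below an unsecure directory.
    parent = os.path.normpath(os.path.dirname(path))
    if any(parent == d or parent.startswith(d.rstrip("/") + "/")
           for d in unsecure_dirs):
        problems.append("dir")
    return problems


def check_forward(path, user_uid):
    """Audit a real file: lstat it and apply the rules above."""
    st = os.lstat(path)
    return forward_problems(path, st.st_uid, st.st_mode, user_uid,
                            expand_dirs(UNSECURE_DIRS))


if __name__ == "__main__":
    # Constructed sample: group-writable ~/.forward (mode 0664) for UID 1000.
    print(forward_problems("/home/mario/.forward", 1000, 0o100664, 1000,
                           ["/tmp", "/var/tmp"]))
```

An empty list means the file passes all three rules; "mode" alone is the case that chmod go-w ~/.forward clears.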

