In message <20010518203508.DCF0EC3at_private>, Greg A. Woods writes: >Personally I'm loathe to allow ordinary users to specify delivery to >programs in the first place, and forcing them at minimum to arrange for >their mail filters to run unprivileged seems like a very small price to >pay. I seem to recall this was the solution taken by the AT&T UPAS >mailer delivered as the default mailer on native UNIX System V Release 4. >That's certainly the way it works on Plan 9: > > Filtering > If the file /mail/box/username/pipeto exists and is read- > able and executable by everyone, it will be run for each > incoming message for the user. The message will be piped > to it rather than appended to his/her mail box. The file > is run as user `none'. That's more an artifact of Plan 9 than of upas -- upas on Unix did support 'Pipe to'. But Plan 9 has no notion of setuid nor (as I recall) of superuser, so it can't do that. And while there are certainly security issues with delivery to programs (that's why sendmail had to implement smrsh), not having write ability to per-user files causes problems for programs like 'vacation'. --Steve Bellovin, http://www.research.att.com/~smb
This archive was generated by hypermail 2b30 : Fri May 18 2001 - 19:32:00 PDT