Peter W wrote:
>To protect users from each others' ~/.forward instructions, it is necessary,
>as Wietse said, for the delivery agent to start with superuser privileges.

I'm not convinced. Imagine: ~/.forward-program could be a setuid executable, owned by the user, and a non-root delivery agent could exec() the relevant ~/.forward-program. Why can't this approach be made to work? What am I missing?

(You might be concerned that malicious users on the same system could inject forged mail by themselves exec()ing the ~/.forward-program. But this threat can be countered in several ways. For instance, we could use file permissions: make ~/.forward-program mode 750, with group 'mail', and have the delivery program run under user 'nobody', group 'mail'. Or, we could use crypto: Create a public/private keypair for the delivery agent, put the public key in /etc/agent.pub, have the delivery agent sign the input it sends to ~/.forward-program, and have ~/.forward-program check the signature on its input against /etc/agent.pub.)
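The crypto variant sketched in the message above, worked through as an added Go example; this is not code from the original post or from any mail system. It assumes an Ed25519 keypair for the delivery agent (the public half standing in for /etc/agent.pub), a hypothetical envelope layout on ~/.forward-program's stdin (recipient line, signature line, then the raw body), and hypothetical function names `AgentSign` (the delivery-agent side) and `ForwardVerify` (the ~/.forward-program side). It goes one step beyond the post by binding the recipient into the signed data, so a validly signed envelope for one user cannot simply be fed to another user's program.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// Hypothetical envelope handed from the non-root delivery agent to
// ~/.forward-program on stdin:
//
//   line 1: recipient (the local user the forward program runs as)
//   line 2: base64 Ed25519 signature over "<recipient>\n<body>"
//   rest:   the raw message body
//
// Binding the recipient into the signature means an envelope captured for
// one user does not verify when replayed into another user's program.

// NewAgentKeypair generates the delivery agent's keypair; the public half is
// what the post proposes to publish as /etc/agent.pub (assumption: Ed25519).
func NewAgentKeypair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// signedData is the exact byte string both sides sign and verify.
func signedData(recipient string, body []byte) []byte {
	return append([]byte(recipient+"\n"), body...)
}

// AgentSign is the delivery-agent side: build the signed envelope for one
// recipient. A newline in the recipient would break the line-based layout,
// so it is rejected rather than silently producing a malformed envelope.
func AgentSign(priv ed25519.PrivateKey, recipient string, body []byte) ([]byte, error) {
	if bytes.ContainsRune([]byte(recipient), '\n') {
		return nil, errors.New("recipient must not contain a newline")
	}
	sig := ed25519.Sign(priv, signedData(recipient, body))
	var env bytes.Buffer
	env.WriteString(recipient + "\n")
	env.WriteString(base64.StdEncoding.EncodeToString(sig) + "\n")
	env.Write(body)
	return env.Bytes(), nil
}

// ForwardVerify is the ~/.forward-program side: parse the envelope, check it
// is addressed to the user this program runs as, and verify the signature
// against the agent's public key before returning the body to act on.
func ForwardVerify(pub ed25519.PublicKey, expectedRecipient string, envelope []byte) ([]byte, error) {
	parts := bytes.SplitN(envelope, []byte("\n"), 3)
	if len(parts) != 3 {
		return nil, errors.New("malformed envelope: need recipient, signature and body")
	}
	recipient := string(parts[0])
	if recipient != expectedRecipient {
		return nil, fmt.Errorf("envelope addressed to %q, not %q", recipient, expectedRecipient)
	}
	sig, err := base64.StdEncoding.DecodeString(string(parts[1]))
	if err != nil || len(sig) != ed25519.SignatureSize {
		return nil, errors.New("malformed signature line")
	}
	body := parts[2]
	if !ed25519.Verify(pub, signedData(recipient, body), sig) {
		return nil, errors.New("signature does not verify against /etc/agent.pub: not from the delivery agent")
	}
	return body, nil
}

func main() {
	pub, priv, err := NewAgentKeypair()
	if err != nil {
		panic(err)
	}
	// Constructed sample message; not real mail.
	body := []byte("From: alice@example.test\nSubject: hi\n\nconstructed sample message\n")
	env, _ := AgentSign(priv, "bob", body)
	if got, err := ForwardVerify(pub, "bob", env); err == nil {
		fmt.Printf("accepted %d-byte body from the delivery agent\n", len(got))
	}
	// An envelope assembled locally without the agent's private key carries
	// no valid signature and is rejected.
	zeroSig := base64.StdEncoding.EncodeToString(make([]byte, ed25519.SignatureSize))
	forged := []byte("bob\n" + zeroSig + "\nforged body\n")
	if _, err := ForwardVerify(pub, "bob", forged); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

In a real deployment the private key would live only with the delivery agent's uid and the forward program would read the public key from /etc/agent.pub; the file-permission variant from the post (mode 750, group 'mail') can be layered on top, since the two checks are independent.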
This archive was generated by hypermail 2b30 : Sat May 19 2001 - 19:18:36 PDT