>>>>> "Suresh" == Suresh Ramasubramanian <[EMAIL PROTECTED]> writes:

    Suresh> [EMAIL PROTECTED] (Raju Mathur) [Friday, August 09,
    Suresh> 2002 8:21 PM]:
    >> Welcome back to the original question: How to permit all groups
    >> except one to execute the sendmail binary. [1]

    Suresh> Why, by the way?  If remote execution by unauthorized
    Suresh> users is what you are concerned with, the best way to go
    Suresh> is -

    Suresh> * Upgrade to the latest formmail from
    Suresh> http://nms-cgi.sourceforge.net (fixes the horrendous bugs
    Suresh> in Matt Wright's code)

    Suresh> or

    Suresh> * Move to something far better, like cgiemail
    Suresh> (http://web.mit.edu/wwwdev/cgiemail/)

Aargh!  *Beating head against wall* I'm using the Monkey-something
formmail.pl, which is reputed to be secure.  But that DOES NOT secure
me from users installing and using THEIR OWN COPY of an insecure
formmail.pl!  That is why I asked the question in the first place!

Let me put it in simple terms:

- I have a web server hosting lots of sites.

- Each site has a CGI directory of their own, for their CGIs.

- There is a system-wide (secure) formmail.pl that is meant to be used
  by all clients.

- Some clients do not use the system-wide formmail.

- Some clients create and/or install their own formmail and use that.

- The client-written formmails are usually insecure and permit
  relaying.

- All the formmails have similar functionality.

- All the formmails call the sendmail binary to actually send the
  mail.

- It doesn't matter which MTA the sendmail binary belongs to.

- The (MTA-agnostic) sendmail binary is needed to deliver mails to
  user accounts.  (This is a requirement.  Read VishwaKarma source to
  know why this is so.)

- The server gets into the blackhole lists when spammers exploit the
  client-provided formmails.

OK, so what I want is (again in simple terms):

- How to fix things so that the system-provided formmail.pl can send
  mails.

- How to fix things so that the client-provided formmail.pl's cannot
  send mails.

- How to ignore the fact that the client could write a formmail that
  talks directly to port 25 on localhost (which has relaying enabled
  by default for itself).  If he's smart enough to do that he's also
  probably smart enough to prevent relaying.  If not, I can catch him
  on the envelope From or on ident.

Hope that makes it clear.  But me no more buts about the sendmail
compatibility mode in other MTAs, installing procmail by breaking the
dependency on sendmail, list of secure formmail scripts, etc. please.

    Suresh> [snip]

Regards,

-- Raju
-- 
Raju Mathur          [EMAIL PROTECTED]           http://kandalaya.org/
                     It is the mind that moves

