[Esd-l] Making procmail play "nice"
John D. Hardin
jhardin at impsec.org
Sat Sep 27 13:12:00 PDT 2003
On Sat, 27 Sep 2003, Kenneth Porter wrote:
> This inspires me to suggest an improvement to the Sanitizer: Take
> the Perl out and run it in a daemon process, answering to a Unix
> domain socket. A small client can be invoked from procmail to send
> the message to be scanned to the daemon. The daemon should run in
> a non-root sandbox as it's not doing anything that requires
> privileges. This would eliminate the Perl start-up cost
> per-message, and eliminate the line-length issues in the current
> Sanitizer. It does make the setup messier as each OS has different
> ways to run a daemon.
I've thought about this, and would certainly like to, but for certain
operations I'd like to support there are complications.
The simplest model - a shared quarantine and a shared log - would be
easily doable. More complicated options for per-user isolation I
haven't dealt with before, and suggestions are welcomed.
How would the daemon determine the correct recipient UID to become for
operations like stripping executables to a file? How does it do that
without the parent daemon being root?
--
John Hardin KA7OHZ ICQ#15735746 http://www.impsec.org/~jhardin/
jhardin at impsec.org pgpk -a jhardin at impsec.org
key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
...the Fates notice those who buy chainsaws...
-- www.darwinawards.com
-----------------------------------------------------------------------
39 days until Matrix Revolutions
More information about the esd-l
mailing list