[Esd-l] Making procmail play "nice"

John D. Hardin jhardin at impsec.org
Sat Sep 27 13:12:00 PDT 2003


On Sat, 27 Sep 2003, Kenneth Porter wrote:

> This inspires me to suggest an improvement to the Sanitizer: Take
> the Perl out and run it in a daemon process, answering to a Unix
> domain socket. A small client can be invoked from procmail to send
> the message to be scanned to the daemon. The daemon should run in
> a non-root sandbox as it's not doing anything that requires
> privileges. This would eliminate the Perl start-up cost
> per-message, and eliminate the line-length issues in the current
> Sanitizer. It does make the setup messier as each OS has different
> ways to run a daemon.

I've thought about this, and would certainly like to, but for certain
operations I'd like to support there are complications.

The simplest model - a shared quarantine and a shared log - would be
easily doable. More complicated options for per-user isolation I
haven't dealt with before, and suggestions are welcomed.

How would the daemon determine the correct recipient UID to become for
operations like stripping executables to a file? How does it do that
without the parent daemon being root?

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin at impsec.org                        pgpk -a jhardin at impsec.org
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  ...the Fates notice those who buy chainsaws...
                                              -- www.darwinawards.com
-----------------------------------------------------------------------
   39 days until Matrix Revolutions
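
Added example, not part of the original post or of the Sanitizer: on Linux, a non-root daemon can read the connecting client's UID from the kernel with SO_PEERCRED, and the client (run by procmail as the recipient) can pass an already-open quarantine file descriptor over the socket, so the daemon writes into the user's file without ever becoming that user. The function names, sample path and sample attachment are hypothetical and constructed for illustration; socket.send_fds/recv_fds need Python 3.9 or later.

```python
import os, socket, struct, tempfile

def peer_uid(conn):
    """UID of the process at the other end of a Unix socket, as reported
    by the kernel (Linux SO_PEERCRED; struct ucred = pid, uid, gid)."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                          struct.calcsize("iII"))
    _pid, uid, _gid = struct.unpack("iII", raw)
    return uid

def client_submit(sock, attachment, quarantine_path):
    """Hypothetical client, run by procmail as the recipient: it opens the
    per-user quarantine file itself and hands the open descriptor over."""
    fd = os.open(quarantine_path,
                 os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
    try:
        socket.send_fds(sock, [attachment], [fd])   # SCM_RIGHTS
    finally:
        os.close(fd)                                # daemon holds its own copy

def daemon_handle(conn):
    """Hypothetical unprivileged daemon: never calls setuid(); it writes only
    through the descriptor the recipient's own process opened."""
    uid = peer_uid(conn)
    data, fds, _flags, _addr = socket.recv_fds(conn, 65536, 1)
    if len(fds) != 1:
        for fd in fds:
            os.close(fd)
        raise ValueError("expected exactly one quarantine descriptor")
    try:
        os.write(fds[0], data)   # a real daemon would loop for large messages
    finally:
        os.close(fds[0])
    return uid

def demo():
    """Both ends in one process, so the reported peer UID is our own."""
    client, daemon = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    with client, daemon, tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "quarantine")        # constructed sample path
        client_submit(client, b"constructed sample attachment\n", path)
        uid = daemon_handle(daemon)
        with open(path, "rb") as f:
            return uid, f.read()

if __name__ == "__main__":
    print(demo())
```

The kernel-reported UID is usable for per-user logging or policy lookup, while file ownership and permissions stay those of the recipient because the recipient's own process created the file.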


