### Copyright (C) 2001 John D. Hardin
### This program is free software; you can redistribute it and/or modify
### it under the terms of the GNU General Public License as published by
### the Free Software Foundation; either version 2 of the License, or
### (at your option) any later version.
###
### This program is distributed in the hope that it will be useful,
### but WITHOUT ANY WARRANTY; without even the implied warranty of
### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
### GNU General Public License for more details.
###
### Contact the copyright holder for commercial licensing terms
### if you wish to incorporate this code into non-GPL software.
###
#
#
# $Id: security-optout.procmail,v 0.4 2001-09-29 11:55:31-07 jhardin Exp jhardin $
#
# Front-end for Procmail Sanitizer to ease configuration of $MANGLE_EXTENSIONS
#
# If you want to permit users to opt out of certain security behaviors
# (e.g. don't mangle .eml attachments) then put a file named
# "security-optout.procmail" (or whatever you like) in their home directory.
# It should include lines like
#   SECURITY_OPTOUT_MAIL
# (which should be easy to build from a web front end).
# Standard shell commenting rules apply to this file.
#
# Add the following snippet to your /etc/procmailrc file.
# Caveat: if you set an OPTOUT option, the user will not be able to unset it.
# (The ${VAR:-...} form below only consults the user's file when VAR is
# unset or empty, so a value set site-wide beforehand always wins.)
#
# SECURITY_OPTOUT_FILENAME="$HOME/security-optout.procmail"
#
# :0
# * ? test -s $SECURITY_OPTOUT_FILENAME
# {
#   SECURITY_OPTOUT_OFFICE=${SECURITY_OPTOUT_OFFICE:-`grep SECURITY_OPTOUT_OFFICE $SECURITY_OPTOUT_FILENAME | sed -e 's/#.*//' -e 's/[^A-Z_]//g'`}
#   SECURITY_OPTOUT_HELP=${SECURITY_OPTOUT_HELP:-`grep SECURITY_OPTOUT_HELP $SECURITY_OPTOUT_FILENAME | sed -e 's/#.*//' -e 's/[^A-Z_]//g'`}
#   SECURITY_OPTOUT_MAIL=${SECURITY_OPTOUT_MAIL:-`grep SECURITY_OPTOUT_MAIL $SECURITY_OPTOUT_FILENAME | sed -e 's/#.*//' -e 's/[^A-Z_]//g'`}
#   SECURITY_OPTOUT_HTML=${SECURITY_OPTOUT_HTML:-`grep SECURITY_OPTOUT_HTML $SECURITY_OPTOUT_FILENAME | sed -e 's/#.*//' -e 's/[^A-Z_]//g'`}
#   SECURITY_OPTOUT_CLSID=${SECURITY_OPTOUT_CLSID:-`grep SECURITY_OPTOUT_CLSID $SECURITY_OPTOUT_FILENAME | sed -e 's/#.*//' -e 's/[^A-Z_]//g'`}
# }
#
# Notes on the snippet above:
#  - The opt-out file is user-writable but is read from the system-wide
#    /etc/procmailrc, so its contents must never reach a variable unfiltered.
#    The trailing sed strips the comment part and then deletes every
#    character outside [A-Z_]; keep that filter if you adapt the snippet.
#  - After filtering, ANY non-empty result counts as an opt-out (grep matches
#    the name anywhere on the line, so "SECURITY_OPTOUT_OFFICE=N" still opts
#    out). Presence of the name is the switch, not its value.
#  - $SECURITY_OPTOUT_FILENAME is unquoted in the test and grep commands;
#    quote it if $HOME can contain whitespace or shell metacharacters.
#
# Then perform your local policy setup as normal; you can use the
# SECURITY_OPTOUT_* and SECURITY_EXTENSIONS_* variables to
# configure local required policies, setting or clearing them as needed.
# Clearing SECURITY_OPTOUT_* variables after the above block will prevent the
# user from opting out of that security processing. If you're forcing
# all users to use a specific security option (e.g. mangle help files), then
# you can increase efficiency by omitting the relevant SECURITY_OPTOUT_*=
# line from the above block (since you don't care what the user has asked for).
#
# Then add:
#
# INCLUDERC=/etc/procmail/security-optout.procmail
#
# before you call the sanitizer. This will build the
# $MANGLE_EXTENSIONS variable based on the optout preferences.
#
# You can disable optout processing by setting $SECURITY_OPTOUT_DISABLE
# before calling security-optout.procmail
#
# Remember: OPTOUT means mangling and poisoning
# of those extensions is DISABLED!
#
# Default $MANGLE_EXTENSIONS as of 1.130:
# 'html?|exe|com|cmd|bat|pif|sc[rt]|lnk|dll|ocx|do[ct]|xl[swt]|p[po]t|rtf|vb[se]?|hta|p[lm]|sh[bs]|hlp|chm|eml|ws[cfh]|ad[ep]|jse?|md[abew]|ms[ip]|reg|as[dfx]|cil|pps|wm[szd]|vcf|nws|\{[-0-9a-f]+\}'
#
# The families below partition that default list: EXE + OFFICE + HELP +
# MAIL + HTML + the CLSID pattern together reproduce it exactly, so with no
# opt-outs the sanitizer sees the same extensions it would have used anyway.
#
# If you are using this with a pre-1.130 sanitizer, you ***MUST*** set
#   SECURITY_OPTOUT_CLSID=Y
# Otherwise the sanitizer will crash.
#
# Condition idiom used throughout:  "* VAR ?? [^ ]" matches the regexp
# against the value of VAR; [^ ] is any non-space character, so the
# condition reads "VAR is set to something non-blank", and "* ! ..." is
# its negation ("VAR is unset or blank").
#

# Reset this
# NOTE(review): if SECURITY_OPTOUT_DISABLE is set, the block below is
# skipped and MANGLE_EXTENSIONS stays empty; presumably the sanitizer then
# falls back to its built-in default list -- confirm for the version in use.
MANGLE_EXTENSIONS=""

# If Opt-Out not disabled
:0
* ! SECURITY_OPTOUT_DISABLE ?? [^ ]
{
  # Set up extension families
  # if you want to (for example) permit .exe files,
  # you'd override SECURITY_EXTENSIONS_EXE
  # before calling /etc/procmail/security-optout.procmail
  # Each family is only given its default when the operator has not
  # already set it to something non-blank.

  :0
  * ! SECURITY_EXTENSIONS_EXE ?? [^ ]
  {
    # directly executable, or otherwise dangerous
    SECURITY_EXTENSIONS_EXE='exe|com|cmd|bat|pif|sc[rt]|lnk|dll|ocx|vb[se]?|p[lm]|sh[bs]|ws[cfh]|ad[ep]|jse?|ms[ip]|reg|as[dfx]|cil|wm[szd]|nws'
  }

  :0
  * ! SECURITY_EXTENSIONS_OFFICE ?? [^ ]
  {
    # MS Office
    SECURITY_EXTENSIONS_OFFICE='do[ct]|xl[swt]|p[po]t|rtf|md[abew]|pps'
  }

  :0
  * ! SECURITY_EXTENSIONS_HELP ?? [^ ]
  {
    # Scriptable help files
    SECURITY_EXTENSIONS_HELP='hta|hlp|chm'
  }

  :0
  * ! SECURITY_EXTENSIONS_MAIL ?? [^ ]
  {
    # RFC-822 attachments, etc.
    SECURITY_EXTENSIONS_MAIL='eml|vcf'
  }

  :0
  * ! SECURITY_EXTENSIONS_HTML ?? [^ ]
  {
    # HTML attachments
    SECURITY_EXTENSIONS_HTML='html?'
  }

  # Build $MANGLE_EXTENSIONS based on optouts
  # Cannot opt out of EXEs...
  # override SECURITY_EXTENSIONS_EXE to fine-tune this
  # (there is deliberately no SECURITY_OPTOUT_EXE check: the EXE family is
  # the baseline every user gets, and only the operator can shrink it)
  MANGLE_EXTENSIONS="$SECURITY_EXTENSIONS_EXE"

  # Each optional family is appended only when the user has NOT opted out
  # of it AND the family itself is non-blank (an operator can disable a
  # family site-wide simply by clearing SECURITY_EXTENSIONS_<family>).

  :0
  * ! SECURITY_OPTOUT_OFFICE ?? [^ ]
  * SECURITY_EXTENSIONS_OFFICE ?? [^ ]
  {
    # MS Office
    MANGLE_EXTENSIONS="${MANGLE_EXTENSIONS}|${SECURITY_EXTENSIONS_OFFICE}"
  }

  :0
  * ! SECURITY_OPTOUT_HELP ?? [^ ]
  * SECURITY_EXTENSIONS_HELP ?? [^ ]
  {
    # Scriptable help files
    MANGLE_EXTENSIONS="${MANGLE_EXTENSIONS}|${SECURITY_EXTENSIONS_HELP}"
  }

  :0
  * ! SECURITY_OPTOUT_MAIL ?? [^ ]
  * SECURITY_EXTENSIONS_MAIL ?? [^ ]
  {
    # RFC-822 attachments, etc.
    MANGLE_EXTENSIONS="${MANGLE_EXTENSIONS}|${SECURITY_EXTENSIONS_MAIL}"
  }

  :0
  * ! SECURITY_OPTOUT_HTML ?? [^ ]
  * SECURITY_EXTENSIONS_HTML ?? [^ ]
  {
    # HTML attachments
    MANGLE_EXTENSIONS="${MANGLE_EXTENSIONS}|${SECURITY_EXTENSIONS_HTML}"
  }

  :0
  * ! SECURITY_OPTOUT_CLSID ?? [^ ]
  {
    # Class-ID extensions
    # WILL CRASH SANITIZERS OLDER THAN 1.130!
    # The pattern is fixed here rather than read from a family variable.
    MANGLE_EXTENSIONS="${MANGLE_EXTENSIONS}|\{[-0-9a-f]+\}"
  }

  # Normalise the alternation: drop leading and trailing "|" and collapse
  # runs of "|" into one. Needed because a cleared family (e.g. an empty
  # SECURITY_EXTENSIONS_EXE) would otherwise leave an empty alternative in
  # the regexp, which matches the empty string rather than nothing.
  MANGLE_EXTENSIONS=`echo "$MANGLE_EXTENSIONS" | sed -e 's/^|*//' -e 's/||*/|/g' -e 's/|*$//'`
}

# keep the environment small
# (procmail hands its variables to the programs it runs; only
#  MANGLE_EXTENSIONS is needed from here on, so clear the rest -- note this
#  also clears SECURITY_OPTOUT_DISABLE, so a later INCLUDERC cannot see it)
SECURITY_EXTENSIONS_EXE=
SECURITY_EXTENSIONS_OFFICE=
SECURITY_EXTENSIONS_HELP=
SECURITY_EXTENSIONS_MAIL=
SECURITY_EXTENSIONS_HTML=
SECURITY_OPTOUT_OFFICE=
SECURITY_OPTOUT_HELP=
SECURITY_OPTOUT_MAIL=
SECURITY_OPTOUT_HTML=
SECURITY_OPTOUT_CLSID=
SECURITY_OPTOUT_DISABLE=

#eof