[Mimedefang] defang script using chown or chgrp

Jon Rowlan jon.rowlan at sads.com
Tue Apr 29 02:32:45 EDT 2008


Hi David,

>> When I issue 
>> system('cp', 'INPUTMSG', "/mailstore/$recipient/$MsgID");

> That is NOT a good idea.  Allowing arbitrary attacker-supplied data to
> be used to construct a filename is asking for trouble... but anyway...

I don't understand. I have around 20 domains. Sendmail filters mail so
that I only accept mail to these domains; therefore there is no ambiguity
or window of opportunity in $recipient (it actually only holds the
domain portion of the recipient name by this stage). $MsgID is a unique
name that is manufactured by sendmail. I am struggling to think of a way
that this can be abused by a third party.

>> the message gets saved correctly but with a user/group of "defang". I
>> want to chown or chgrp it so that it effectively belongs to or at least
>> can be read by a user. The Maildir is in the user's home.

> You can't do what you want unless you run MIMEDefang as root (and of
> course, MIMEDefang refuses to run as root, so....)

> You could (as you said) use a cron job to do the chown.  Or a SUID
> program (not recommended unless you are very careful).  Or use a
> database to store the messages instead of the file system.

I am going to use cron. I can see why chown/chgrp should be protected
from non-root users and this whole exercise is simply to give my users
access to a bucket of their awaiting emails for when their internet
connection/server is down. These are in no way expected to be long-term;
eventually their mail will be delivered normally. I can cron every 15
minutes quite comfortably. Using a database I am still left with a
problem. I need to pack the mail away in mimedefang but then unpack it
when the client wants access, although interestingly I had never
considered putting the mail into a database - it's certainly food for
thought!!

Regards,

jON
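
One way to check both path components inside the filter before the copy, so the path stays safe even if upstream filtering changes (an added example, not part of the original post and not MIMEDefang's own code). The domain list, the ID pattern, the helper name `store_path` and the sample inputs are assumptions constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;

# Assumption: the domains sendmail accepts mail for (constructed sample values).
my %ACCEPTED_DOMAIN = map { $_ => 1 } qw(example.com example.org);

# Store root as used in the post.
my $STORE_ROOT = '/mailstore';

# Hypothetical helper: returns the destination path, or undef when either
# component is not exactly what we expect.
sub store_path {
    my ($domain, $msgid) = @_;
    return unless defined $domain && defined $msgid;

    # Allowlist lookup: only exact, known domains pass. Strings such as
    # "../x" or "" can never match a key we put in the hash ourselves.
    $domain = lc $domain;
    return unless $ACCEPTED_DOMAIN{$domain};

    # Assumption: the ID is letters and digits only, of bounded length.
    # \A and \z anchor the whole string; "$" would let a trailing newline in.
    return unless $msgid =~ /\A[A-Za-z0-9]{6,32}\z/;

    return File::Spec->catfile($STORE_ROOT, $domain, $msgid);
}

# Constructed inputs: well-formed pairs followed by malformed ones.
my @cases = (
    ['example.com',     'm3T6WjX2012345'],
    ['Example.COM',     'm3T6WjX2012345'],
    ['example.com',     '../../tmp/elsewhere'],
    ['../otheruser',    'm3T6WjX2012345'],
    ['example.com',     "abc123\n"],
    ['unknown.example', 'm3T6WjX2012345'],
);

for my $c (@cases) {
    my $path = store_path(@$c);
    (my $shown = "$c->[0] / $c->[1]") =~ s/\n/\\n/g;
    printf "%-40s => %s\n", $shown, defined $path ? $path : 'REJECTED';
    # In the filter, copy only when a path came back:
    #   system('cp', 'INPUTMSG', $path) if defined $path;
}
```

The list form of `system` used in the post already keeps the shell out of the picture; the check above covers the remaining risk, which is where the file lands.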


