procmail perms (BLFS)
Although I am strongly considering using maildrop as a replacement for the BLFS default local mail delivery agent for fetchmail, I've been reading up further on the venerable procmail tool.
It's been essentially abandoned upstream for a decade and a half. Some see it as finished product in need of no further maintenance but the Debian-based distros have released at least 25 patches, some of which tackle vulnerabilities cited by CVE.
At minimum, my take is that BLFS installs it (using the "make install-suid" target) with permissions that are too wide open. Before I make the possible jump to maildrop, I've found these perms to be sufficient for both of /usr/bin/{procmail,lockfile}:
02511
Since both binaries are under the group mail and /var/mail is writable by that group, it makes sense to restrict the perms.
Any thoughts to the contrary?
Last edited by re_nelson; 11-13-2015 at 07:14 PM.
|