In message <[EMAIL PROTECTED]>, Greg A. Woods writes:
>Personally I'm loathe to allow ordinary users to specify delivery to
>programs in the first place, and forcing them at minimum to arrange for
>their mail filters to run unprivileged seems like a very small price to
>pay. I seem to recall this was the solution taken by the AT&T UPAS
>mailer delivered as the default mailer on native UNIX System V Release 4.
>That's certainly the way it works on Plan 9:
>
> Filtering
> If the file /mail/box/username/pipeto exists and is read-
> able and executable by everyone, it will be run for each
> incoming message for the user. The message will be piped
> to it rather than appended to his/her mail box. The file
> is run as user `none'.
That's more an artifact of Plan 9 than of upas -- upas on Unix did
support 'Pipe to'. But Plan 9 has no notion of setuid nor (as I
recall) of superuser, so it can't do that. And while there are
certainly security issues with delivery to programs (that's why
sendmail had to implement smrsh), not having write ability to per-user
files causes problems for programs like 'vacation'.
--Steve Bellovin, http://www.research.att.com/~smb
