Peter W wrote:
>To protect users from each other's ~/.forward instructions, it is necessary,
>as Wietse said, for the delivery agent to start with superuser privileges.
I'm not convinced. Imagine: ~/.forward-program could be a
setuid executable, owned by the user, and a non-root delivery
agent could exec() the relevant ~/.forward-program. Why can't
this approach be made to work? What am I missing?
(You might be concerned that malicious users on the same
system could inject forged mail by themselves exec()ing the
~/.forward-program. But this threat can be countered in several
ways. For instance, we could use file permissions: make
~/.forward-program mode 750, with group 'mail', and have the
delivery program run under user 'nobody', group 'mail'. Or,
we could use crypto: Create a public/private keypair for the
delivery agent, put the public key in /etc/agent.pub, have the
delivery agent sign the input it sends to ~/.forward-program,
and have ~/.forward-program check the signature on its input
against /etc/agent.pub.)
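One way the signing scheme in the last paragraph could look, as an added example that is not from the original thread: the delivery agent signs the mail it is about to pipe to ~/.forward-program, and the program verifies that signature against the agent's public key (the one that would be installed as /etc/agent.pub). Ed25519, the stdin layout and the sample message are my choices for the demonstration; the post names none of them.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Stdin layout the agent hands to ~/.forward-program (constructed for this
// example): a 64-byte Ed25519 signature followed by the mail itself.
const sigLen = ed25519.SignatureSize

// GenerateAgentKeys makes the agent keypair; the public half is what would
// be installed as /etc/agent.pub.
func GenerateAgentKeys() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// AgentSign: the non-root delivery agent signs the mail before exec()ing
// ~/.forward-program, so the program can tell agent input from bytes a
// local user pipes in by running it directly.
func AgentSign(priv ed25519.PrivateKey, mail []byte) []byte {
	out := make([]byte, 0, sigLen+len(mail))
	out = append(out, ed25519.Sign(priv, mail)...)
	return append(out, mail...)
}

// ForwardVerify: ~/.forward-program checks its input against the agent's
// public key and refuses to act on anything the agent did not sign.
func ForwardVerify(pub ed25519.PublicKey, input []byte) ([]byte, error) {
	if len(input) < sigLen {
		return nil, errors.New("input too short to carry a signature")
	}
	sig, mail := input[:sigLen], input[sigLen:]
	if !ed25519.Verify(pub, mail, sig) {
		return nil, errors.New("signature does not match /etc/agent.pub")
	}
	return mail, nil
}

func main() {
	pub, priv, _ := GenerateAgentKeys()
	good := AgentSign(priv, []byte("Subject: hi\r\n\r\nhello\r\n")) // constructed
	_, okErr := ForwardVerify(pub, good)
	good[sigLen] ^= 0x01 // one altered mail byte: no longer matches the signature
	_, badErr := ForwardVerify(pub, good)
	fmt.Println("agent-signed accepted:", okErr == nil, "altered rejected:", badErr != nil)
}
```

The signature binds only the message bytes, so a previously signed message fed back in later would still verify; a per-delivery nonce or timestamp inside the signed data is the usual way to close that gap, and the scheme as posted does not address it.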