
Member "security-optout.procmail" (29 Sep 2001, 6163 Bytes) of package /linux/privat/old/procmail-sanitizer.tar.gz:



    1 ### Copyright (C) 2001 John D. Hardin
    2 ### This program is free software; you can redistribute it and/or modify
    3 ### it under the terms of the GNU General Public License as published by
    4 ### the Free Software Foundation; either version 2 of the License, or
    5 ### (at your option) any later version.
    6 ###
    7 ### This program is distributed in the hope that it will be useful,
    8 ### but WITHOUT ANY WARRANTY; without even the implied warranty of
    9 ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   10 ### GNU General Public License for more details.
   11 ###
   12 ### Contact the copyright holder for commercial licensing terms
   13 ### if you wish to incorporate this code into non-GPL software.
   14 ###
   15 #
   16 # <jhardin@impsec.org>
   17 # $Id: security-optout.procmail,v 0.4 2001-09-29 11:55:31-07 jhardin Exp jhardin $
   18 #
   19 # Front-end for Procmail Sanitizer to ease configuration of $MANGLE_EXTENSIONS
   20 #
   21 # If you want to permit users to opt out of certain security behaviors
   22 # (e.g. don't mangle .eml attachments) then put a file named
   23 # "security-optout.procmail" (or whatever you like) in their home directory.
   24 # It should include lines like
   25 #    SECURITY_OPTOUT_MAIL
   26 # (which should be easy to build from a web front end).
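   27 # Standard shell commenting rules apply to this file. With the snippet below only the option name matters: any uncommented line containing it opts out, even one written as "SECURITY_OPTOUT_MAIL=N".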
   28 #
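   29 # Add the following snippet to your /etc/procmailrc file. Note that /etc/procmailrc can run with root privileges while the opt-out file is user-writable; consider whether DROPPRIVS=yes should be set before the snippet.
   30 # Caveat: if you set an OPTOUT option, the user will not be able to unset it, because ${VAR:-...} reads the user's file only while the variable is still empty.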
   31 #
   32 #  SECURITY_OPTOUT_FILENAME="$HOME/security-optout.procmail"
   33 #
   34 #  :0
   35 #  * ? test -s $SECURITY_OPTOUT_FILENAME
   36 #  {
   37 #    SECURITY_OPTOUT_OFFICE=${SECURITY_OPTOUT_OFFICE:-`grep SECURITY_OPTOUT_OFFICE $SECURITY_OPTOUT_FILENAME | sed -e 's/#.*//' -e 's/[^A-Z_]//g'`}
   38 #    SECURITY_OPTOUT_HELP=${SECURITY_OPTOUT_HELP:-`grep SECURITY_OPTOUT_HELP $SECURITY_OPTOUT_FILENAME | sed -e 's/#.*//' -e 's/[^A-Z_]//g'`}
   39 #    SECURITY_OPTOUT_MAIL=${SECURITY_OPTOUT_MAIL:-`grep SECURITY_OPTOUT_MAIL $SECURITY_OPTOUT_FILENAME | sed -e 's/#.*//' -e 's/[^A-Z_]//g'`}
   40 #    SECURITY_OPTOUT_HTML=${SECURITY_OPTOUT_HTML:-`grep SECURITY_OPTOUT_HTML $SECURITY_OPTOUT_FILENAME | sed -e 's/#.*//' -e 's/[^A-Z_]//g'`}
   41 #    SECURITY_OPTOUT_CLSID=${SECURITY_OPTOUT_CLSID:-`grep SECURITY_OPTOUT_CLSID $SECURITY_OPTOUT_FILENAME | sed -e 's/#.*//' -e 's/[^A-Z_]//g'`}
   42 #  }
   43 #
   44 # Then perform your local policy setup as normal; you can use the
   45 # SECURITY_OPTOUT_* and SECURITY_EXTENSIONS_* variables to
   46 # configure local required policies, setting or clearing them as needed.
   47 # Clearing SECURITY_OPTOUT_* variables after the above block will prevent the
   48 # user from opting out of that security processing. If you're forcing
   49 # all users to use a specific security option (e.g. mangle help files), then
   50 # you can increase efficiency by omitting the relevant SECURITY_OPTOUT_*=
   51 # line from the above block (since you don't care what the user has asked for).
   52 #
   53 # Then add:
   54 #
   55 #    INCLUDERC=/etc/procmail/security-optout.procmail
   56 #
   57 # before you call the sanitizer. This will build the
   58 # $MANGLE_EXTENSIONS variable based on the optout preferences.
   59 #
   60 # You can disable optout processing by setting $SECURITY_OPTOUT_DISABLE
   61 # before calling security-optout.procmail
   62 #
   63 # Remember: OPTOUT means mangling and poisoning
   64 #           of those extensions is DISABLED!
   65 #
   66 # Default $MANGLE_EXTENSIONS as of 1.130:
   67 #  'html?|exe|com|cmd|bat|pif|sc[rt]|lnk|dll|ocx|do[ct]|xl[swt]|p[po]t|rtf|vb[se]?|hta|p[lm]|sh[bs]|hlp|chm|eml|ws[cfh]|ad[ep]|jse?|md[abew]|ms[ip]|reg|as[dfx]|cil|pps|wm[szd]|vcf|nws|\{[-0-9a-f]+\}'
   68 #
   69 # If you are using this with a pre-1.130 sanitizer, you ***MUST*** set
   70 #   SECURITY_OPTOUT_CLSID=Y
   71 # Otherwise the sanitizer will crash.
   72 #
   73 
   74 # Reset this: start from an empty list so any value inherited from the caller is discarded
   75 MANGLE_EXTENSIONS=""
   76 # NOTE(review): the list stays empty when SECURITY_OPTOUT_DISABLE is set - presumably the sanitizer then applies its own default; confirm
   77 # If Opt-Out not disabled: run this block only when SECURITY_OPTOUT_DISABLE is unset or blank ("?? [^ ]" matches any non-space character)
   78 :0
   79 * ! SECURITY_OPTOUT_DISABLE ?? [^ ]
   80 {
   81   # Set up extension families. Each default below is applied only when the
   82   # variable is still blank, so if you want to (for example) permit .exe files,
   83   # you'd override SECURITY_EXTENSIONS_EXE with a non-blank pattern
   84   # before calling /etc/procmail/security-optout.procmail
   85 
   86   :0
   87   * ! SECURITY_EXTENSIONS_EXE ?? [^ ]
   88   {
   89     # directly executable, or otherwise dangerous (this family has no opt-out check below)
   90     SECURITY_EXTENSIONS_EXE='exe|com|cmd|bat|pif|sc[rt]|lnk|dll|ocx|vb[se]?|p[lm]|sh[bs]|ws[cfh]|ad[ep]|jse?|ms[ip]|reg|as[dfx]|cil|wm[szd]|nws'
   91   }
   92   
   93   :0
   94   * ! SECURITY_EXTENSIONS_OFFICE ?? [^ ]
   95   {
   96     # MS Office file extensions
   97     SECURITY_EXTENSIONS_OFFICE='do[ct]|xl[swt]|p[po]t|rtf|md[abew]|pps'
   98   }
   99   
  100   :0
  101   * ! SECURITY_EXTENSIONS_HELP ?? [^ ]
  102   {
  103     # Scriptable help files
  104     SECURITY_EXTENSIONS_HELP='hta|hlp|chm'
  105   }
  106   
  107   :0
  108   * ! SECURITY_EXTENSIONS_MAIL ?? [^ ]
  109   {
  110     # RFC-822 attachments, etc.
  111     SECURITY_EXTENSIONS_MAIL='eml|vcf'
  112   }
  113   
  114   :0
  115   * ! SECURITY_EXTENSIONS_HTML ?? [^ ]
  116   {
  117     # HTML attachments
  118     SECURITY_EXTENSIONS_HTML='html?'
  119   }
  120   
  121   # Build $MANGLE_EXTENSIONS based on optouts: a family is appended only when its OPTOUT variable is blank and its pattern is non-blank
  122   
  123   # Cannot opt out of EXEs: this family is always included, with no OPTOUT test.
  124   # override SECURITY_EXTENSIONS_EXE to fine-tune this
  125   MANGLE_EXTENSIONS="$SECURITY_EXTENSIONS_EXE"
  126 
  127   :0
  128   * ! SECURITY_OPTOUT_OFFICE ?? [^ ]
  129   *   SECURITY_EXTENSIONS_OFFICE ?? [^ ]
  130   {
  131     # MS Office
  132     MANGLE_EXTENSIONS="${MANGLE_EXTENSIONS}|${SECURITY_EXTENSIONS_OFFICE}"
  133   }
  134   
  135   :0
  136   * ! SECURITY_OPTOUT_HELP ?? [^ ]
  137   *   SECURITY_EXTENSIONS_HELP ?? [^ ]
  138   {
  139     # Scriptable help files
  140     MANGLE_EXTENSIONS="${MANGLE_EXTENSIONS}|${SECURITY_EXTENSIONS_HELP}"
  141   }
  142   
  143   :0
  144   * ! SECURITY_OPTOUT_MAIL ?? [^ ]
  145   *   SECURITY_EXTENSIONS_MAIL ?? [^ ]
  146   {
  147     # RFC-822 attachments, etc.
  148     MANGLE_EXTENSIONS="${MANGLE_EXTENSIONS}|${SECURITY_EXTENSIONS_MAIL}"
  149   }
  150   
  151   :0
  152   * ! SECURITY_OPTOUT_HTML ?? [^ ]
  153   *   SECURITY_EXTENSIONS_HTML ?? [^ ]
  154   {
  155     # HTML attachments
  156     MANGLE_EXTENSIONS="${MANGLE_EXTENSIONS}|${SECURITY_EXTENSIONS_HTML}"
  157   }
  158 
  159   :0
  160   * ! SECURITY_OPTOUT_CLSID ?? [^ ]
  161   {
  162     # Class-ID extensions: a brace-wrapped run of hex digits and dashes, appended as a literal pattern
  163     # WILL CRASH SANITIZERS OLDER THAN 1.130!
  164     MANGLE_EXTENSIONS="${MANGLE_EXTENSIONS}|\{[-0-9a-f]+\}"
  165   }
  166   # Tidy the joined list: strip leading and trailing "|" and collapse runs of "|" into one
  167   MANGLE_EXTENSIONS=`echo "$MANGLE_EXTENSIONS" | sed -e 's/^|*//' -e 's/||*/|/g' -e 's/|*$//'`
  168 }
  169 
  170 # keep the environment small: blank every helper variable once $MANGLE_EXTENSIONS has been built
  171 SECURITY_EXTENSIONS_EXE=
  172 SECURITY_EXTENSIONS_OFFICE=
  173 SECURITY_EXTENSIONS_HELP=
  174 SECURITY_EXTENSIONS_MAIL=
  175 SECURITY_EXTENSIONS_HTML=
  176 SECURITY_OPTOUT_OFFICE=
  177 SECURITY_OPTOUT_HELP=
  178 SECURITY_OPTOUT_MAIL=
  179 SECURITY_OPTOUT_HTML=
  180 SECURITY_OPTOUT_CLSID=
  181 # The disable switch is blanked too, so a later include of this file sees it blank unless it is set again
  182 SECURITY_OPTOUT_DISABLE=
  183 
  184 #eof