Re: global sieve rules (for all users)

On Mon, Jul 30, 2007, alexander benaguev <zulsigmatrans.ru> said:

> umask wrote:
>> May be Alexander Benaguev have examples of use
cases.
> I don't  have examples, just logic: users can manage
they scripts by 
> connecting to timsieved (it's part of dbmail), or they
can do this from 
> shell by dbmail-sievecmd. 'cose second case is
unlikely, you should 
> shutdown timsieved;)

Users should NEVER have access to dbmail-* commands. ALL of
the commands
potentially give access to ALL user data. They are designed
to be run on
closed servers where none of the users have shell access, or
have limited
shell access. That's why they're in /usr/sbin!

You might write some wrappers around the commands and allow
them to be
called from management scripts, but be damned sure to check
that you have
a -u option, that the value is of the user issuing the
command, and that
you escape the arguments fully (as with all shell
commands).

As for sieve script permissions, there might be some
interesting use cases
for restricting user access to edit scripts, and I think it
might fit in
nicely with ideas for system scripts, group/client scripts,
system-owned
user scripts, etc. Let's work out some of the ideas on a
wiki page:
http://d
bmail.org/dokuwiki/doku.php?id=sieve

Aaron
_______________________________________________
DBmail mailing list
DBmaildbmail.org
htt
ps://mailman.fastxs.nl/mailman/listinfo/dbmail