Hi,
I was wondering if anyone had considered adding the ability to restrict the pre/postconnect fields on the Fetchmail Mail Retrieval server configuration page. I'm not seeing anything in the Webmin/Usermin fetchmail code and it appears that fetchmail itself has no way to disable or limit these settings, it just does a system() call prior to and/or after the mail server connection. I understand the purpose of these settings but would rather not allow arbitrary command execution on the server. For the few of our users that might make use of the Fetchmail feature, I doubt any would actually need the pre/postconnect settings.
I am aware of the folder options where you can pull in another POP3/IMAP server but I thought it might be nice to include the Fetchmail feature as well since it works a bit differently. I've been thinking about writing a wrapper that would strip out these lines from the config file but that's hardly optimal, plus I'm worried that I might miss something. The way the fetchmail binary is called could change, an alternate config file used, etc, and then all that was for naught.
I'd think this would be a fairly easy change, testing some $config/other variables in the index, edit, and save CGI scripts, although I realize there's some localization involved for new settings so it would still be a bit of work...
I don't know if this would be a worthwhile feature for everyone. It makes sense to me but if there's no call for it I'll try to figure out another way for us.
Thanks alot,
Mike
Comments
Submitted by JamieCameron on Thu, 10/05/2017 - 23:56 Comment #1
I suppose we could do this, however if the user has FTP access they could just directly edit their
.fetchmailrc
file to add these directives manually (once Fetchmail has been setup).Submitted by mhokenson on Fri, 10/06/2017 - 10:48 Comment #2
Yeah, I didn't think about that...
The only way to make it work would be to add some configuration for the FTP server to restrict access to that file. ProFTPd can do that but I don't know about everything else. Not a good idea to rely on restrictions in external components to help enforce an RFE elsewhere. It's way too hackish.
Probably the best way for other interested parties to accomplish this is simply to modify the source for fetchmail to ignore these settings and then tell their users.
I think we can call it a day with this bug. I'll go ahead and close it out as a won't fix. Maybe in the future fetchmail will have an option to ignore these settings and the issue could be revisited.
Thanks for the reply though!
Mike