[wplug] SpamAssassin -- user_prefs security hole?

James O'Kane jo2y at midnightlinux.com
Wed May 26 00:56:43 EDT 2004


On Tue, 25 May 2004, Brandon Kuczenski wrote:

> The SpamAssassin documentation explains that it is a security risk to
> allow individual users to write their own rules:
>
>    allow_user_rules { 0 | 1 }         (default: 0)
>        This setting allows users to create rules (and only rules) in their
>        "user_prefs" files for use with "spamd". It defaults to off,
>        because this could be a severe security hole. It may be possible
>        for users to gain root level access if "spamd" is run as root.
>
> Does anyone have an idea why this is?  If such a practice is discouraged,
> how are individual users supposed to customize their filters?  Are they
> *not* supposed to?  Whyever not?

If spamd (the daemon) is running as root, and users are able to create
their own rules, then when that rule is run, it will be run as root. I
haven't read all the man pages yet, but this might be a hint:

header SYMBOLIC_TEST_NAME eval:name_of_eval_method([arguments])

That implies that one could create a function called name_of_eval_method
(or anything) and include an appropriate header line in user_prefs and
that would be run as root. This gives the user the power to run arbitrary
Perl code as root. In most cases, users won't need to create their own
tests. If they have a test that's useful to the server in general, they
could have it reviewed by you, and put into
/etc/mail/spamassassin/local.cf for example.

If this isn't just a question out of curiosity about that note in the man
page, you might be confusing creating a test, and changing the score of a
test. The latter is okay for users to do and isn't related to that
setting.

-james
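
An added example, not part of the original message and not SpamAssassin's own code: a small Python audit that separates score and preference lines in a user_prefs file from rule definitions, so that user-submitted tests can be reviewed before they are copied into local.cf as the reply suggests. The directive lists are a subset chosen for illustration, and the sample file contents are constructed.

```python
# Directives that define tests: the "rules" that allow_user_rules governs
# (subset chosen for this example).
RULE_DIRECTIVES = {"header", "body", "rawbody", "uri", "full", "meta"}
# Directives that only tune existing tests or per-user preferences
# (subset chosen for this example).
PREF_DIRECTIVES = {"score", "required_score", "whitelist_from", "blacklist_from"}


def audit_user_prefs(text):
    """Classify each non-comment line of a user_prefs file.

    Returns a list of (line_number, kind, line), where kind is one of
    'preference', 'rule', 'eval-rule' or 'other'.
    """
    findings = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 2)
        directive = fields[0]
        if directive in PREF_DIRECTIVES:
            kind = "preference"
        elif directive in RULE_DIRECTIVES:
            definition = fields[2] if len(fields) > 2 else ""
            # eval: tests call into Perl code, so they get their own label.
            kind = "eval-rule" if definition.startswith("eval:") else "rule"
        else:
            kind = "other"
        findings.append((number, kind, line))
    return findings


def needs_review(text):
    """Lines an administrator should review before adding them to local.cf."""
    return [f for f in audit_user_prefs(text) if f[1] in ("rule", "eval-rule")]


# Constructed sample user_prefs content (not from the original post).
SAMPLE = """\
# per-user tuning
required_score 6.0
score SUBJ_ALL_CAPS 0.5
whitelist_from friend@example.com
header LOCAL_DEMO_SUBJECT Subject =~ /cheap pills/i
score LOCAL_DEMO_SUBJECT 2.0
header LOCAL_DEMO_EVAL eval:name_of_eval_method()
"""

if __name__ == "__main__":
    for number, kind, line in audit_user_prefs(SAMPLE):
        print(f"{number:>3} {kind:<10} {line}")
```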



