[wplug] SpamAssassin -- user_prefs security hole?

Brandon Kuczenski brandon at 301south.net
Wed May 26 01:25:18 EDT 2004 

> On Tue, 25 May 2004, Brandon Kuczenski wrote:
> 
> > The SpamAssassin documentation explains that it is a security risk to
> > allow individual users to write their own rules:
> >
> >    allow_user_rules { 0 | 1 }         (default: 0)
> >        This setting allows users to create rules (and only rules) in their
> >        "user_prefs" files for use with "spamd". It defaults to off,
> >        because this could be a severe security hole. It may be possible
> >        for users to gain root level access if "spamd" is run as root.
> >
> > Does anyone have an idea why this is?  If such a practice is discouraged,
> > how are individual users supposed to customize their filters?  Are they
> > *not* supposed to?  Whyever not?
> 
> If spamd (the daemon) is running as root, and users are able to create
> their own rules, then when that rule is run, it will be run as root. I
> haven't read all the man pages yet, but this might be a hint:
> 
> header SYMBOLIC_TEST_NAME eval:name_of_eval_method([arguments])
> 
> That implies that one could create a function called name_of_eval_method
> (or anything) and include an appropriate header line in user_prefs and
> that would be run as root. This gives the user the power to run arbitrary
> perl code as root. In most cases, users won't need to create their own
> tests. If they have a test that's useful to the server in general, they
> could have it reviewed by you, and put into
> /etc/mail/spamassassin/local.cf for example.

I see.  That is potent indeed.  Is there a way to make spamd not run as 
root? 

> 
> If this isn't just a question out of curiousity about that note in the man
> page, you might be confusing creating a test, and changing the score of a
> test. The latter is okay for users to do and isn't related to that
> setting.
> 

I was under the impression that the user_prefs file is not even read 
unless allow_user_rules is set.  But I just proved myself wrong with a 
simple test.

Do you know how I can access debugging information from spamd? I can't 
figure out where it gets stored, if anywhere.  Do I need to attach a 
stderr redirect to the spamd command?



-Brandon

More information about the wplug mailing list