[wplug] SpamAssassin -- user_prefs security hole?
Brandon Kuczenski
brandon at 301south.net
Wed May 26 01:25:18 EDT 2004
> On Tue, 25 May 2004, Brandon Kuczenski wrote:
>
> > The SpamAssassin documentation explains that it is a security risk to
> > allow individual users to write their own rules:
> >
> > allow_user_rules { 0 | 1 } (default: 0)
> > This setting allows users to create rules (and only rules) in their
> > "user_prefs" files for use with "spamd". It defaults to off,
> > because this could be a severe security hole. It may be possible
> > for users to gain root level access if "spamd" is run as root.
> >
> > Does anyone have an idea why this is? If such a practice is discouraged,
> > how are individual users supposed to customize their filters? Are they
> > *not* supposed to? Whyever not?
>
> If spamd (the daemon) is running as root, and users are able to create
> their own rules, then when that rule is run, it will be run as root. I
> haven't read all the man pages yet, but this might be a hint:
>
> header SYMBOLIC_TEST_NAME eval:name_of_eval_method([arguments])
>
> That implies that one could create a function called name_of_eval_method
> (or anything) and include an appropriate header line in user_prefs and
> that would be run as root. This gives the user the power to run arbitrary
> perl code as root. In most cases, users won't need to create their own
> tests. If they have a test that's useful to the server in general, they
> could have it reviewed by you, and put into
> /etc/mail/spamassassin/local.cf for example.
I see. That is potent indeed. Is there a way to make spamd not run as
root?
>
> If this isn't just a question out of curiousity about that note in the man
> page, you might be confusing creating a test, and changing the score of a
> test. The latter is okay for users to do and isn't related to that
> setting.
>
I was under the impression that the user_prefs file is not even read
unless allow_user_rules is set. But I just proved myself wrong with a
simple test.
Do you know how I can access debugging information from spamd? I can't
figure out where it gets stored, if anywhere. Do I need to attach a
stderr redirect to the spamd command?
-Brandon
More information about the wplug
mailing list