[wplug] SpamAssassin -- user_prefs security hole?

Bill Moran wmoran at potentialtech.com
Wed May 26 16:16:29 EDT 2004


Brandon Kuczenski wrote:
>>>>I see.  That is potent indeed.  Is there a way to make spamd not run as
>>>>root?
>>>>
>>>
>>>You could start it as a different user, but the problem would be similar.
>>>Users could run arbitrary perl as the user that is running spamd.
>>
> ....
> 
>>Running spamd as a special user (create a spamd user, for example) is
>>a good idea ... as long as you ensure that the spamd user doesn't have
>>access to anything dangerous.  You could even place various resource
>>limits on the spamd user to keep the process under control.  It's true
>>that any rules could run as user spamd ... just make sure that the
>>user spamd can't do anything dangerous!
> 
> <newbie>So.... how do I make a program run as a certain user?  At this 
> point I am starting spamd using Redhat's standard /etc/init.d/blarg 
> scripting paradigm (whoah, I think I actually used that word correctly!).

Generally, use su.  Something like this should work in an init script:

su spamduser -c spamd

(you probably need to use the full path to spamd in order for this to
work in an init script ...)
This assumes that you have a user called spamduser.

I haven't looked recently, but this construct is pretty common in
FreeBSD init scripts ... I'd be surprised if you couldn't find init
scripts on your Linux machine that were already doing this.

> Also, you mention resource limits... I haven't learned about those yet... 
> Can you point me to a handy reference?

This is one of those things I understand in FreeBSD and am only assuming
works in Linux.  A quick look at a nearby Fedora box didn't help me
any ... so I'll just explain how it works in FreeBSD and hope someone
can explain how it works in Linux.

In FreeBSD you have a file /etc/login.conf that can contain any number of
profiles, like this:

default:\
         :passwd_format=md5:\
         :copyright=/etc/COPYRIGHT:\
         :welcome=/etc/motd:\
         :setenv=MAIL=/var/mail/$,BLOCKSIZE=K,FTP_PASSIVE_MODE=YES:\
         :cputime=unlimited:\
         :datasize=unlimited:\
         :stacksize=unlimited:\
         :memorylocked=unlimited:\
         :memoryuse=unlimited:\
         :filesize=unlimited:\
    ...

This is the default profile, and it doesn't actually limit anything, in fact
it pretty much sets everything to unlimited.  Anyway, one can add profiles
with actual limits, such as limiting the amount of CPU a user can hog up,
or how much RAM they can allocate, or what the largest file they're allowed
to create is.

/etc/master.passwd (the "shadow password" file) contains a field for defining
which profile each user belongs to, so you can add different users to
different resource limit profiles.  If you don't define a profile, the system
gives them the "default" profile, which (as you can see) is unlimited by
default.

Now ... how Linux supplies the same functionality, I don't know ... anyone?
(I'd like to know ...)

As a side note, there are a number of add-on programs that can provide
similar capability.  DJB's softlimit comes to mind.

-- 
Bill Moran
Potential Technologies
http://www.potentialtech.com
