spamassassin a possible security risk?

Thomas Zehetbauer thomasz at hostmaster.org
Tue Oct 19 01:42:16 UTC 2004


Although I know of no exploit at the moment, I find it quite risky that
Fedora currently comes configured to

1) run spamd as root
1.1) allowing everyone to connect
1.2) trying to parse, lookup and impersonate an untrusted username
1.3) scanning e-mail messages on behalf of that user
1.3.1) using system resources
1.3.2) possibly executing external applications and accessing network
       accounts
2) start spamd as user
2.1) allowing everyone to connect
2.2) trying to use the configuration of an untrusted user
2.3) using system resources
2.4) possibly executing external applications and accessing network
     accounts

Binding to 127.0.0.1 is not secure as Linux by default uses the 'weak
end host' model.

Evolution can be configured to not start/use spamd/spamc but this must
be changed using gconf-edit (/apps/evolution/mail/junk/sa/use_daemon).

Tom

-- 
  T h o m a s   Z e h e t b a u e r   ( TZ251 )
  PGP encrypted mail preferred - KeyID 96FFCB89
      finger thomasz at hostmaster.org for key

Prohibiting cryptography to prevent terrorism is as meaningful as
...prohibiting mumming to prevent bank robbery!
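A defender's check for the configuration exposures listed in the post, written as an added example (it is not code from the post or from the Fedora package): it parses a spamd option string such as the SPAMDOPTIONS value from /etc/sysconfig/spamassassin and reports which of the listed exposures remain. Option spellings are assumed from spamd(1); the sample option lines are constructed.

```shell
#!/bin/sh
# Audit a spamd option string against the concerns in the post.
# Assumed option spellings (spamd(1)): -u/--username runs spamd as an
# unprivileged user, -A/--allowed-ips restricts TCP clients, --socketpath
# replaces the TCP listener with a Unix socket, -x/--nouser-config stops
# spamd from reading the per-user configuration of the username a client
# names. -d -c -m5 -H in the samples are daemon/create-prefs/max-children/
# helper-home options and do not affect the findings.

# has_opt OPTS FLAG... -> true if any FLAG appears as its own word or as FLAG=value
has_opt() {
    opts=$1; shift
    for word in $opts; do           # unquoted on purpose: split on whitespace
        for flag in "$@"; do
            case $word in
                "$flag"|"$flag"=*) return 0 ;;
            esac
        done
    done
    return 1
}

# audit_spamd_opts OPTS -> prints one line per finding, then "FINDINGS: N"
audit_spamd_opts() {
    opts=$1
    n=0
    if ! has_opt "$opts" -u --username; then
        echo "1)   spamd runs as root: add -u <unprivileged user>"
        n=$((n + 1))
    fi
    if ! has_opt "$opts" --socketpath && ! has_opt "$opts" -A --allowed-ips; then
        echo "1.1) anyone who can reach the TCP port may submit mail: add -A <clients> or use --socketpath"
        n=$((n + 1))
    fi
    if ! has_opt "$opts" -x --nouser-config; then
        echo "1.2) per-user config is read for whatever username the client names: add -x"
        n=$((n + 1))
    fi
    echo "FINDINGS: $n"
}

# Constructed samples: an unrestricted option line and a tightened one.
audit_spamd_opts "-d -c -m5 -H"
audit_spamd_opts "-d -c -m5 -H -u spamd -x --socketpath=/var/run/spamd.sock"
```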


