[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

spamassassin a possible security risk?



Although I know of no exploit at the moment I find it quite risky that
Fedora currently comes configured to 

1) run spamd as root
1.1) allowing everyone to connect
1.2) trying to parse, lookup and impersonate an untrusted username
1.3) scanning e-mail messages on behalf of that user
1.3.1) using system resources
1.3.2) possibly executing external applications and accessing network
       accounts
2) start spamd as user
2.1) allowing everyone to connect
2.2) trying to use the configuration of an untrusted user
2.3) using system resources
2.4) possibly executing external applications and accessing network
     accounts

Binding to 127.0.0.1 is not secure as linux by default uses the 'weak
end host' model.

Evolution can be configured to not start/use spamd/spamc but this must
be changed using gconf-edit (/apps/evolution/mail/junk/sa/use_daemon).

Tom

-- 
  T h o m a s   Z e h e t b a u e r   ( TZ251 )
  PGP encrypted mail preferred - KeyID 96FFCB89
      finger thomasz hostmaster org for key

Prohibiting cryptography to prevent terrorism is as meaningful as
...prohibiting mumming to prevent bank robbery!



Attachment: signature.asc
Description: This is a digitally signed message part


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]