spamassassin a possible security risk?
Matthew Miller
mattdm at mattdm.org
Tue Oct 19 02:25:06 UTC 2004
On Tue, Oct 19, 2004 at 03:42:16AM +0200, Thomas Zehetbauer wrote:
> Although I know of no exploit at the moment I find it quite risky that
> Fedora currently comes configured to
> 1) run spamd as root
When run as root, it can setuid to the user running spamc. So that's
actually better.
> 1.1) allowing everyone to connect
Everyone on the local host. And that's who it's designed for; not sure this
is a problem.
> 1.2) trying to parse, lookup and impersonate an untrusted username
how's that?
> 1.3) scanning e-mail messages on behalf of that user
right.... that's what it does....
> 1.3.1) using system resources
as does anything the user runs. But if the daemon can switch userids, I
presume you can then account this resource use to that user.
> 1.3.2) possibly executing external applications and accessing network
> accounts
Depending on the configuration, yeah. Although what it does on the network
is somewhat limited, and presumably reasonably checked for security.
Tricking spamassassin into doing something Bad on the network seems like a
valid concern, though.
> 2) start spamd as user
> 2.1) allowing everyone to connect
> 2.2) trying to use the configuration of an untrusted user
> 2.3) using system resources
> 2.4) possibly executing external applications and accessing network
> accounts
Anyone can write a trivial little daemon to do this. You can do it with
httpd, if you want. You can do it from the command line with 'nc', or you
could use zsh shell builtins.
> Binding to 127.0.0.1 is not secure as linux by default uses the 'weak
> end host' model.
Except Fedora, as Red Hat Linux before it, turns on source route
verification by default. (Look at /etc/sysctl.conf.) So, it doesn't.
--
Matthew Miller mattdm at mattdm.org <http://www.mattdm.org/>
Boston University Linux ------> <http://linux.bu.edu/>
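
To check the setting the last paragraph of the reply points to, here is an added example (not part of the original message and not Fedora tooling). It assumes the "source route verification" mentioned is the kernel's rp_filter (reverse path filtering) sysctl, and reads the per-interface values under /proc/sys/net/ipv4/conf; the function name rp_filter_report and the --live switch are made up for this example.

```shell
#!/bin/sh
# Added example: report the effective rp_filter value per interface.
# Assumption: "source route verification" in the reply is the rp_filter sysctl.
# rp_filter values: 0 = off, 1 = strict, 2 = loose. Current kernels apply
# max(conf/all, conf/<iface>) when validating a packet's source on <iface>.

# rp_filter_report [CONF_DIR]
# Prints "<iface> <effective> <label>" per interface. Returns 1 if any
# interface ends up with filtering off, 2 if the tree cannot be read.
rp_filter_report() {
    conf_dir=${1:-/proc/sys/net/ipv4/conf}
    [ -r "$conf_dir/all/rp_filter" ] || {
        echo "cannot read $conf_dir/all/rp_filter" >&2
        return 2
    }
    all=$(cat "$conf_dir/all/rp_filter")
    status=0
    for f in "$conf_dir"/*/rp_filter; do
        iface=$(basename "$(dirname "$f")")
        # "all" and "default" are templates, not real interfaces.
        case $iface in all|default) continue ;; esac
        val=$(cat "$f")
        if [ "$all" -gt "$val" ]; then eff=$all; else eff=$val; fi
        case $eff in
            0) label=off; status=1 ;;
            1) label=strict ;;
            2) label=loose ;;
            *) label=unknown; status=1 ;;
        esac
        echo "$iface $eff $label"
    done
    return $status
}

# Query the running system only when invoked as: sh script.sh --live
if [ "${1:-}" = "--live" ]; then
    rp_filter_report
fi
```

A value set in /etc/sysctl.conf only takes effect once it has been loaded, so the live values under /proc are the ones to audit.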