Re: spamassassin a possible security risk?

[Ow Mun Heng <Ow Mun Heng wdc com>]

On Tue, 2004-10-19 at 10:53, Matthew Miller wrote:
> On Mon, Oct 18, 2004 at 09:36:17PM -0500, John Thompson wrote:
> > Not on my FreeBSD machine:
> 
> I don't think it's Fedora specific -- it's in the spamd man page, and it
> doesn't look like there's any special patches to that effect in the package.
> 
> > Oct 18 21:27:30 amayatra spamd[51657]: info: setuid to root succeeded
> > Oct 18 21:27:30 amayatra spamd[51657]: Still running as root: user not
> > specified with -u, not found, or set to root.  Fall back to nobody.
> > ~                                               ^^^^^^^^^^^^^^^^^^^
> 

I had that problem on gentoo during setup, You need to configure the OPT
flags for spamasssin.

cat /etc/sysconfig/spamassassin 
# Options to spamd
# -d  = daemonize it
# -c  = create user preference files (this is usually in
$HOME/.spamassassin)
# -a  = Use Auto Whitelist
# -m5 = Allow maximum # of children
# -u  = Drop priviledges and run as this user
# -x  = Disable user config files. (This way, spamd won't complain about
permission issues)
SPAMDOPTIONS="-d -c -a -m5 -u spamd -x -L"

Note the "-u"


-- 
Ow Mun Heng
Fedora GNU/Linux Core 2 on D600 1.4Ghz CPU kernel
2.6.7-2.jul1-interactive 
Neuromancer 11:36:41 up 2:12, 8 users, load average: 1.23, 1.31, 1.33