spamassassin a possible security risk?

Matthew Miller mattdm at mattdm.org
Tue Oct 19 15:56:20 UTC 2004


On Tue, Oct 19, 2004 at 02:40:39PM +0200, Thomas Zehetbauer wrote:
> > When run as root, it can setuid to the user running spamc. So that's
> > actually better.
> No, it sets its user-id to the user supplied over an untrusted network
> connection. No authentication is attempted.

Hmmm, good point. The documentation says "the user running spamc", but
you're right, that's not strictly true. This really should be clarified in
the spamassassin documentation.

spamd *does* have the option to use ident, though, which would be
significantly better. (Since it *is* only bound to localhost, one would hope
one can trust the identd on the local machine.) However, this requires a
command line option that the Fedora package doesn't appear to use, and more
importantly, it requires the Net::Ident perl module, and perhaps even more
importantly, it requires the identd to tell the truth, at least to daemons
running locally.

I think there's a pretty good argument that the FC spamassassin package
should be changed to use this; filed as bug #136367.

<https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=136367>

> > Everyone on the local host. And that's who it's designed for; not sure
> > this is a problem.
> No, linux uses the 'weak end host' model and spamd is not given the -A
> option so everyone who can send packages to 127.0.0.1 on any of the
> host's network interfaces can connect.

See below.


> > > Binding to 127.0.0.1 is not secure as linux by default uses the 'weak
> > > end host' model.
> > Except Fedora, as Red Hat Linux before it, turns on source route
> > verification by default. (Look at /etc/sysctl.conf.) So, it doesn't.
> I doubt this can really prevent this type of attack but rather restrict
> them to the local network but I would appreciate some insight.

Source route verification means that packets are discarded if they don't
arrive via the expected interface -- in other words, Linux isn't restricted
to the "weak end host" model, and Fedora doesn't use it.

I understand that there is a problem, but it *is* constrained to localhost.

-- 
Matthew Miller           mattdm at mattdm.org        <http://www.mattdm.org/>
Boston University Linux      ------>                <http://linux.bu.edu/>
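
An added example, not part of the original message: a shell check for the source route verification (rp_filter) setting referred to above, listing interfaces that are not in strict mode. The kernel applies the higher of conf/all/rp_filter and the per-interface value (0 = off, 1 = strict, 2 = loose); the CONF_ROOT variable and the function names are assumptions of this example.

```shell
# Directory holding the per-interface IPv4 settings. CONF_ROOT is an
# assumption of this example so the check can also be pointed at a copy
# of the tree; by default it reads the live kernel values.
CONF_ROOT="${CONF_ROOT:-/proc/sys/net/ipv4/conf}"

# read_mode FILE: print the value stored in FILE, or 0 if it cannot be read.
read_mode() {
    cat "$1" 2>/dev/null || echo 0
}

# effective_rp_filter IFACE: print the mode the kernel applies to IFACE,
# which is the larger of the "all" value and the interface's own value.
effective_rp_filter() {
    rp_all=$(read_mode "$CONF_ROOT/all/rp_filter")
    rp_if=$(read_mode "$CONF_ROOT/$1/rp_filter")
    if [ "$rp_all" -gt "$rp_if" ]; then echo "$rp_all"; else echo "$rp_if"; fi
}

# unfiltered_interfaces: print one line per interface whose effective mode
# is not strict (1). "all" and "default" are pseudo-entries, and loopback
# is skipped because it is not a network-facing interface.
unfiltered_interfaces() {
    for dir in "$CONF_ROOT"/*/; do
        [ -d "$dir" ] || continue
        name=$(basename "$dir")
        case "$name" in all|default|lo) continue ;; esac
        mode=$(effective_rp_filter "$name")
        [ "$mode" -eq 1 ] || echo "$name (rp_filter=$mode)"
    done
}
```

Source the file and run unfiltered_interfaces; empty output means every non-loopback interface is in strict mode.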
