Re: spamassassin a possible security risk?
From: Mike Burger (mburger_at_bubbanfriends.org)
Date: Tue, 19 Oct 2004 12:10:22 -0500 (EST) To: For users of Fedora Core releases <firstname.lastname@example.org>
On Tue, 19 Oct 2004, Thomas Zehetbauer wrote:
> On Mon, 2004-10-18 at 21:36 -0500, John Thompson wrote:
> > Not on my FreeBSD machine:
> > Oct 18 21:27:30 amayatra spamd: info: setuid to root succeeded
> > Oct 18 21:27:30 amayatra spamd: Still running as root: user not
> > specified with -u, not found, or set to root. Fall back to nobody.
> Looks like you are ignoring two important security recommendations:
> 1.) never work as root
> 2.) root get's no mail
Root could get mail, but that's not the important thing.
Spamd, itself, is not what's at issue in that message...it's actually
spamc, or another program that is connecting to spamd in the same way
For example, the citadel project (http://www.citadel.org) can and will
check incoming messages through a direct connection to spamd. However,
while the citserver process runs as user "bbs" (at least on my system),
the connection to spamd is reported, by spamd, as coming from root, and I
see exactly the same message as above.
I'm not aware of any actual security issues, however, from a spamc type
client connecting to spamd as 'root'.
-- Mike Burger http://www.bubbanfriends.org Visit the Dog Pound II BBS telnet://dogpound2.citadel.org or http://dogpound2.citadel.org To be notified of updates to the web site, visit http://www.bubbanfriends.org/mailman/listinfo/site-update, or send a message to: email@example.com with a message of: subscribe -- fedora-list mailing list firstname.lastname@example.org To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list