[Gllug] spamassassin question

Nix nix at esperi.org.uk
Sun May 4 19:30:46 UTC 2008


On 3 May 2008, Bruce Richardson uttered the following:
> You could "fix" this by running spamd as root but that makes your system
> significantly more insecure; any security vulnerability in spamd then
> becomes a root exploit.

Well, no. spamd *always* drops its permissions to the user receiving the
mail before beginning its check, so the only parts running as root are
the fork-scaling/child-management/connection-acceptance code, which do
not depend on user input.

You're still vulnerable to a perl bug causing state corruption such that
arbitrary code is executed when the spamd child switches back to root
ownership, but if you're concerned about that you can run spamd with
--max-conn-per-child=1, which will slow spamd down quite a lot but
ensure that only one connection is handled by a given spamd instance,
and that spamd instances never become root again once dropping
privileges.

-- 
`If you are having a "ua luea luea le ua le" kind of day, I can only
 assume that you are doing no work due [to] incapacitating nausea caused 
 by numerous lazy demons.' --- Frossie
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
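
An added example, not part of the original post and not SpamAssassin's own code: a C sketch of the general POSIX distinction the reply above turns on, between a temporary privilege drop (root can be taken back later in the same process) and a permanent one. The function names and the 65534 UID/GID are assumptions made for illustration.

```c
#define _DEFAULT_SOURCE          /* exposes setgroups() on glibc */
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Ignoring Linux capabilities: a process can become root again if any of
   its real, effective or saved UIDs is still 0. */
int can_regain_root(uid_t ruid, uid_t euid, uid_t suid) {
    return ruid == 0 || euid == 0 || suid == 0;
}

/* Drop to uid/gid in a forked child, then try seteuid(0).
   Returns 1 if root came back, 0 if it did not, -1 if the drop failed. */
int child_regains_root(int permanent, uid_t uid, gid_t gid) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        int failed;
        if (permanent)   /* as root, setgid/setuid replace real, effective and saved IDs */
            failed = setgroups(0, NULL) || setgid(gid) || setuid(uid);
        else             /* only the effective IDs change; the saved UID stays 0 */
            failed = setegid(gid) || seteuid(uid);
        if (failed) _exit(2);
        _exit(seteuid(0) == 0 ? 1 : 0);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 2 ? -1 : WEXITSTATUS(status);
}

int main(void) {
    const uid_t uid = 65534;  /* assumed unprivileged IDs ("nobody" on many systems) */
    const gid_t gid = 65534;
    if (geteuid() != 0) {
        puts("run as root to see the difference");
        return 0;
    }
    printf("temporary drop, root regained: %d\n", child_regains_root(0, uid, gid));
    printf("permanent drop, root regained: %d\n", child_regains_root(1, uid, gid));
    return 0;
}
```

Run as root, the temporary drop reports that root was regained and the permanent drop reports that it was not.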



