On 4/10/2011 8:33 PM, jeremy.als...@imap-mail.com wrote:
Hello.
I'm plugging along on content filtering for Postfix.
I decided to have Postfix use 'spampd', the Spamassassin Proxy Daemon,
instead of 'spamd', and to set up ClamAV as a SpamAssassin plugin.
I read that it's pretty easy to open up some nasty holes in your
security if you get users & permissions wrong. I'm not sure what the
right mix is to avoid that.
If Postfix is running as user 'postfix', what user & group should spamd
& clamd be set to run as? It looks like my options are any of 'root',
'nobody', 'postfix', or something unique to both Daemons like 'spam' and
'clam'.
I'm able to get mail moving around using different combinations, but
really can't figure out what the safest combination is.
Any pointers to share?
Jeremy Alsten
It's not that there's a magic formula, but ideally you just want to
apply the principle of Least Privilege and reason it out from there.
UIDs/GIDs need to be shared only if directories and/or files (including
'special' files such as named pipes and sockets) are shared.
In some cases, plain old information that is not sensitive at all, that
needs to be accessible read-only to whomever, may be left
world-readable. This applies for example to local postfix documentation.
Any system configuration of any kind is arguably sensitive.
In the case of spamd (not familiar with spampd but I'm assuming it's
similar), no files are shared with Postfix*. So running spamc/spamd
under user 'postfix' would grant 'spamc'/'spamd' excess privilege. The
postfix filter forwards via an anonymous pipe the data to the spamc
process, which, since it's running as user 'spam' (in my case), has
privileges to write to the "spamd.sock" special file. 'spamd', also
running under user 'spam' has of course read privileges and picks up the
data from the socket special file and processes it further, re-injecting
it to the postfix delivery agent as necessary. Again this happens via
standard anonymous pipes so no user/group privileges need be in common.
I can't comment on clamav, but look carefully at its architecture and
reason it out the same way.
*one could argue that if spamd is configured to consult the same SQL
backend as Postfix in order to customize its treatment of individual
users, there is some database-level sharing in principle, but I write
that more for legalistic completeness.
-Daniel
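The wiring Daniel describes, written out as an added example (not code from either poster): Postfix's pipe(8) runs spamc as the dedicated 'spam' account, spamd owns a Unix socket that only 'spam' can write to, and a small audit function checks that 'postfix' cannot reach that socket. Assumed names are the socket path /var/run/spamd.sock and the account names spam and postfix; the Postfix master.cf attributes and the spamd/spamc options are the documented ones, and the live audit assumes GNU coreutils stat. Run it with no argument to print the config, or with `audit` on the mail host.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed socket path and account names:
SPAMD_SOCK=${SPAMD_SOCK:-/var/run/spamd.sock}
SPAM_USER=${SPAM_USER:-spam}

# master.cf entries: smtpd hands mail to the 'spamassassin' transport, and
# pipe(8) runs spamc as user 'spam' (not 'postfix'), feeding the message via
# an anonymous pipe on stdin. spamc reaches spamd over the Unix socket and
# hands the scanned result to sendmail -oi for re-injection.
master_cf_entries() {
    cat <<EOF
smtp      inet  n       -       n       -       -       smtpd
  -o content_filter=spamassassin:dummy
spamassassin unix -     n       n       -       -       pipe
  user=$SPAM_USER argv=/usr/bin/spamc -U $SPAMD_SOCK -e /usr/sbin/sendmail -oi -f \${sender} \${recipient}
EOF
}

# spamd is started by root so it can drop to 'spam' and chown the socket;
# mode 0660 means only uid/gid 'spam' can connect, so no privilege is
# shared with the 'postfix' account.
spamd_command() {
    printf 'spamd --username=%s --groupname=%s --socketpath=%s --socketowner=%s --socketgroup=%s --socketmode=0660 --daemonize\n' \
        "$SPAM_USER" "$SPAM_USER" "$SPAMD_SOCK" "$SPAM_USER" "$SPAM_USER"
}

# can_write OWNER GROUP MODE USER "GROUP1 GROUP2 ...": standard Unix rule,
# owner bits if USER owns the file, else group bits if USER is in GROUP,
# else other bits; root always wins. Returns 0 when USER may write.
can_write() {
    owner=$1; group=$2; mode=$3; user=$4; ugroups=$5
    perm=${mode#"${mode%???}"}          # keep the last three octal digits
    [ "$user" = root ] && return 0
    if [ "$user" = "$owner" ]; then
        bits=${perm%??}
    else
        ingroup=1
        for g in $ugroups; do
            [ "$g" = "$group" ] && ingroup=0
        done
        if [ "$ingroup" -eq 0 ]; then
            bits=${perm#?}; bits=${bits%?}
        else
            bits=${perm#??}
        fi
    fi
    [ $(( $bits & 2 )) -ne 0 ]
}

# audit_socket PATH: on the live host, flag the socket if the 'postfix'
# account (with its supplementary groups) could write to it, i.e. if the
# daemons share privilege they have no reason to share.
audit_socket() {
    sock=$1
    [ -S "$sock" ] || { echo "no socket at $sock"; return 1; }
    set -- $(stat -c '%U %G %a' "$sock")     # GNU coreutils assumed
    pf_groups=$(id -Gn postfix 2>/dev/null)
    if can_write "$1" "$2" "$3" postfix "$pf_groups"; then
        echo "WARN: $sock ($1:$2 $3) is writable by postfix: excess privilege"
        return 1
    fi
    echo "ok: $sock ($1:$2 $3) is reachable only by $1 / group $2"
}

case ${1:-show} in
    show)  master_cf_entries; echo; spamd_command ;;
    audit) audit_socket "$SPAMD_SOCK" ;;
esac
```

The check is the same reasoning as the reply: a world-writable socket (0666) or a 'postfix' account that is a member of group 'spam' both let the filter's front end talk to spamd, and both are exactly the shared privilege the thread says to avoid.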