On Thu, 23 May 2002, Craig R Hughes wrote:

> If you're using spamd, you can't put rules in user_prefs, for security reasons,
> unless you turn on the option which lets you do that. But the option creates
> security holes. You can, however, put extra rules in
> /etc/mail/spamassassin/local.cf and they will be used for everyone.
>
> Be sure to restart spamd after making any changes in local.cf

Hello,

I have my user_prefs in a sql database. The whitelist_from, blacklist_from, etc. options are working fine. Since we are using a sql database for the user preferences only accessible to admins, I'm experimenting with rules in sql based user_prefs using allow_user_rules 1 in local.cf

Question1: If one trusts that entry of rules into the database is controlled, and thus eval statements and regexes, etc. cannot be inserted, is there still a security issue using this approach that I haven't considered?

Question2: I have read in the SQL readme:

"Note that this will NOT look for test rules, only local scores, whitelist_from(s), required_hits, and auto_report_threshold."

however doing a little debugging and setting allow_user_rules =1 seems to indicate that it is picking up the preferences as if it were a text based userfile. Is the README still up to date in that the following will not work or is there a problem with the implementation?

allow_user_rules set to 1 in local.cf

select * from userpref where username='user';

username|preference| value                              |
--------------------------------------------------------------
| user   | describe | BODY_HAS_THIS_TEXT has alpha gamma |
| user   | rawbody  | BODY_HAS_THIS_TEXT /alpha gamma/i  |
| user   | score    | BODY_HAS_THIS_TEXT 50.0            |

To see if it was picking it up I added a debug statement in Conf.pm

    if (/^rawbody\s+(\S+)\s+(.*)$/) {
      dbg("rawbody test: $1 $2 $type_rawbody_tests");
      $self->add_test ($1, $2, $type_rawbody_tests);
      next;
    }

debug: retrieving prefs for user from SQL server
debug: rawbody test: BODY_HAS_THIS_TEXT /alpha gamma/ 107 <---
debug: running header regexp tests; score so far=0
debug: running body-text per-line regexp tests; score so far=0
debug: running uri tests; score so far=0
debug: running raw-body-text per-line regexp tests; score so far=0.0
debug: running full-text regexp tests; score so far=0.0

It seems to pick up the simple regex from the sql database, however it doesn't seem to score the text in the body of 'alpha gamma'

Is this just still not implemented for sql based userprefs or is there an error in the implementation?

Thanks for any help in advance.
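
An added example, not part of the original message and not SpamAssassin code: one way an admin relying on controlled database entry (Question1) could audit the userpref rows and list every row that defines a test, separating plain /regex/ rules from eval: tests. It assumes the three-column layout shown in the message; the keyword sets, the function name and the last three sample rows are assumptions made for illustration, and header rows are not parsed and are simply reported as not allow-listed.

```python
import re

# Assumption: keywords that define a pattern test. "rawbody" is from the message;
# "body", "full" and "uri" are the other SpamAssassin pattern-rule types.
PATTERN_RULES = {"body", "rawbody", "full", "uri"}
# Rows that only tune or label tests, or are the settings the README lists.
SETTINGS = {"score", "describe", "whitelist_from", "blacklist_from",
            "required_hits", "auto_report_threshold"}

NAME_AND_TEST = re.compile(r"^(\S+)\s+(.+)$")
# A bare /regex/ with optional flags; escaped characters inside are allowed.
PLAIN_REGEX = re.compile(r"^/(?:[^/\\]|\\.)*/[a-z]*$")

def audit_userprefs(rows):
    """Return (username, preference, rule_name, verdict) for every non-setting row."""
    findings = []
    for username, preference, value in rows:
        pref = preference.strip().lower()
        if pref in SETTINGS:
            continue
        if pref not in PATTERN_RULES:
            findings.append((username, pref, None, "not-allow-listed"))
            continue
        parsed = NAME_AND_TEST.match(value.strip())
        if parsed is None:
            findings.append((username, pref, None, "malformed"))
            continue
        name, test = parsed.groups()
        if test.startswith("eval:"):
            verdict = "eval"          # calls code instead of matching text
        elif PLAIN_REGEX.match(test):
            verdict = "regex-rule"    # a user-defined pattern test
        else:
            verdict = "review"        # neither form; needs a human look
        findings.append((username, pref, name, verdict))
    return findings

# First three rows are the ones shown in the message; the rest are constructed.
SAMPLE_ROWS = [
    ("user", "describe", "BODY_HAS_THIS_TEXT has alpha gamma"),
    ("user", "rawbody", "BODY_HAS_THIS_TEXT /alpha gamma/i"),
    ("user", "score", "BODY_HAS_THIS_TEXT 50.0"),
    ("user2", "body", "LOCAL_CHECK eval:some_check()"),
    ("user2", "full", "BROKEN"),
    ("user2", "some_other_option", "1"),
]

if __name__ == "__main__":
    for finding in audit_userprefs(SAMPLE_ROWS):
        print(finding)
```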