On Wed, Dec 11, 2002 at 02:43:51PM -0800, Victor O'Rear wrote:
> OK, is there a tutorial so the ISP can enable user_rules without opening the
> security hole mentioned in the below?
>
> Greetings, I'm sorry, but upon further review of this we cannot turn on
> user_prefs. From
> http://www.cts.wustl.edu/cts/help/Mail_SpamAssassin_Conf.html
> allow_user_rules { 0 | 1 } (default: 0) This setting allows users to create
> rules (and only rules) in their user_prefs files for use with spamd. It
> defaults to off, because this could be a severe security hole. It may be
> possible for users to gain root level access if spamd is run as root. It is
> NOT a good idea, unless you have some other way of ensuring that users'
> tests are safe. Don't use this unless you are certain you know what you are
> doing. As you can see, it's a security hole.

I've thought about this, and it seems like it _might_ be acceptable under
certain circumstances. The perlre manpage (in perl 5.8) gives conditions
where /(?{ system ("do what I want") })/ would not work, but I think we need
to look more carefully at how to minimise the security risk.

-- 
Duncan Findlay

_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
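
The condition from perlre that the reply refers to, shown as an added example (not code from this thread or from SpamAssassin): perl refuses `(?{ })` and `(??{ })` in a pattern that arrives by run-time interpolation unless `use re 'eval'` is in scope, but not when the same text is pasted into source that is string-eval'd. The function names and sample patterns are hypothetical, and nothing here asserts which path spamd uses for user rules.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample patterns standing in for user-supplied rule regexes.
# The code blocks are harmless: one sets a flag, one returns a fixed string.
our $ran = 0;
my @samples = (
    'cheap\s+meds',
    'free(?{ $main::ran = 1 })money',
    'a(??{ "b" })c',
);

# Path 1: the pattern text reaches the regex engine by run-time interpolation.
# With no "use re 'eval'" in scope, perl dies on (?{ }) and (??{ }) here.
sub compile_interpolated {
    my ($src) = @_;
    my $re = eval { qr/$src/ };
    return $re;    # undef when perl refused the pattern
}

# Path 2: the pattern text is pasted into Perl source that is string-eval'd.
# The pattern is then a literal, so the run-time restriction does not apply.
sub compile_as_source {
    my ($src) = @_;
    my $re = eval "qr/$src/";
    return $re;
}

# Conservative pre-filter that does not depend on the compile path: reject
# any text containing a code-block opener, accepting false positives.
sub has_code_block {
    my ($src) = @_;
    return $src =~ /\(\?\??\{/ ? 1 : 0;
}

for my $src (@samples) {
    printf "%-34s interpolated=%-8s as_source=%-8s filter=%s\n",
        $src,
        defined(compile_interpolated($src)) ? 'compiled' : 'refused',
        defined(compile_as_source($src))    ? 'compiled' : 'refused',
        has_code_block($src)                ? 'reject'   : 'ok';
}
```

The pre-filter only covers embedded code blocks; it is not a full check that a user rule is safe to load.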