On Wed, Dec 11, 2002 at 02:43:51PM -0800, Victor O'Rear wrote:
> OK, is there a tutorial so the ISP can enable user_rules without opening the
> security hole mentioned in the below?
> 
> Greetings,  I'm sorry, but upon further review of this we cannot turn on
> user_prefs.  From
> http://www.cts.wustl.edu/cts/help/Mail_SpamAssassin_Conf.html
> 
>   allow_user_rules { 0 | 1 } (default: 0)
>   This setting allows users to create rules (and only rules) in their
>   user_prefs files for use with spamd. It defaults to off, because this
>   could be a severe security hole. It may be possible for users to gain
>   root level access if spamd is run as root. It is NOT a good idea,
>   unless you have some other way of ensuring that users' tests are safe.
>   Don't use this unless you are certain you know what you are doing.
> 
> As you can see, it's a security hole.
I've thought about this, and it seems like it _might_ be acceptable
under certain circumstances. The perlre manpage (in perl 5.8) gives
conditions where /(?{ system ("do what I want") })/ would not work,
but I think we need to look more carefully at how to minimise the
security risk.

-- 
Duncan Findlay


_______________________________________________
Spamassassin-talk mailing list
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
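The perlre condition Duncan refers to, as an added example: this is not code from the thread or from SpamAssassin, and it makes no claim about how spamd actually compiles rules. The rule body is a constructed user_prefs regex, and the two subroutines are two generic ways a rule string can reach the Perl regex engine. perl refuses a (?{ }) code block only when the pattern is interpolated at run time (and only while `use re 'eval'` is absent from the lexical scope); a pattern spliced into source text that is then string-eval'd is a compile-time literal, so its code block runs with the privileges of the matching process.

```perl
#!/usr/bin/perl
# Added example (not SpamAssassin code): two ways a user-supplied regex
# string can reach the regex engine, and why only one of them is stopped
# by perlre's restriction on (?{ }) code blocks.
use strict;
use warnings;

# Constructed rule body, as a user might write it in user_prefs.  A real
# attack would put system("...") here; this one only bumps a counter so
# the demo is harmless.
our $executed = 0;
my $user_pattern = 'viagra(?{ $main::executed++ })';

# Path 1: interpolate the string into a pattern at run time.  perlre
# forbids (?{ }) and (??{ }) in a run-time interpolated pattern unless
# 'use re "eval"' is in lexical scope, so qr// dies with
# "Eval-group not allowed at runtime" and the rule is rejected.
sub compile_interpolated {
    my ($pat) = @_;
    my $re = eval { qr/$pat/ };
    return defined $re ? $re : "rejected: $@";
}

# Path 2: splice the string into Perl source and string-eval it.  The
# regex is now a literal inside the compiled code, so the restriction
# does not apply and the code block runs whenever the pattern is tried.
sub compile_via_string_eval {
    my ($pat) = @_;
    my $src = "sub { \$_[0] =~ /$pat/ }";
    my $sub = eval $src;
    die "compile failed: $@" unless $sub;
    return $sub;
}

my $r1 = compile_interpolated($user_pattern);
print "interpolated: ", (ref $r1 ? "compiled" : $r1), "\n";

my $matcher = compile_via_string_eval($user_pattern);
$matcher->("buy viagra now");
print "string-eval: code block ran $executed time(s)\n";
```

Run it as an unprivileged user; the code block only increments a counter, but system(...) in its place would run exactly the same way, as root if the matching process is root. The check that follows is that rule text must only ever reach the engine by run-time interpolation, with `use re 'eval'` kept out of that scope, and never by being pasted into code that is handed to eval; refusing any rule that matches /\(\?\??\{/ is reasonable defence in depth but not a substitute for that.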