On Wed, 31 Dec 2003, Robert Menschel wrote:

> Check
> http://www.spamassassin.org/doc/Mail_SpamAssassin_Conf.html#privileged%20settings
> specifically the allow_user_rules setting. If you don't allow user_prefs
> rules, then no spamd/spamc execution will use them.
>
> DE> I thought perhaps spamc/spamd wasn't looking at my user_prefs, but
> DE> this doesn't seem to be the problem -- my whitelist and blacklist entries
> DE> still are working as always.  The only flags to spamd are -d and -L,
> DE> so I don't see a problem there.
>
> user_prefs is referenced (when spamd/spamc is working properly) for score
> adjustments, parameter settings (bayes on/off), blacklists, and
> whitelists. Rules defined in user_prefs are ignored, however, unless
> a) allow_user_rules is turned on, or
> b) you run SA directly as that user, not through spamd/spamc

I understand now.  I missed the distinction between the global and
privileged settings.

It's a shame that user rules are disabled for security reasons, but as
long as there are the eval:  rules or rules that permit arbitrary
expressions, there's a potential security hole.

Would this hole go away if just these rules were prohibited in the
user_prefs file?  Could the allow_user_rules option be augmented with
an option to allow only user rules that have a particular form (i.e.
no eval rules, and no rules with arbitrary expressions)?   I can get
by with just ordinary regular expressions.

Thanks,
        -Dan
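
The split described in this thread, sketched as an added example (not part of the original messages and not SpamAssassin's own code): a small audit of a user_prefs file showing which lines spamd would honor and which rule definitions it would ignore unless allow_user_rules is on. The directive list is an assumed subset, the sample file is constructed, and `check_example` is a hypothetical eval function name.

```python
import re

# Assumption: a subset of SpamAssassin's rule-defining directives.
RULE_DIRECTIVES = {"header", "body", "rawbody", "uri", "full", "meta"}

def audit_user_prefs(text, allow_user_rules=False):
    """Return (lineno, directive, kind, honored) for each non-empty line,
    modelling spamd/spamc use as described in the thread: preferences
    (scores, whitelists, bayes on/off) always apply, rule definitions
    only when allow_user_rules is enabled."""
    report = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        # Simplified comment handling: drop an unescaped '#' and what follows.
        line = re.sub(r"(?<!\\)#.*$", "", raw).strip()
        if not line:
            continue
        parts = line.split(None, 2)
        directive = parts[0]
        if directive not in RULE_DIRECTIVES:
            report.append((lineno, directive, "preference", True))
            continue
        # Rule lines look like: <directive> <NAME> <test>; an eval test
        # starts with "eval:", which is the form the thread calls risky.
        is_eval = len(parts) == 3 and parts[2].startswith("eval:")
        kind = "eval-rule" if is_eval else "rule"
        report.append((lineno, directive, kind, allow_user_rules))
    return report

# Constructed sample user_prefs content.
SAMPLE = """\
score LOCAL_PILLS 2.0
whitelist_from friend@example.com
use_bayes 1
body LOCAL_PILLS /cheap pills/i   # plain regular expression rule
header LOCAL_CHECK eval:check_example()
"""

if __name__ == "__main__":
    for allow in (False, True):
        print(f"allow_user_rules = {int(allow)}")
        for lineno, directive, kind, honored in audit_user_prefs(SAMPLE, allow):
            state = "honored" if honored else "ignored"
            print(f"  line {lineno}: {directive:<15} {kind:<10} {state}")
```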


