On Wed, 31 Dec 2003, Robert Menschel wrote:

> Check
> http://www.spamassassin.org/doc/Mail_SpamAssassin_Conf.html#privileged%20settings
> specifically the allow_user_rules setting. If you don't allow user_prefs
> rules, then no spamd/spamc execution will use them.
>
> DE> I thought perhaps spamc/spamd wasn't looking at my user_prefs, but
> DE> this doesn't seem to be the problem -- my whitelist and blacklist entries
> DE> still are working as always. The only flags to spamd are -d and -L,
> DE> so I don't see a problem there.
>
> user_prefs is referenced (when spamd/spamc is working properly) for score
> adjustments, parameter settings (bayes on/off), blacklists, and
> whitelists. Rules defined in user_prefs are ignored, however, unless
> a) allow_user_rules is turned on, or
> b) you run SA directly as that user, not through spamd/spamc

I understand now. I missed the distinction between the global and privileged settings.

It's a shame that user rules are disabled for security reasons, but as long as there are the eval: rules or rules that permit arbitrary expressions, there's a potential security hole.

Would this hole go away if just these rules were prohibited in the user_prefs file? Could the allow_user_rules option be augmented with an option to allow only user rules that have a particular form (i.e. no eval rules, and no rules with arbitrary expressions)? I can get by with just ordinary regular expressions.

Thanks,
-Dan
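The distinction discussed in this thread, as an added example that is not part of the original messages and is not SpamAssassin code: a small auditor that reports which user_prefs lines spamd would act on with allow_user_rules off or on, plus the restricted mode asked about above. The rule keyword list, the `plain_only` mode, the treatment of every non-rule line as an ordinary setting, and the sample file are assumptions made for illustration.

```python
import re

# Assumption: keywords that introduce a rule definition in a SpamAssassin config.
RULE_KEYWORDS = {"header", "body", "rawbody", "uri", "full", "meta"}
# Perl regex constructs that embed code, so not "ordinary" regular expressions.
CODE_IN_REGEX = re.compile(r"\(\?\??\{")

# Constructed sample user_prefs (not taken from the thread).
SAMPLE = """\
# personal settings
use_bayes 1
whitelist_from friend@example.org
score MY_PILLS 3.0
header MY_PILLS Subject =~ /cheap pills/i
body MY_EVAL eval:hypothetical_check()
meta MY_META (MY_PILLS && MY_EVAL)
body MY_CODE /x(?{ 1 })/
"""

def classify(line):
    """Return 'skip', 'setting', 'plain_rule' or 'expr_rule' for one line."""
    text = line.strip()
    if not text or text.startswith("#"):
        return "skip"
    parts = text.split(None, 2)
    if parts[0] not in RULE_KEYWORDS:
        return "setting"  # simplification: any non-rule line is a setting
    definition = parts[2] if len(parts) > 2 else ""
    # eval: rules, meta expressions and code-bearing regexes are not plain.
    if (parts[0] == "meta" or definition.startswith("eval:")
            or CODE_IN_REGEX.search(definition)):
        return "expr_rule"
    return "plain_rule"

def effective_lines(prefs, mode="off"):
    """Line numbers that take effect under spamd for the given policy.

    'off' and 'on' mirror allow_user_rules 0 and 1 as described in the
    thread; 'plain_only' is the hypothetical option proposed in the reply.
    """
    allowed = {"off": {"setting"},
               "on": {"setting", "plain_rule", "expr_rule"},
               "plain_only": {"setting", "plain_rule"}}[mode]
    return [n for n, line in enumerate(prefs.splitlines(), 1)
            if classify(line) in allowed]

if __name__ == "__main__":
    for mode in ("off", "on", "plain_only"):
        print(mode, effective_lines(SAMPLE, mode))
```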