David Morton wrote: > Matt Kettler wrote: > > >>> Also, make sure that /var/.spamassassin has world rwx privileges. > >>> > >>> > >> Doesn't this create a potential or real giant type security risk? > > Well, regardless, the current user SA is running as has to be able to > > read and write to the bayes DB. It has to write to the journal publish > > atime updates at the very least. It will also want to be able to perform > > autolearning, journal sync, and oportunistic expiry, unless you've > > disabled those. > > > Without that, bayes cannot function. > > > Does it have a security risk? Yes, there's the possibility of someone > > exploiting it for local-user privilege escalation. AFAIK, SA's bayes > > code is very careful about how it accesses files to mitigate this risk, > > but there's always room for mistakes. > > The point is that no one should be writing directly to /var/ like > that, by most > filesystem standards it should be /var/*something*/.spamassassin, maybe > /var/lib/spamassassin, or /var/spool/spamassassin/ or since the user > bound as > user "elizabeth", maybe /home/elizabeth ?? but /var is not right. > > Erm, you do realize .spamassassin is a DIRECTORY, not a file, right?
How is /var/*something*/.spamassassin/bayes_toks different from /var/.spamassassin/bayes_toks? I'd agree with you on style points, but from a security perspective there's no difference.
