Hi all, long-time SpamAssassin user. I released an open-source web-based
training script for CPanel hosting users to train spam/ham based on
various configurations, and it's been very well received with a handful
of CPanel-based hosting groups that I've shown it to. Check out
http://iandouglas.com/page.php?3 if anyone's interested.

Introductions aside, I shut down my own hosting business in 2004 after 7
successful years, and now host a handful of domains with various
CPanel-based hosting groups. I found this wiki reference today after
searching around for how to let users write their own custom SA rules
within user_prefs:

http://wiki.apache.org/spamassassin/WritingRules

"Note: if you use spamd, rules placed in user_prefs will be IGNORED by
default. If you add the allow_user_rules option to your local.cf you can
get spamd to honor them. However, before you enable it, you should know
that this is disabled by default for security reasons. In theory a
malicious local user might be able to exploit spamd with a clever regex
and gain root permissions. I know of no specific vulnerabilities of this
type in spamassassin at this time, but it is a possibility. I'd only
turn this on if you trust your local users not to try to hack root."

I was curious whether the security implications as mentioned in the wiki
page referenced above have been addressed at all, and whether or not it
would be considered relatively 'safe' yet to let users write their own
SA rules within their user_prefs, or perhaps a compromise of listing the
individual users within the local.cf file instead of a global "let
everyone do it" setting?

Thanks for any thoughts,
-id
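
Added example, not part of the original post and not SpamAssassin project code: a small audit an administrator could run before deciding on allow_user_rules, listing which users already define rules in user_prefs and whether spamd currently honors them. The function names, the sample local.cf and the sample user_prefs contents are constructed for illustration, and the "later line overrides earlier" handling is an assumption.

```python
# Added example: function names and sample data are constructed for illustration.

# Directives that define tests. spamd skips these in user_prefs unless
# local.cf sets "allow_user_rules 1".
RULE_DIRECTIVES = {"header", "body", "rawbody", "uri", "full", "meta"}

def allow_user_rules_enabled(local_cf):
    """Effective allow_user_rules value: off by default; later lines override (assumed)."""
    enabled = False
    for line in local_cf.splitlines():
        parts = line.split("#", 1)[0].split()  # drop comments, then tokenize
        if len(parts) >= 2 and parts[0] == "allow_user_rules":
            enabled = parts[1] == "1"
    return enabled

def user_rule_lines(user_prefs):
    """Return (line_no, directive, rule_name) for every rule definition found."""
    found = []
    for no, line in enumerate(user_prefs.splitlines(), 1):
        parts = line.strip().split(None, 2)
        # Comment lines start with "#", so they never match a directive name.
        if len(parts) >= 2 and parts[0] in RULE_DIRECTIVES:
            found.append((no, parts[0], parts[1]))
    return found

def audit(local_cf, prefs_by_user):
    """Map each user who defines rules to those rules and whether spamd honors them."""
    honored = allow_user_rules_enabled(local_cf)
    report = {}
    for user, prefs in prefs_by_user.items():
        rules = user_rule_lines(prefs)
        if rules:
            report[user] = {"honored_by_spamd": honored, "rules": rules}
    return report

# Constructed sample input.
SAMPLE_LOCAL_CF = "required_score 5.0\n# allow_user_rules 1\nallow_user_rules 0\n"
SAMPLE_PREFS = {
    "alice": "required_score 4.0\nwhitelist_from friend@example.org\n",
    "bob": ("body LOCAL_DEMO /cheap pills/i\nscore LOCAL_DEMO 2.0\n"
            "header LOCAL_SUBJ Subject =~ /invoice/i\n"),
}

if __name__ == "__main__":
    for user, info in audit(SAMPLE_LOCAL_CF, SAMPLE_PREFS).items():
        state = "honored" if info["honored_by_spamd"] else "ignored"
        for no, directive, name in info["rules"]:
            print(f"{user}: line {no}: {directive} {name} ({state} by spamd)")
```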