ian douglas wrote:
> > "Note: if you use spamd, rules placed in user_prefs will be IGNORED by
> > default. If you add the allow_user_rules option to your local.cf you
> > can get spamd to honor them. However, before you enable it, you should
> > know that this is disabled by default for security reasons. In theory
> > a malicious local user might be able to exploit spamd with a clever
> > regex and gain root permissions. I know of no specific vulnerabilities
> > of this type in spamassassin at this time, but it is a possibility.
> > I'd only turn this on if you trust your local users not to try to hack
> > root."
>
> I was curious whether the security implications as mentioned in the
> wiki page referenced above have been addressed at all, and whether or
> not it would be considered relatively 'safe' yet to let users write
> their own SA rules within their user_prefs, or perhaps a compromise of
> listing the individual users within the local.cf file instead of a
> global "let everyone do it" setting?

Realistically, it's pretty safe. I wrote that quite a long time ago (back in SA 2.43 days). I still know of no attack that would exploit this.
Really this isn't about a real or known threat, it's about the fact that it's difficult to secure regular expressions in all possible cases. Lots of evil tricks can be done to create a regex that winds up invoking a shell script, etc. This is simply an "extra blanket" of security against these kinds of attacks.

Over the years, spamd has also picked up an additional defense against this attack. It *never* scans mail while running as root, and if for some reason it is still running as root, it will setuid itself to nobody. You can't exploit spamd for root access through this vector unless it executes a poison regex while running as root.

I would still advise keeping it off if you have highly untrustworthy users (i.e. you're at defcon), especially if they have shell access too. However, if your users are just doing web configs, have no shell login, and aren't a particularly motley crew, you're probably safe enabling it.

In short: keeping it on offers you extra security, but there are other mechanisms in place.
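An added example, not from the post above or from SpamAssassin itself: a small POSIX shell check an admin could run to see whether a local.cf enables allow_user_rules and, given the account spamd scans mail as, what that means for the risk described here. The local.cf contents and the account name are constructed inputs passed in as arguments.

```shell
#!/bin/sh
# Added example (not SpamAssassin's own code): audit allow_user_rules in a
# local.cf and classify the exposure from user-supplied regexes.

# Constructed sample config files for offline use (assumption: same syntax as local.cf).
SAMPLE_ON=$(mktemp)
cat > "$SAMPLE_ON" <<'EOF'
# constructed local.cf: the commented line must be ignored, the live one counts
required_score 5.0
# allow_user_rules 0
allow_user_rules 1
EOF

SAMPLE_OFF=$(mktemp)
cat > "$SAMPLE_OFF" <<'EOF'
# constructed local.cf: option never set, so the default (0) applies
required_score 5.0
EOF

# Prints 1 if user rules are enabled, 0 otherwise. Comment lines are skipped and
# the last uncommented setting wins, matching how SA applies repeated options.
user_rules_setting() {
    val=$(sed -n 's/^[[:space:]]*allow_user_rules[[:space:]]\{1,\}\([01]\).*/\1/p' "$1" | tail -n 1)
    echo "${val:-0}"
}

# $1 = path to local.cf, $2 = account spamd scans mail as.
# Prints one word: off | confined | root
user_rules_risk() {
    if [ "$(user_rules_setting "$1")" != "1" ]; then
        echo off          # user_prefs rules are ignored (the default)
    elif [ "$2" = "root" ]; then
        echo root         # user regexes would run with root privileges
    else
        echo confined     # a poison regex is limited to the scanning account
    fi
}

# Stand-alone run: show the three outcomes for the constructed inputs.
for u in nobody root; do
    echo "allow_user_rules on, spamd as $u: $(user_rules_risk "$SAMPLE_ON" "$u")"
done
echo "allow_user_rules unset, spamd as nobody: $(user_rules_risk "$SAMPLE_OFF" nobody)"
```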