[Bug 1442087] Re: don't run as root by default
Tim Kuijsten
1442087 at bugs.launchpad.net
Mon Apr 13 11:29:43 UTC 2015
This user switching is for reading per-user configurations only and I
think can be mitigated by making the per-user config world readable.

Furthermore from the README.spamd.gz you've mentioned "If a fault is
found in spamd or spamassassin code, any third party linked-libraries or
imported perl modules there is the potential for abuse of both the
running uid of spamd, and the uid of the username supplied by spamc (and
this could be any user)."

I'm not sure how many LOC but there is quite a slew of extra code with
all the plugins that ship with SA. I question if all this code is
maintained with the same attention and security awareness as other parts
of the mail stack. I know all other parts are not executed as root. Of
course statistics wouldn't have hurt ;-).
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to spamassassin in Ubuntu.
https://bugs.launchpad.net/bugs/1442087
Title:
don't run as root by default
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/spamassassin/+bug/1442087/+subscriptions