Although I know of no exploit at the moment I find it quite risky that
Fedora currently comes configured to
1) run spamd as root
1.1) allowing everyone to connect
1.2) trying to parse, lookup and impersonate an untrusted username
1.3) scanning e-mail messages on behalf of that user
1.3.1) using system resources
1.3.2) possibly executing external applications and accessing network
accounts
2) start spamd as user
2.1) allowing everyone to connect
2.2) trying to use the configuration of an untrusted user
2.3) using system resources
2.4) possibly executing external applications and accessing network
accounts
Binding to 127.0.0.1 is not secure as linux by default uses the 'weak
end host' model.
Evolution can be configured to not start/use spamd/spamc but this must
be changed using gconf-edit (/apps/evolution/mail/junk/sa/use_daemon).
Tom
--
T h o m a s Z e h e t b a u e r ( TZ251 )
PGP encrypted mail preferred - KeyID 96FFCB89
finger thomasz@xxxxxxxxxxxxxx for key
Prohibiting cryptography to prevent terrorism is as meaningful as
...prohibiting mumming to prevent bank robbery!
Attachment:
signature.asc
Description: This is a digitally signed message part
