On Tue, Oct 19, 2004 at 03:42:16AM +0200, Thomas Zehetbauer wrote:
> Although I know of no exploit at the moment I find it quite risky that
> Fedora currently comes configured to
> 1) run spamd as root

When run as root, it can setuid to the user running spamc. So that's
actually better.

> 1.1) allowing everyone to connect

Everyone on the local host. And that's who it's designed for; not sure
this is a problem.

> 1.2) trying to parse, lookup and impersonate an untrusted username

How's that?

> 1.3) scanning e-mail messages on behalf of that user

Right.... that's what it does....

> 1.3.1) using system resources

As does anything the user runs. But if the daemon can switch userids, I
presume you can then account this resource use to that user.

> 1.3.2) possibly executing external applications and accessing network
> accounts

Depending on the configuration, yeah. Although what it does on the network
is somewhat limited, and presumably reasonably checked for security.
Tricking spamassassin into doing something Bad on the network seems like a
valid concern, though.

> 2) start spamd as user
> 2.1) allowing everyone to connect
> 2.2) trying to use the configuration of an untrusted user
> 2.3) using system resources
> 2.4) possibly executing external applications and accessing network
> accounts

Anyone can write a trivial little daemon to do this. You can do it with
httpd, if you want. You can do it from the command line with 'nc', or you
could use zsh shell builtins.

> Binding to 127.0.0.1 is not secure as linux by default uses the 'weak
> end host' model.

Except Fedora, as Red Hat Linux before it, turns on source route
verification by default. (Look at /etc/sysctl.conf.) So, it doesn't.

-- 
Matthew Miller           mattdm@xxxxxxxxxx        <http://www.mattdm.org/>
Boston University Linux      ------>                <http://linux.bu.edu/>
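The two hardening points raised in this exchange (spamd bound to 127.0.0.1, and reverse-path / source-route verification turned on in /etc/sysctl.conf) can be checked from a configuration snapshot. The following is an added example, not code from the thread or from the SpamAssassin project: it parses a constructed sysctl.conf fragment (last assignment wins, comments ignored, as sysctl itself applies them) and a constructed SPAMDOPTIONS string, and reports whether both conditions hold. The spamd flags `-i/--listen-ip` and `-A/--allowed-ips` are taken from the spamd man page; the sysctl key names are the standard Linux ones. Everything else (file contents, function names) is assumed for the demonstration.

```shell
#!/bin/sh
# Constructed sample of an /etc/sysctl.conf fragment (not Fedora's actual file).
SAMPLE_SYSCTL='# Kernel sysctl configuration (constructed sample)
net.ipv4.ip_forward = 0
# Controls source route verification
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
'

# Constructed sample of the SPAMDOPTIONS line from /etc/sysconfig/spamassassin.
SAMPLE_SPAMDOPTIONS='-d -c -m5 -H -i 127.0.0.1'

# sysctl_value <key> <config text>
# Prints the effective value of <key>: comment lines are skipped and the
# last assignment wins, which mirrors how sysctl -p applies the file.
sysctl_value() {
  printf '%s\n' "$2" | awk -v key="$1" -F'=' '
    /^[[:space:]]*[#;]/ { next }
    {
      k = $1; v = $2
      gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
      gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
      if (k == key) last = v
    }
    END { print last }'
}

# rp_filter_enabled <config text>
# Succeeds when reverse-path filtering (the "source route verification"
# the reply refers to) is switched on for new interfaces.
rp_filter_enabled() {
  [ "$(sysctl_value net.ipv4.conf.default.rp_filter "$1")" = "1" ]
}

# spamd_loopback_only <spamd option string>
# Succeeds when spamd is pinned to 127.0.0.1 via -i/--listen-ip and no
# -A/--allowed-ips entry widens access beyond the loopback address.
spamd_loopback_only() {
  set -- $1
  listen=""; allowed=""
  while [ $# -gt 0 ]; do
    case "$1" in
      -i|--listen-ip)   listen="$2"; shift ;;
      --listen-ip=*)    listen="${1#*=}" ;;
      -A|--allowed-ips) allowed="$2"; shift ;;
      --allowed-ips=*)  allowed="${1#*=}" ;;
    esac
    shift
  done
  [ "$listen" = "127.0.0.1" ] && { [ -z "$allowed" ] || [ "$allowed" = "127.0.0.1" ]; }
}

# report <config text> <spamd option string>
# Prints one line per check so the result can be read at a glance.
report() {
  if rp_filter_enabled "$1"; then echo "rp_filter: on"; else echo "rp_filter: OFF"; fi
  if spamd_loopback_only "$2"; then echo "spamd: loopback only"; else echo "spamd: NOT restricted to loopback"; fi
}

report "$SAMPLE_SYSCTL" "$SAMPLE_SPAMDOPTIONS"
```

Run it as-is to see the constructed sample pass both checks; on a real host, feed it `$(cat /etc/sysctl.conf)` and the SPAMDOPTIONS value from /etc/sysconfig/spamassassin instead. Note that rp_filter only covers the weak-end-host concern for packets whose source address fails the reverse-path check; a service listening on 127.0.0.1 still accepts connections from every local user, which is exactly the point the reply makes.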