On Mon, 2004-10-18 at 22:25 -0400, Matthew Miller wrote:
> When run as root, it can setuid to the user running spamc. So that's
> actually better.

No, it sets its user-id to the user supplied over an untrusted network connection. No authentication is attempted.

> Everyone on the local host. And that's who it's designed for; not sure this
> is a problem.

No, linux uses the 'weak end host' model and spamd is not given the -A option, so everyone who can send packages to 127.0.0.1 on any of the host's network interfaces can connect.

> > 1.2) trying to parse, lookup and impersonate an untrusted username
> how's that?

spamd runs as root while accepting and trying to read, parse, lookup and impersonate the user given over an untrusted network connection.

PROCESS SPAMC/1.3\r\nUser: thomasz\r\nContent-length: 5342\r\n\r\n

> > 1.3.1) using system resources
> as does anything the user runs. But if the daemon can switch userids, I
> presume you can then account this resource use to that user.

Possibly accounting the resources to the wrong user, see above.

> > 2) start spamd as user
> > 2.1) allowing everyone to connect
> > 2.2) trying to use the configuration of an untrusted user
> > 2.3) using system resources
> > 2.4) possibly executing external applications and accessing network
> > accounts
> Anyone can write a trivial little daemon to do this. You can do it with
> httpd, if you want. You can do it from the command line with 'nc', or you
> could use zsh shell builtins.

Sure, but in this case the user should be aware of what he is doing and the risks involved. spamd, on the other hand, is silently launched when the user clicks on 'Junk' in Ximian Evolution.

> > Binding to 127.0.0.1 is not secure as linux by default uses the 'weak
> > end host' model.
> Except Fedora, as Red Hat Linux before it, turns on source route
> verification by default. (Look at /etc/sysctl.conf.) So, it doesn't.

I doubt this can really prevent this type of attack but rather restrict them to the local network, but I would appreciate some insight.

Tom
--
T h o m a s   Z e h e t b a u e r   ( TZ251 )
PGP encrypted mail preferred - KeyID 96FFCB89
finger thomasz@xxxxxxxxxxxxxx for key

Press any key to continue or any other key to quit.
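The exchange above turns on one detail: spamd parses a SPAMC header of the form "PROCESS SPAMC/1.3\r\nUser: thomasz\r\nContent-length: 5342\r\n\r\n" from whoever connects and then switches to the named account. The following Python is an added illustration written for this thread; it is not spamd's or SpamAssassin's code. It parses that header shape, shows the "honour User: from any peer" behaviour the mail objects to beside a checked variant, and models two defensive rules the thread points at: a peer allowlist standing in for the -A option the mail says is not being passed, and a refusal to impersonate unknown or privileged accounts even when the peer passes. The request bytes, the account table (ACCOUNTS), the allowlist (ALLOWED_PEERS) and the function names are all constructed assumptions. Note that, per the mail's own argument, a peer-address check alone is not a strong boundary when the listener is reachable through the weak end host model, which is why the account rule is kept as a second, independent check.

```python
import ipaddress
import re

# Constructed sample request in the shape of the SPAMC header quoted in the mail.
SAMPLE_REQUEST = (
    b"PROCESS SPAMC/1.3\r\nUser: thomasz\r\nContent-length: 5342\r\n\r\n"
    b"<message body would follow here>"
)

# Constructed stand-in for the account database spamd would consult (name -> uid).
ACCOUNTS = {"root": 0, "daemon": 1, "thomasz": 1000}

# Hypothetical peer allowlist, playing the role of spamd's -A (allowed IPs) option.
ALLOWED_PEERS = [ipaddress.ip_network("127.0.0.1/32")]

# Conservative shape for a Unix login name; anything else is rejected before lookup.
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


def parse_spamc_header(raw):
    """Split a SPAMC request into request line, headers and body.

    Raises ValueError when the blank line ending the header is missing,
    when the request line is malformed, or when a header lacks a colon.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("header not terminated by blank line")
    lines = head.decode("ascii").split("\r\n")
    m = re.fullmatch(r"([A-Z]+) SPAMC/(\d+\.\d+)", lines[0])
    if m is None:
        raise ValueError("bad request line")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError("bad header line")
        headers[name.strip().lower()] = value.strip()
    return {"command": m.group(1), "version": m.group(2),
            "headers": headers, "body": body}


def naive_target_uid(raw):
    """The behaviour the mail criticises: whatever User: says is looked up
    and used, with no regard for who sent the request."""
    user = parse_spamc_header(raw)["headers"].get("user")
    return ACCOUNTS.get(user)  # uid to switch to, or None if unknown


def checked_target_uid(peer_ip, raw):
    """Return a uid to switch to, or None to refuse the request.

    Rule 1: the peer must be on the allowlist (the role of -A).
    Rule 2: the claimed name must be well formed, exist, and not be a
            system or root account, so a bad peer check alone cannot
            yield a privileged identity.
    """
    addr = ipaddress.ip_address(peer_ip)
    if not any(addr in net for net in ALLOWED_PEERS):
        return None
    req = parse_spamc_header(raw)
    user = req["headers"].get("user")
    if user is None or not USERNAME_RE.fullmatch(user):
        return None
    uid = ACCOUNTS.get(user)
    if uid is None or uid < 1000:  # assumption: regular accounts start at 1000
        return None
    return uid


if __name__ == "__main__":
    print("naive:", naive_target_uid(SAMPLE_REQUEST))
    print("checked, loopback peer:", checked_target_uid("127.0.0.1", SAMPLE_REQUEST))
    print("checked, remote peer:", checked_target_uid("192.0.2.7", SAMPLE_REQUEST))
```

Run stand-alone, the script prints 1000 for the naive path and the loopback peer, and None for the remote peer; swapping the User: value for root shows the naive path happily returning uid 0 while the checked path refuses.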