On Tue, Oct 19, 2004 at 02:40:39PM +0200, Thomas Zehetbauer wrote: > > When run as root, it can setuid to the user running spamc. So that's > > actually better. > No, it sets it's user-id to the user supplied over an untrusted network > connection. No authentication is attempted. Hmmm, good point. The documentation says "the user running spamc", but you're right, that's not strictly true. This really should be clarified in the spamassassin documentation. spamd *does* have the option to use ident, though, which would be sigificantly better. (Since it *is* only bound to localhost, one would hope one can trust the identd on the local machine.) However, this requires a command line option that the Fedora package doesn't appear to use, and more importantly, it requires the Net::Ident perl module, and perhaps even more importantly, it requires the identd to tell the truth, at least to daemons running locally. I think there's a pretty good argument that the FC spamassassin package should be changed to use this; filed as bug #136367. <https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=136367> > > Everyone on the local host. And that's who it's designed for; not sure > > this is a problem. > No, linux uses the 'weak end host' model and spamd is not given the -A > option so everyone who can send packages to 127.0.0.1 on any of the > hosts network interfaces can connect. See below. > > > Binding to 127.0.0.1 is not secure as linux by default uses the 'weak > > > end host' model. > > Except Fedora, as Red Hat Linux before it, turns on source route > > verification by default. (Look at /etc/sysctl.conf.) So, it doesn't. > I doubt this can really prevent this type of attack but rather restrict > them to the local network but I would appreciate some insight. Source route verification means that packets are discarded if they don't arrive via the expected interface -- in other words, Linux isn't restricted to the "weak end host" model, and Fedora doesn't use it. I understand that there is a problem, but it *is* constrained to localhost. -- Matthew Miller mattdm@xxxxxxxxxx <http://www.mattdm.org/> Boston University Linux ------> <http://linux.bu.edu/>
