Debian Bug report logs - #486914
Default: spamd runs as root (uid/gid 0)


Package: spamassassin; Maintainer for spamassassin is Noah Meyerhans <noahm@debian.org>; Source for spamassassin is src:spamassassin.

Reported by: Jan Luehr <jluehr@gmx.net>

Date: Wed, 18 Jun 2008 22:00:04 UTC

Severity: normal

Found in version 3.1.7



Report forwarded to debian-bugs-dist@lists.debian.org, Duncan Findlay <duncf@debian.org>:
Bug#486914; Package spamassassin. Full text and rfc822 format available.

Acknowledgement sent to Jan Luehr <jluehr@gmx.net>:
New Bug report received and forwarded. Copy sent to Duncan Findlay <duncf@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Jan Luehr <jluehr@gmx.net>
To: submit@bugs.debian.org
Subject: Default: spamd runs as root (uid/gid 0)
Date: Wed, 18 Jun 2008 23:57:03 +0200
package: spamassassin
version: 3.1.7

Hello,

if not changed by hand, spamd will be running as root in default installation.
This can be changed by editing  /etc/default/spamassassin by hand.
Change:
OPTIONS="--create-prefs --max-children 5 --helper-home-dir"
to:
OPTIONS="--create-prefs --max-children 5 --helper-home-dir -u Debian-exim -g Debian-exim"
If using exim.
Imho this default is risky since spamd handles untrusted data and 
MTA-User-privileges ought to be sufficient in many common cases ...

Keep smiling
yanosz




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#486914; Package spamassassin. (Sun, 10 Jun 2012 17:48:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Noah Meyerhans <noahm@debian.org>:
Extra info received and forwarded to list. (Sun, 10 Jun 2012 17:48:03 GMT) Full text and rfc822 format available.

Message #10 received at 486914@bugs.debian.org (full text, mbox):

From: Noah Meyerhans <noahm@debian.org>
To: Jan Luehr <jluehr@gmx.net>, 486914@bugs.debian.org
Subject: Re: Bug#486914: Default: spamd runs as root (uid/gid 0)
Date: Sun, 10 Jun 2012 10:16:12 -0700
On Wed, Jun 18, 2008 at 11:57:03PM +0200, Jan Luehr wrote:
> if not changed by hand, spamd will be running as root in default installation.
> This can be changed by editing  /etc/default/spamassassin by hand.
> Change:
> OPTIONS="--create-prefs --max-children 5 --helper-home-dir"
> to:
> OPTIONS="--create-prefs --max-children 5 --helper-home-dir -u Debian-exim -g Debian-exim"
> If using exim.
> Imho this default is risky since spamd handles untrusted data and 
> MTA-User-privileges ought to be sufficient in many common cases ...

In order for user preferences and Bayesian scoring to work, spamd needs
to be able to 'su' to the identity of the mail recipient. This is
something most people expect to work by default, so spamd runs as root
by default.

A newer version of spamassassin (3.3.2-3, probably) will introduce a
debian-spamd user, and it's safe to run spamd as that user if desired.

noah
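
A check for the setting discussed in this thread, as an added example that is not part of the original bug log or of the spamassassin package: it reads the OPTIONS line of a defaults file and reports which user spamd would run as. The function names are hypothetical, the sample file is constructed from the two OPTIONS values quoted above, and only the spellings `-u NAME`, `--username NAME` and `--username=NAME` are recognised.

```shell
#!/bin/sh
# Added example (not from the bug log): audit the spamd run-as user that an
# OPTIONS line in the style of /etc/default/spamassassin would produce.

# spamd_run_user OPTIONS_STRING
# Prints the user given with -u/--username, or "root" when none is given
# (the default behaviour the report describes).
spamd_run_user() {
    user=root
    set -- $1            # word-split the option string into arguments
    while [ $# -gt 0 ]; do
        case $1 in
            -u|--username) [ $# -ge 2 ] && { user=$2; shift; } ;;
            --username=*)  user=${1#--username=} ;;
        esac
        shift
    done
    printf '%s\n' "$user"
}

# extract_options FILE
# Prints the value of the last OPTIONS="..." assignment in FILE.
extract_options() {
    sed -n 's/^[[:space:]]*OPTIONS="\(.*\)"[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# audit_defaults FILE
# Returns 1 and warns when spamd would stay root, 0 otherwise.
audit_defaults() {
    opts=$(extract_options "$1")
    run_as=$(spamd_run_user "$opts")
    if [ "$run_as" = root ]; then
        echo "WARN: $1: spamd runs as root (OPTIONS=\"$opts\")"
        return 1
    fi
    echo "OK: $1: spamd runs as user $run_as"
}

# Constructed sample input: the two OPTIONS values quoted in the report.
demo=$(mktemp)
echo 'OPTIONS="--create-prefs --max-children 5 --helper-home-dir"' > "$demo"
audit_defaults "$demo" || true
echo 'OPTIONS="--create-prefs --max-children 5 --helper-home-dir -u Debian-exim -g Debian-exim"' > "$demo"
audit_defaults "$demo"
rm -f "$demo"
```

On a real host, `audit_defaults /etc/default/spamassassin` applies the same check to the file named in the report.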



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 20:34:37 2014; Machine Name: beach.debian.org
