On 02/16/2012 12:35 PM, Stevan Bajić wrote: > On 16.02.2012 18:31, Nathanael D. Noblet wrote: >> On 02/16/2012 10:04 AM, Stevan Bajić wrote: >>> On Thu, 16 Feb 2012 09:36:48 -0700, Nathanael D. Noblet wrote: >>>> Hello, >>>> >>> Hello Nathanael, >>> >>> >>>> So I just noticed that dspam in daemon mode in fedora fails to >>>> start >>>> by default because it attempts to bind to port 24 as an unprivileged >>>> user. I'm just verifying that this is intended behaviour? I would >>>> normally expect dspam to bind to port 24, then drop privs. Am I >>>> mistaken >>>> >>> you are mistaken. >> >> Why doesn't DSPAM act in this way? > It is coded that way. > >> Many daemon's I know do this like apache, postfix etc... don't they? >> > Yes they do. They start first as a privileged user and start whatever is > needed under another (less privileged) user. > >> >>>> or is this a bug? >>>> >>> It is not a bug since DSPAM never did that in the past. >>> >>> >> >> So is DSPAM not intended to run as an unprivileged user? > You have to make a difference here. > The client can run under whatever user you like. > The daemon can as well run under whatever user you like BUT if you want > to bind to an TCP/IP port below 1024 then you need to use a privileged user. > >> The default install is to bind to port 24. > Is this the default? I have to look. I usually run the daemon on a file > socket where I don't have to care about privileged or not privileged user. > >> Should I just patch the default config to use a port> 1024? >> > Depends. If some one wants to run DSPAM in relay mode then I don't see a > way around running as a privileged user or at least an user that can run > in listen mode on port 24 or 25. If all what you want is to run DSPAM as > daemon then I really, really, really would suggest to switch to file > sockets since this is saving you a lot of trouble and on top makes > communication slightly faster than using TCP/IP sockets.
Sure, however if you do dspam --daemon, by default it tries to listen to tcp port 24. So the default config file doesn't work if using unprivileged user. Now part of that is how I set it to run (as dspam user instead of root), though part of that made me thought it was dropping privs to do it. So in my case I guess I'll patch the default config to use port 10024... > >> Even if it isn't a bug persay as dspam hasn't functioned this way in >> the past.. should it be a requested feature? >> > My personal answer? YES! > It's a shame that we have not implemented that. We can count ourself > lucky that in all those years no one has found an exploitable issue in > DSPAM. This might be luck but could be as well a sign of good code > quality. Anyway... whatever the reason is... running as unprivileged > user is way better than hoping no one finds an issue or expecting to > have still luck in the future regarding that issue. Would a patch to drop privileges be accepted? I'm thinking that I'd rather to that really and have it upstream than patch the config. From your knowledge of dspam... would this be a significant piece of work? I can only really see it being useful in the daemon mode. Thoughts? -- Nathanael d. Noblet t 403.875.4613 ------------------------------------------------------------------------------ Virtualization & Cloud Management Using Capacity Planning Cloud computing makes use of virtualization - but cloud computing also focuses on allowing computing to be delivered as a service. http://www.accelacomm.com/jaw/sfnl/114/51521223/ _______________________________________________ Dspam-user mailing list Dspam-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/dspam-user
