The README.spamd (on my debian box) points out all the caveats of
running spamd as root if users can connect to it. However, there's
99% of a reasonable mechanism to solve this problem already in place.
spamd and spamc can use a unix domain socket. If I were to make the
socket owned by a particular user (cyrus is convenient for me) and
mode 600, I could run spamd as root, run spamc with the -u flag as
user cyrus (from postfix, in my setup), and have reasonable security
guarantees.
However, when spamd starts up, it unlinks the existing unix domain
socket, creates a new one as the spamd user, and then chmods it to
666! I think it would be very useful in a future version of spamd to
have new flags to set the socket owner and mode (I propose
--socketowner, --socketgroup, and --socketmode). In fact, I've
appended a patch which implements this.
(I'm not on this list, but I'll try to remember to check the archives
for responses, or you can cc: me directly.)
Marc
--- /usr/sbin/spamd.dpkg-orig 2004-02-13 22:54:36.000000000 -0500
+++ /usr/sbin/spamd 2004-02-13 23:09:13.000000000 -0500
@@ -107,6 +107,9 @@
Getopt::Long::Configure ("bundling");
GetOptions(
'socketpath=s' => \$opt{'socketpath'},
+ 'socketowner=s' => \$opt{'socketowner'},
+ 'socketgroup=s' => \$opt{'socketgroup'},
+ 'socketmode=s' => \$opt{'socketmode'},
'auto-whitelist|whitelist|a' => \$opt{'auto-whitelist'},
'create-prefs!' => \$opt{'create-prefs'},
'c' => \$opt{'create-prefs'},
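Review bot: the three new options have no matching POD entries in this hunk; spamd builds its usage and man text with pod2usage, so `--socketowner`, `--socketgroup` and `--socketmode` will not show up in `--help` or the manual page until the OPTIONS section is extended alongside these GetOptions lines.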
@@ -187,6 +190,15 @@
"ERROR: --socketpath mutually exclusive with --allowed-ip/--ssl/--port
params");
}
+if ( ! defined $opt{'socketpath'}
+ and ( defined $opt{'socketowner'}
+ or defined $opt{'socketgroup'}
+ or defined $opt{'socketmode'} ))
+{
+ pod2usage(-exitval => $resphash{'EX_USAGE'}, -verbose => 0, -message =>
+ "ERROR: --socketowner/--socketmode/--socketgroup params may only be used
with --socketpath");
+}
+
# These can be changed on command line with -A flag
# but only if we're not using UNIX domain sockets
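Review bot: the mutual-exclusion check is right, but this is also the place to validate the values themselves, since in the later hunk a bad `--socketowner` or `--socketgroup` only dies after the old socket has already been unlinked and replaced; rejecting an unknown name or a non-octal mode here (e.g. `$opt{'socketmode'} !~ /^0?[0-7]{3,4}$/`) keeps a typo from taking the existing socket down. Separately, if the `"ERROR: --socketowner/... may only be used` / `with --socketpath"` split is not just mail wrapping, the literal embeds a newline in the usage message; keep it on one line as the other pod2usage messages do.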
@@ -321,6 +333,9 @@
my $server;
if ( $opt{'socketpath'} ) {
my $path = $opt{'socketpath'};
+ my $owner = $opt{'socketowner'} || -1;
+ my $group = $opt{'socketgroup'} || -1;
+ my $mode = $opt{'socketmode'} || "0666";
#---------------------------------------------------------------------
# see if the socket is in use: if we connect to the current socket, it
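Review bot: `$opt{'socketowner'} || -1` and `$opt{'socketgroup'} || -1` turn a numeric `0` into `-1`, so `--socketowner 0` (root) or `--socketgroup 0` silently becomes "leave unchanged"; test definedness instead, e.g. `defined $opt{'socketowner'} ? $opt{'socketowner'} : -1`. Keeping `"0666"` as the default mode preserves the current behaviour for existing installs, which is the right default for a first version of the flag.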
@@ -349,7 +364,26 @@
Listen => SOMAXCONN
) || die "Could not create UNIX socket on $path: $! [EMAIL PROTECTED]";
- chmod 0666, $path; # make sure everybody can talk to it
+ if ( $owner !~ /^-?\d+$/ ) {
+ $owner = (getpwnam($owner))[2];
+ if ( ! defined $owner
+ or $owner !~ /^-?\d+$/ ) {
+ die "fatal: socketowner value \"$opt{'socketowner'}\" is not a valid
username or uid\n";
+ }
+ }
+
+ if ( $group !~ /^-?\d+$/ ) {
+ $group = (getgrnam($group))[2];
+ if ( ! defined $group
+ or $group !~ /^-?\d+$/ ) {
+ die "fatal: socketgroup value \"$opt{'socketgroup'}\" is not a valid
groupname or gid\n";
+ }
+ }
+
+ chown $owner, $group, $path
+ || die "Could not change ownership of socket to $owner:$group\n";
+ chmod oct($mode), $path
+ || die "Could not change mode of socket to $mode\n";
}
elsif ($opt{'ssl'}) {
$server = new IO::Socket::SSL(LocalAddr => $addr,
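Review bot: `chown $owner, $group, $path || die ...` does not check the chown result: `||` binds tighter than the list operator, so Perl parses it as `chown $owner, $group, ($path || die ...)` and a failed chown (return value 0) is ignored; the same applies to `chmod oct($mode), $path || die ...`. Write `chown($owner, $group, $path) or die ...` and `chmod(oct($mode), $path) or die ...`. Two smaller points on the same lines: `oct($mode)` returns 0 for a non-octal string such as `abc`, which yields a mode-0000 socket instead of an error, so validate `$mode` against `/^0?[0-7]{3,4}$/` before using it; and between the `Listen` call that creates the socket inode and the chmod, the file briefly carries the umask-derived mode, so setting `umask(0777 & ~oct($mode))` before the socket is created closes that window rather than relying on the chmod afterwards.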
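The owner/group/mode handling the post proposes, written out as an added example that is not part of Marc's patch or of spamd itself. It is in Python rather than Perl so that it runs stand-alone, and the function names (`parse_mode`, `resolve_id`, `create_restricted_socket`, `socket_perms`, `demo`) and the temporary socket path are constructed for this example. It goes a little beyond the patch in two ways: the mode string is validated instead of passed straight through an octal conversion, and the umask is tightened before `bind()` so the socket never exists with looser permissions than requested.

```python
import grp
import os
import pwd
import re
import socket
import stat
import tempfile


def parse_mode(value):
    """Accept only an octal permission string such as "0600" or "660".

    Perl's oct() turns "abc" into 0 without complaint, which would leave a
    mode-0000 socket; rejecting anything but 3-4 octal digits avoids that.
    """
    if not re.fullmatch(r"[0-7]{3,4}", value):
        raise ValueError(f"socketmode {value!r} is not an octal mode like 0600")
    return int(value, 8)


def resolve_id(value, lookup, what):
    """Turn a name or numeric id into a numeric id; -1 means "leave as is".

    The explicit None test matters: a plain `value or -1` would turn
    uid/gid 0 (root) into -1 and silently skip the chown.
    """
    if value is None:
        return -1
    if re.fullmatch(r"\d+", str(value)):
        return int(value)
    try:
        return lookup(value)
    except KeyError:
        raise ValueError(f"{what} {value!r} is not a valid name or id") from None


def create_restricted_socket(path, mode="0600", owner=None, group=None):
    """Create a listening AF_UNIX socket at `path` with the given owner/mode.

    Validation happens before the old socket is unlinked, so a bad option
    value cannot take an already-working socket down.
    """
    uid = resolve_id(owner, lambda n: pwd.getpwnam(n).pw_uid, "socketowner")
    gid = resolve_id(group, lambda n: grp.getgrnam(n).gr_gid, "socketgroup")
    perm = parse_mode(mode)

    if os.path.exists(path):
        os.unlink(path)

    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    # bind() creates the socket inode with mode 0777 & ~umask, so tighten
    # the umask first: there is then no window with a looser mode.
    old_umask = os.umask(0o777 & ~perm)
    try:
        srv.bind(path)
    finally:
        os.umask(old_umask)
    srv.listen(socket.SOMAXCONN)

    # Failures raise here instead of being swallowed; chmod runs last so
    # the final mode is exactly what was requested.
    os.chown(path, uid, gid)
    os.chmod(path, perm)
    return srv


def socket_perms(path):
    """Return the permission bits of the socket inode, for verification."""
    st = os.lstat(path)
    if not stat.S_ISSOCK(st.st_mode):
        raise RuntimeError(f"{path} is not a socket")
    return stat.S_IMODE(st.st_mode)


def demo():
    """Create a 0600 socket in a temporary directory and return its mode.

    Constructed for this example: owner and group are left as the creating
    user, so no privileged chown is needed to run it.
    """
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "spamd.sock")
    srv = create_restricted_socket(path, mode="0600")
    try:
        return socket_perms(path)
    finally:
        srv.close()
        os.unlink(path)
        os.rmdir(tmpdir)


if __name__ == "__main__":
    print(oct(demo()))
```

One caveat worth keeping in mind when relying on this: Linux enforces the socket file's permission bits on `connect()`, but some other Unix systems ignore them (the Linux unix(7) manual page says as much), so a portable deployment should also put the socket in a directory that only the intended client user can traverse.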