Matt Kettler wrote:
>>> Also, make sure that /var/.spamassassin has world rwx privileges.
>>>
>> Doesn't this create a potential or real giant type security risk?
> Well, regardless, the current user SA is running as has to be able to
> read and write to the bayes DB. It has to write to the journal publish
> atime updates at the very least. It will also want to be able to perform
> autolearning, journal sync, and opportunistic expiry, unless you've
> disabled those.
>
> Without that, bayes cannot function.
>
> Does it have a security risk? Yes, there's the possibility of someone
> exploiting it for local-user privilege escalation. AFAIK, SA's bayes
> code is very careful about how it accesses files to mitigate this risk,
> but there's always room for mistakes.

The point is that no one should be writing directly to /var/ like that. By most filesystem standards it should be /var/*something*/.spamassassin, maybe /var/lib/spamassassin or /var/spool/spamassassin/, or, since the user bound as user "elizabeth", maybe /home/elizabeth?? But /var is not right.

-- 
David Morton
Maia Mailguard - http://www.maiamailguard.com
Morton Software Design and Consulting - http://www.dgrmm.net
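As an added illustration of the two points raised in this thread (not code from either poster or from the SpamAssassin project): a small POSIX shell script that flags a Bayes directory set up "world rwx" and instead creates a per-user directory under a /var/lib-style base with mode 0700. The base path, the user name and the `user_prefs.fragment` file name are assumptions; `bayes_path` is a real SpamAssassin configuration option that is not mentioned in the thread.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Audits a Bayes directory's permission bits and sets up a correctly scoped one.

# Print the octal permission bits of a path (GNU stat, BSD stat fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 if the "other" bits include write (the "world rwx" setup the thread
# warns about), 1 otherwise, 2 if the path does not exist. A sticky bit
# (e.g. 1777) is still reported: other users can still create files there.
is_world_writable() {
    [ -e "$1" ] || return 2
    m=$(mode_of "$1")
    other=${m#"${m%?}"}          # last octal digit = permissions for "other"
    case $other in
        2|3|6|7) return 0 ;;     # write bit (2) is set
        *)       return 1 ;;
    esac
}

# Create a per-user Bayes directory that only that user can enter, at a path
# consistent with filesystem conventions (assumed: <base>/<user>, with base
# /var/lib/spamassassin in practice). Prints the directory path.
# $1 = base directory, $2 = user name the spamd child runs as.
setup_bayes_dir() {
    base=$1; user=$2
    dir="$base/$user"
    mkdir -p "$dir"
    chmod 0700 "$dir"            # owner only; no world or group access
    # chown needs root; only attempt it when we actually are root.
    if [ "$(id -un)" = root ]; then chown "$user" "$dir"; fi
    # Assumed helper output: a user_prefs line pointing SA at the new location.
    printf 'bayes_path %s/bayes\n' "$dir" > "$dir/user_prefs.fragment"
    printf '%s\n' "$dir"
}

# Usage (run by hand, not executed on load):
#   is_world_writable /var/.spamassassin && echo "world-writable: fix this"
#   setup_bayes_dir /var/lib/spamassassin elizabeth
```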