On Sat, 24 May 2014 00:51:38 +0200 Karsten Bräckelmann <guent...@rudersport.de> wrote:
Ian> I mostly get the rest of your answer, but this is incorrect. Same
Ian> user, I'm 100% sure. Unless you count spamd checking on my behalf
Ian> as different user - do you?

Karsten> Yes.

Karsten> user_prefs are per user. They are read by the spamd child
Karsten> process for each and every message processed. If the spamd
Karsten> daemon runs as root, the children setuid to the spamc calling
Karsten> user (or given -u argument), to determine which user_prefs to
Karsten> use. In your case the spamd master process already runs as user
Karsten> spamd and the setuid step is omitted. The user_prefs are still
Karsten> based upon the user the spamd child runs as.

Karsten> Look at it this way: Both the spamd master process as well as
Karsten> its children are running as an unprivileged, dedicated
Karsten> user. You don't expect that user to have access to your actual
Karsten> mail receiving account, do you?

Karsten> My wording of "user receiving mail" should have been
Karsten> "processing user". I was a little sloppy, because your OP did
Karsten> not mention spamd. Given details are "my user_prefs", logs
Karsten> showing a "user" named user, and mentioning spamc being called
Karsten> via procmail.

I apologize for muddying the waters more than necessary. The log was
altered - "user" is in fact my normal user ID.

Karsten> In your case of a dedicated spamd user, an attacker able to
Karsten> load a plugin even potentially can access *any* other user's
Karsten> mail while being processed by SA.

Karsten> Again, see the Administrator Settings section in M::SA::Conf.

There is no dedicated spamd user - spamd runs as root:

[11+0]~# ps lw 13558 13560 13561
F   UID   PID  PPID PRI  NI    VSZ   RSS WCHAN  STAT TTY        TIME COMMAND
1     0 13558     1  20   0  46656 40888 -      Ss   ?          0:04 /usr/sbin/spamd --create-prefs --max-children 5 --helper-home-d
5     0 13560 13558  20   0  62016 56908 -      S    ?          1:11 spamd child
5     0 13561 13558  20   0  51800 46716 -      S    ?          0:04 spamd child

(Sorry if this is also confusion created by my obfuscation of the log.)

According to the docs, this means spamd _does_ change identity to the
originator when processing each spamc request.

-- 
Please *no* private copies of mailing list or newsgroup messages.
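
Added example, not part of the original message or of SpamAssassin: a shell check that reads `ps lw`-style output and reports which of the two cases discussed in the thread applies, a root master (children setuid to the calling user, per-user user_prefs) or an unprivileged master (one shared processing user). The function names, the verdict strings and the second listing (UID 118 and its PIDs) are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a spamd deployment from `ps lw`-style output.

# Listing as posted in the message above (master and children under UID 0).
sample_root() {
cat <<'EOF'
F   UID   PID  PPID PRI  NI    VSZ   RSS WCHAN  STAT TTY        TIME COMMAND
1     0 13558     1  20   0  46656 40888 -      Ss   ?          0:04 /usr/sbin/spamd --create-prefs --max-children 5 --helper-home-d
5     0 13560 13558  20   0  62016 56908 -      S    ?          1:11 spamd child
5     0 13561 13558  20   0  51800 46716 -      S    ?          0:04 spamd child
EOF
}

# Constructed listing: UID 118 and the PIDs are made-up values.
sample_dedicated() {
cat <<'EOF'
F   UID   PID  PPID PRI  NI    VSZ   RSS WCHAN  STAT TTY        TIME COMMAND
1   118  2201     1  20   0  46656 40888 -      Ss   ?          0:02 /usr/sbin/spamd --max-children 5
5   118  2203  2201  20   0  62016 56908 -      S    ?          0:09 spamd child
EOF
}

# Reads a listing on stdin, prints one verdict line.
classify_spamd() {
  awk '
    # Header row: map column names to positions; COMMAND is the last column.
    NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; c = col["COMMAND"]; next }
    {
      uid = $(col["UID"]); pid = $(col["PID"]); ppid = $(col["PPID"])
      if ($c == "spamd" && $(c + 1) == "child") kid[pid] = ppid
      else if ($c ~ /(^|\/)spamd$/) { mpid = pid; muid = uid }
    }
    END {
      if (mpid == "") { print "no-master"; exit }
      n = 0
      for (p in kid) if (kid[p] == mpid) n++   # count children of this master
      # UID 0 master: children can setuid per request, so prefs are per user.
      if (muid == "0") print "root-master children=" n " prefs=per-user"
      # Non-root master: no setuid step, every message uses one user_prefs.
      else print "unprivileged-master uid=" muid " children=" n " prefs=shared"
    }'
}

sample_root | classify_spamd
sample_dedicated | classify_spamd
```

On a live host the same function can be fed with `ps lw` given the spamd PIDs, as in the command shown in the message.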