Posted to dev@spamassassin.apache.org by Marc Horowitz <ma...@mit.edu> on 2004/02/14 05:26:22 UTC

secure use of spamd running as root

The README.spamd (on my debian box) points out all the caveats of
running spamd as root if users can connect to it.  However, there's
99% of a reasonable mechanism to solve this problem already in place.
spamd and spamc can use a unix domain socket.  If I were to make the
socket owned by a particular user (cyrus is convenient for me) and
mode 600, I could run spamd as root, run spamc with the -u flag as
user cyrus (from postfix, in my setup), and have reasonable security
guarantees.

However, when spamd starts up, it unlinks the existing unix domain
socket, creates a new one as the spamd user, and then chmods it to
666!  I think it would be very useful in a future version of spamd to
have new flags to set the socket owner and mode (I propose
--socketowner, --socketgroup, and --socketmode).  In fact, I've
appended a patch which implements this.

(I'm not on this list, but I'll try to remember to check the archives
for responses, or you can cc: me directly.)

                Marc

--- /usr/sbin/spamd.dpkg-orig	2004-02-13 22:54:36.000000000 -0500
+++ /usr/sbin/spamd	2004-02-13 23:09:13.000000000 -0500
@@ -107,6 +107,9 @@
 Getopt::Long::Configure ("bundling");
 GetOptions(
   'socketpath=s'                => \$opt{'socketpath'},
+  'socketowner=s'               => \$opt{'socketowner'},
+  'socketgroup=s'               => \$opt{'socketgroup'},
+  'socketmode=s'                => \$opt{'socketmode'},
   'auto-whitelist|whitelist|a'  => \$opt{'auto-whitelist'},
   'create-prefs!'               => \$opt{'create-prefs'},
     'c'                         => \$opt{'create-prefs'},
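
Review bot: The three new options are declared in GetOptions, but nothing in this patch documents them: no hunk touches the usage text or the POD. Please add entries for --socketowner, --socketgroup and --socketmode that state the accepted forms (name or numeric id for owner and group, octal string for mode) and that the default mode remains 0666 when --socketmode is not given.
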
@@ -187,6 +190,15 @@
     "ERROR: --socketpath mutually exclusive with --allowed-ip/--ssl/--port params");
 }
 
+if ( ! defined $opt{'socketpath'}
+     and ( defined $opt{'socketowner'}
+	   or defined $opt{'socketgroup'}
+	   or defined $opt{'socketmode'} ))
+{
+  pod2usage(-exitval => $resphash{'EX_USAGE'}, -verbose => 0, -message =>
+    "ERROR: --socketowner/--socketmode/--socketgroup params may only be used with --socketpath");
+}
+
 
 # These can be changed on command line with -A flag
 # but only if we're not using UNIX domain sockets
@@ -321,6 +333,9 @@
 my $server;
 if ( $opt{'socketpath'} ) {
   my $path = $opt{'socketpath'};
+  my $owner = $opt{'socketowner'} || -1;
+  my $group = $opt{'socketgroup'} || -1;
+  my $mode = $opt{'socketmode'} || "0666";
 
   #---------------------------------------------------------------------
   # see if the socket is in use: if we connect to the current socket, it
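
Review bot: The "||" defaults on the three added "my" lines treat a legitimate value of "0" as unset. --socketowner 0 and --socketgroup 0 silently become -1 (leave unchanged), and --socketmode 0 becomes "0666", which is the most permissive result for a request for the most restrictive one. Test with defined instead, for example: my $mode = defined $opt{'socketmode'} ? $opt{'socketmode'} : "0666"; and do the same for $owner and $group.
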
@@ -349,7 +364,26 @@
                                  Listen => SOMAXCONN
   ) || die "Could not create UNIX socket on $path: $! $@\n";
 
-  chmod 0666, $path;          # make sure everybody can talk to it
+  if ( $owner !~ /^-?\d+$/ ) {
+      $owner = (getpwnam($owner))[2];
+      if ( ! defined $owner
+	   or $owner !~ /^-?\d+$/ ) {
+	  die "fatal: socketowner value \"$opt{'socketowner'}\" is not a valid username or uid\n";
+      }
+  }
+  
+  if ( $group !~ /^-?\d+$/ ) {
+      $group = (getgrnam($group))[2];
+      if ( ! defined $group
+	   or $group !~ /^-?\d+$/ ) {
+	  die "fatal: socketgroup value \"$opt{'socketgroup'}\" is not a valid groupname or gid\n";
+      }
+  }
+
+  chown $owner, $group, $path
+      || die "Could not change ownership of socket to $owner:$group\n";
+  chmod oct($mode), $path
+      || die "Could not change mode of socket to $mode\n";
 }
 elsif ($opt{'ssl'}) {
   $server = new IO::Socket::SSL(LocalAddr => $addr,
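
Review bot: Neither die on the added chown and chmod lines can fire, because "||" binds tighter than a list operator called without parentheses: "chown $owner, $group, $path || die ..." parses as chown($owner, $group, ($path || die ...)). A failed chown or chmod therefore goes unreported and spamd keeps listening on the socket with whatever owner and mode it already had. Use "or die" or parenthesise the calls, and put $! in the messages. Two smaller points in the same hunk: $mode reaches oct() unvalidated, so a non-octal string yields 0 and a "0x" prefix is read as hex (check it against /^[0-7]{3,4}$/ first), and the socket is created before the chown/chmod, so it exists briefly with umask-derived permissions unless the umask is tightened before the socket is created.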

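A sketch of the socket setup the post asks for, written as an added example (it is not part of the original message, the posted patch, or spamd itself). The helper name restricted_listener and the temporary path are hypothetical; the current user stands in for the "cyrus" account so the script runs unprivileged.

```perl
#!/usr/bin/perl
# Added example: create a UNIX domain socket that is never more permissive
# than requested, and fail loudly if ownership or mode cannot be set.
use strict;
use warnings;
use IO::Socket::UNIX;
use Socket qw(SOCK_STREAM SOMAXCONN);
use File::Temp qw(tempdir);

# restricted_listener() is a hypothetical helper, not a spamd function.
sub restricted_listener {
    my ($path, $uid, $gid, $mode) = @_;

    # Accept only octal digits so oct() cannot turn a typo into mode 0.
    die "invalid socket mode \"$mode\"\n" unless $mode =~ /^[0-7]{3,4}$/;
    my $perm = oct($mode) & 0777;

    # bind() applies the umask, so tighten it first: the socket file is
    # created with at most the requested permission bits.
    my $old_umask = umask(0777 & ~$perm);
    my $server = IO::Socket::UNIX->new(
        Local  => $path,
        Type   => SOCK_STREAM,
        Listen => SOMAXCONN,
    );
    my $err = $!;
    umask($old_umask);
    die "Could not create UNIX socket on $path: $err\n" unless $server;

    # Parenthesised calls with "or": a failure here must stop the daemon.
    chown($uid, $gid, $path) or die "chown $uid:$gid $path failed: $!\n";
    chmod($perm, $path)      or die "chmod $mode $path failed: $!\n";
    return $server;
}

# Constructed demo values: a throwaway directory replaces the real socket
# path, the effective uid replaces "cyrus", and gid -1 leaves the group as is.
my $dir    = tempdir(CLEANUP => 1);
my $path   = "$dir/spamd.sock";
my $server = restricted_listener($path, $>, -1, "0600");

my @st = stat($path) or die "stat $path: $!\n";
printf "%s mode=%04o uid=%d gid=%d\n", $path, $st[2] & 07777, $st[4], $st[5];
```

Linux requires write permission on the socket file to connect to it; some other systems ignore socket file permissions, in which case the permissions of the containing directory are what restrict access.
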
Re: Auto Whitelist Question

Posted by Sidney Markowitz <si...@sidney.com>.
Richard Ozer wrote:

> How do I go about removing entries from the
> auto-whitelist without having a mail message

1. Read the spamassassin man page which describes the option
  --remove-addr-from-whitelist

2. This mailing list is for developers to discuss things related to 
their ongoing development of SpamAssassin. Bug reports should be entered 
in the Bugzilla database. Questions about usage of spamassassin should 
be sent to the spamassassin-users mailing list. Preferably after reading 
the man page and FAQ Wiki at http://wiki.spamassassin.org/

  -- sidney


Auto Whitelist Question

Posted by Richard Ozer <ro...@ois-online.com>.
I have a couple of entries in my auto-whitelist that are incorrect; mainly
as a result of running some tests on spamassassin.  How do I go about
removing entries from the auto-whitelist without having a mail message
handy?

Related to this question is how do I reset the auto whitelist to start
fresh?  Just delete the files in the auto-whitelist directory?

RO


Re: secure use of spamd running as root

Posted by Sidney Markowitz <si...@sidney.com>.
Marc Horowitz wrote:
> (I'm not on this list, but I'll try to remember to check
> the archives for responses, or you can cc: me directly.)

Marc, open up a ticket on Bugzilla and submit that patch as an 
attachment using the web interface.

That will cause you to be Cc'd in an email automatically whenever there 
is any activity or discussion on the issue, and it will make sure that 
it never gets lost in the pile of discussion as it might as just a post 
to the mailing list.

I'm not one of the core developers either, and found that when I have 
had something to contribute doing it through Bugzilla works really well.

  -- sidney