Posted to users@spamassassin.apache.org by Vicki Brown <vl...@cfcl.com> on 2004/11/18 03:01:23 UTC

Re: Insecure dependency in eval while running setuid [DOMAIN-OK]

At 08:53 -0500 11/15/2004, Matt Kettler wrote:
>1) are you SURE you want allow_user_rules set?

positive.

>Unless you trust all your users this can be a bit risky.

I trust all my users.
Or, to put it more specifically, I trust the three or four who might bother
to edit their files and the rest are all me anyway as far as that goes.

>Unless you're going to put body, rawbody, header or meta statements in
>user_prefs,

body and header, yep.
That's precisely why I have allow_user_rules

>2) I'd check for malformed body rules. Run spamassassin --lint to see if it
>can help you. Line 1669 of PerMsgStatus is where SA is executing the
>expressions for body rules.

Did that. I got a bunch of "score for a rule that doesn't exist" errors.
Nothing that looked serious.

>I'd check for add-on rules that have unescaped
>punctuation (ie > instead of \>) in /etc/mail/spamassassin/*.cf and in
>user_prefs. Most likely it's a typo.

yeah, that's what I figured, although I haven't found it.
I did toss a couple of rules.

>
>However, it's going to be a body rule that's the troublemaker.

-- 
Vicki Brown     ZZZ                Journeyman Sourceror:
SF Bay Area, CA    zz  |\     _,,,---,,_      Scripts & Philtres
http://www.cfcl.com zz /,`.-'`'    -.  ;-;;,_Code, Doc, Process, QA
http://cfcl.com/vlb   |,4-  ) )-,_. ,\ ( `'-'Perl, Unix, Mac OS X, WWW
____________________ '---''(_/--'  `-'\_)  ___________________________
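
Added example, not part of the original message or of SpamAssassin: a small Python checker for the kind of typo discussed in the thread, limited to one case, a body, rawbody or header rule whose /.../ pattern has a missing or unescaped "/" delimiter. The rule names and the SAMPLE text are constructed for illustration; patterns using other delimiters such as m{...} are skipped.

```python
import re

# body/rawbody/header rules take a regex argument; "eval:" rules do not.
RULE_RE = re.compile(r'^\s*(body|rawbody|header)\s+(\S+)\s+(.*?)\s*$')

def unescaped_positions(pattern, delim="/"):
    """Indexes of delimiter characters that are not backslash-escaped."""
    hits, i = [], 0
    while i < len(pattern):
        if pattern[i] == "\\":
            i += 2                      # skip the escaped character
            continue
        if pattern[i] == delim:
            hits.append(i)
        i += 1
    return hits

def check_rules(text):
    """Return (line_no, rule_name, problem) for rules with delimiter trouble."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = RULE_RE.match(line)
        if not m:
            continue                    # comments, scores, other directives
        kind, name, rest = m.groups()
        if rest.startswith("eval:"):
            continue
        if kind == "header":
            # header rules look like: Subject =~ /pattern/ [if-unset: ...]
            parts = re.split(r'\s*[=!]~\s*', rest, maxsplit=1)
            if len(parts) != 2:
                continue                # e.g. exists:Header tests
            rest = re.sub(r'\s*\[if-unset:.*\]$', '', parts[1])
        if not rest.startswith("/"):
            continue                    # other delimiters are not handled here
        hits = unescaped_positions(rest)
        if len(hits) < 2:
            findings.append((no, name, "no closing delimiter"))
        elif len(hits) > 2:
            findings.append((no, name, "unescaped delimiter inside pattern"))
    return findings

# Constructed sample rules (not taken from the thread).
SAMPLE = r"""
body     LOCAL_OK     /cheap meds/i
body     LOCAL_SLASH  /visit http://example/i
header   LOCAL_SUBJ   Subject =~ /50\% off/
body     LOCAL_OPEN   /unterminated
rawbody  LOCAL_ESC    /<a href=\/\/x>/
"""

if __name__ == "__main__":
    for no, name, problem in check_rules(SAMPLE):
        print(f"line {no}: {name}: {problem}")
```

To scan real files, pass the contents of each *.cf file and of user_prefs to check_rules() one file at a time, so the line numbers match the file.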