Posted to users@spamassassin.apache.org by Vicki Brown <vl...@cfcl.com> on 2004/11/13 18:51:04 UTC
Insecure dependency in eval while running setuid
I'm getting this error in the spamd logfile:
2004-11-13 17:32:05 [54661] i: processing message <3698158.1100366389516.JavaMail.root@z.excellzone.com> for vlb:1001.
2004-11-13 17:32:05 [54661] i: error: Insecure dependency in eval while running setuid at /usr/local/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/PerMsgStatus.pm line 1669, <GEN12> line 37._ No such file or directory, continuing
I have upgraded to SA 3.0.1
spamd is running as
spamd -d -c
/etc/mail/spamassassin/local.cf contains
allow_user_rules 1
my user prefs file contains
use_terse_report 1
ok_languages en
report_safe 0
what problems should I be looking for?
--
Vicki Brown ZZZ Journeyman Sourceror:
SF Bay Area, CA zz |\ _,,,---,,_ Scripts & Philtres
http://www.cfcl.com zz /,`.-'`' -. ;-;;,_Code, Doc, Process, QA
http://cfcl.com/vlb |,4- ) )-,_. ,\ ( `'-'Perl, Unix, Mac OS X, WWW
____________________ '---''(_/--' `-'\_) ___________________________
Re: Insecure dependency in eval while running setuid [DOMAIN-OK]
Posted by Vicki Brown <vl...@cfcl.com>.
At 08:53 -0500 11/15/2004, Matt Kettler wrote:
>1) are you SURE you want allow_user_rules set?
positive.
>Unless you trust all your users this can be a bit risky.
I trust all my users.
Or, to put it more specifically, I trust the three or four who might bother
to edit their files and the rest are all me anyway as far as that goes.
>Unless you're going to put body, rawbody, header or meta statements in
>user_prefs,
body and header, yep.
That's precisely why I have allow_user_rules.
>2) I'd check for malformed body rules. Run spamassassin --lint to see if it
>can help you. Line 1669 of PerMsgStatus is where SA is executing the
>expressions for body rules.
Did that. I got a bunch of "score for a rule that doesn't exist" errors.
Nothing that looked serious.
>I'd check for add-on rules that have unescaped
>punctuation (ie > instead of \>) in /etc/mail/spamassassin/*.cf and in
>user_prefs. Most likely it's a typo.
yeah, that's what I figured, although I haven't found it.
I did toss a couple of rules.
>
>However, it's going to be a body rule that's the troublemaker.
--
Vicki Brown ZZZ Journeyman Sourceror:
SF Bay Area, CA zz |\ _,,,---,,_ Scripts & Philtres
http://www.cfcl.com zz /,`.-'`' -. ;-;;,_Code, Doc, Process, QA
http://cfcl.com/vlb |,4- ) )-,_. ,\ ( `'-'Perl, Unix, Mac OS X, WWW
____________________ '---''(_/--' `-'\_) ___________________________
Re: Insecure dependency in eval while running setuid
Posted by Matt Kettler <mk...@comcast.net>.
At 09:51 AM 11/13/2004 -0800, Vicki Brown wrote:
>2004-11-13 17:32:05 [54661] i: error: Insecure dependency in eval while
>running
>setuid at
>/usr/local/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/PerMsgStatus.pm
> line 1669, <GEN12> line 37._ No such file or directory, continuing
>
>I have upgraded to SA 3.0.1
<snip>
>what problems should I be looking for?
1) are you SURE you want allow_user_rules set? Unless you trust all your
users this can be a bit risky. Unless you're going to put body, rawbody,
header or meta statements in user_prefs, unset that. (score statements are
fine)
2) I'd check for malformed body rules. Run spamassassin --lint to see if it
can help you. Line 1669 of PerMsgStatus is where SA is executing the
expressions for body rules.
No such file or directory is a slightly concerning message here, as it
implies the regex is either intentionally or accidentally trying to access
files outside of SA. I'd check for add-on rules that have unescaped
punctuation (i.e. > instead of \>) in /etc/mail/spamassassin/*.cf and in
user_prefs. Most likely it's a typo.
However, it's going to be a body rule that's the troublemaker.
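
Added example, not part of the original thread or of SpamAssassin: a small pre-check for the kind of rule typo discussed above, which flags body, rawbody and header rules whose /pattern/ is closed early by an unescaped '/' or is never closed. It assumes slash-delimited patterns only; the function names and the sample rules are constructed for illustration, and it complements spamassassin --lint rather than replacing it.

```python
import re

RULE_TYPES = {"body", "rawbody", "header"}   # rule types named in the thread
MODIFIERS = re.compile(r"^[a-z]*$")          # e.g. the trailing "i" in /foo/i

def check_pattern(text):
    """Return None if text looks like /pattern/modifiers, else a reason."""
    if text.startswith(("eval:", "exists:")):
        return None                          # not a regex rule
    if not text.startswith("/"):
        return "pattern does not start with '/' (other delimiters not handled)"
    i = 1
    while i < len(text):
        if text[i] == "\\":                  # backslash escapes the next char
            i += 2
            continue
        if text[i] == "/":                   # first unescaped '/' closes it
            tail = text[i + 1:].strip()
            if MODIFIERS.match(tail):
                return None
            return "unescaped '/' ends the pattern early; left over: %r" % tail
        i += 1
    return "no closing '/'"

def lint_rules(lines, source="<input>"):
    """Return (source, line_no, rule_name, reason) for each suspect rule."""
    findings = []
    for no, raw in enumerate(lines, 1):
        line = re.sub(r"(?<!\\)#.*$", "", raw).strip()   # drop comments
        parts = line.split(None, 2)
        if len(parts) < 3 or parts[0] not in RULE_TYPES:
            continue
        kind, name, rest = parts
        if kind == "header":                 # header NAME Field =~ /pattern/
            m = re.match(r"\S+\s+[=!]~\s+(.*)$", rest)
            if not m:
                continue
            rest = re.sub(r"\s*\[if-unset:.*\]\s*$", "", m.group(1))
        reason = check_pattern(rest)
        if reason:
            findings.append((source, no, name, reason))
    return findings

SAMPLE = [                                   # constructed sample rules
    r"body     LOCAL_OK    /free \/ cheap/i",
    r"body     LOCAL_BAD   /see http://example.test now/i",
    r"rawbody  LOCAL_OPEN  /<font size=1",
    r"header   LOCAL_SUBJ  Subject =~ /\bwin\b/i",
    r"score    LOCAL_OK    1.5",
]

if __name__ == "__main__":
    for finding in lint_rules(SAMPLE, "user_prefs"):
        print("%s:%d %s: %s" % finding)
```

To check real files, pass the lines of each file in /etc/mail/spamassassin/*.cf and of each user_prefs to lint_rules() in place of SAMPLE.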