Bug#293207: bogofilter: Any fix found?
Eric Wood
eric at interplas.com
Sat Mar 5 03:21:43 CET 2005
----- Original Message -----
From: "Dann Daggett"
> Since I have different wordlists for each user, the process runs as
> each user, and therefore it doesn't have permission to access the
> files. So I think I need a way to tell whatever process is creating
> the log files (be it bogofilter, DB, or logrotate) that the newly
> created file be owned by the user that owns the directory (or
> something like that).
Yikes! If postfix is calling procmail always as root user then a serious
security hole can emerge. Possibly a user-created .procmailrc can inflict
serious damage.
My sendmail+vdeliver+procmail+bogofilter always delivers under the userid of
the user or virtual user (id's over 65000). But wordlist.db has to be world
read-writable. So what. I'd rather a local user be able to delete the
wordlist.db rather than creating a deadly recipe. Virtual users of course
never get a shell.
With just a wordlist.db file, I easily set the permissions as 666. However,
free-wheeling log files must be 666'ed also. I wonder if setting a umask
0666 in the procmail script just before the bogofilter call and resetting it
back to the original umask would work..... dunno.
-eric wood
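
The umask question at the end of this message can be checked directly. The script below is an added example, not part of the original post: `mode_under_umask` is a hypothetical helper, and the file it creates lives in a throwaway temporary directory. It shows that umask bits are removed from the mode a program requests, and that a subshell scopes the change so nothing has to be reset afterwards.

```shell
#!/bin/sh
# Added example (not from the original message).
# mode_under_umask is a hypothetical helper name.

# Print the octal permission bits a newly created file receives
# when the process umask is $1.
mode_under_umask() {
    (
        # Subshell: the umask change ends here, so the caller's
        # umask never needs to be restored by hand.
        dir=$(mktemp -d) || exit 1
        umask "$1"
        # The shell creates the file requesting mode 0666; the kernel
        # stores (0666 & ~umask).
        : > "$dir/wordlist.db"
        # GNU stat first, BSD stat as a fallback.
        stat -c '%a' "$dir/wordlist.db" 2>/dev/null ||
            stat -f '%Lp' "$dir/wordlist.db"
        rm -rf "$dir"
    )
}

# 0666 masks out every read/write bit; 0000 leaves 666 intact;
# 0002 gives owner+group write; 0077 is owner-only.
for m in 0666 0000 0002 0077; do
    printf 'umask %s -> mode %s\n' "$m" "$(mode_under_umask "$m")"
done
```

A umask of 0666 therefore produces files nobody can read or write, the opposite of mode 666. A umask of 0002 combined with a shared group is the narrower alternative to making the files world-writable.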