bogofilter -u let's spam come through
Tom Allison
tallison at tacocat.net
Sat Feb 21 16:06:40 CET 2004
David Relson wrote:
> On Sat, 21 Feb 2004 08:39:12 -0500
> Tom Allison wrote:
>
>
>
>>I'll take a stab at it, but my first guess would be something like
>>this: If David Relson has permissions of 640, then only one person
>>will be able to update the list and everyone in his (assumption) users
>>group can read it. This would work fine if he had a really good
>>bogofilter wordlist and didn't want anyone else just updating it
>>casually. For example, he may control all the updates while his
>>users/family reap the benefits of his labor.
>>
>>However, if you are planning on having several users doing both
>>updates (-u) and reads from the database then you have to do two
>>things: set the permissions to 660.
>>make sure all your users are in the same group as the bogofilter
>>wordlist so they can act on it.
>
>
> Tom,
>
> Nope. The wordlist permissions aren't working as you describe. Perhaps
> it's a postfix or procmail thing we don't know/understand.
>
> All my users can update the wordlist (using "bogofilter -u"). I just
> ran a check with messages to 3 of my users and the wordlist counts
> included all 3 messages.
>
> Offhand I can't say _why_ the permissions work. I just know that they
> do.
>
> FWIW, wordlist.db has group "relson", but that group does not include
> any other users. All users are in group "users".
>
This is unnerving.
You set the permissions a certain way, and yet the application doesn't
follow that permission setting in a predictable manner?
I am by no means an expert on any of this stuff. But it sounds as if this
might be a candidate for a security issue.
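
Added example, not part of the original thread: a small model of the POSIX owner/group/other decision, showing what the mode bits alone predict for the 640 and 660 cases discussed above. When observed behaviour differs from this prediction, the thing to check is which account the filtering process actually runs as. Assumptions: wordlist.db is owned by "relson", and "alice" is a hypothetical ordinary user in group "users".

```python
import stat
from dataclasses import dataclass

@dataclass(frozen=True)
class FileMeta:
    owner: str
    group: str
    mode: int            # permission bits, e.g. 0o640

@dataclass(frozen=True)
class Proc:
    euser: str           # effective user the process runs as
    groups: frozenset    # effective plus supplementary groups

def access_class(f, p):
    """POSIX selects exactly one class: owner, else group, else other."""
    if p.euser == f.owner:
        return "owner"
    if f.group in p.groups:
        return "group"
    return "other"

def allowed(f, p):
    """Return (can_read, can_write) for a non-root process."""
    r_bit, w_bit = {
        "owner": (stat.S_IRUSR, stat.S_IWUSR),
        "group": (stat.S_IRGRP, stat.S_IWGRP),
        "other": (stat.S_IROTH, stat.S_IWOTH),
    }[access_class(f, p)]
    return bool(f.mode & r_bit), bool(f.mode & w_bit)

def report(f, procs):
    return {name: allowed(f, p) for name, p in procs.items()}

# Constructed scenario using the names from the thread; "alice" is hypothetical.
PROCS = {
    "as_relson": Proc("relson", frozenset({"relson", "users"})),
    "as_alice": Proc("alice", frozenset({"users"})),
}
WORDLIST_640 = FileMeta("relson", "relson", 0o640)  # group "relson", mode 640
WORDLIST_660 = FileMeta("relson", "relson", 0o660)  # same group, mode 660
SHARED_660 = FileMeta("relson", "users", 0o660)     # group changed to "users"

if __name__ == "__main__":
    for label, f in [("640 relson:relson", WORDLIST_640),
                     ("660 relson:relson", WORDLIST_660),
                     ("660 relson:users", SHARED_660)]:
        print(label, report(f, PROCS))
```

On a live system, `ls -l` on the wordlist and `id` run as the account the delivery agent uses give the real inputs to this decision.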