Bug#293207: bogofilter: Any fix found?
David Relson
relson at osagesoftware.com
Sat Mar 5 04:03:32 CET 2005
On Fri, 4 Mar 2005 21:21:43 -0500
Eric Wood wrote:
> ----- Original Message -----
> From: "Dann Daggett"
> > Since I have different wordlists for each user, the process runs as
> > each user, and therefore it doesn't have permission to access the
> > files. So I think I need a way to tell whatever process is creating
> > the log files (be it bogofilter, DB, or logrotate) that the newly
> > created file be owned by the user that owns the directory (or
> > something like that).
>
> Yikes! If postfix is calling procmail always as root user then a serious
> security hole can emerge. Possibly a user created .procmailrc can inflict
> serious damage.
>
> My sendmail+vdeliver+procmail+bogofilter always delivers under the userid of
> the user or virtual user (id's over 65000). But wordlist.db has to be world
> read-writable. So what. I'd rather a local user be able to delete the
> wordlist.db rather than creating a deadly recipe. Virtual users of course
> never get a shell.
>
> With just a wordlist.db file, I easily set the permissions as 666. However,
> freewheeling log files must be 666'ed also. I wonder if setting a umask
> 0666 in the procmail script just before the bogofilter call and resetting it
> back to the original umask would work..... dunno.
>
> -eric wood
Eric,
Checking procmail's man page shows that procmail's UID depends on the
location of procmailrc. Dann and I differ in that detail with his use
of $HOME/.procmailrc and my use of /etc/procmailrc and that has a big
effect on matters.
David
_______________________________________________
Bogofilter mailing list
Bogofilter at bogofilter.org
http://www.bogofilter.org/mailman/listinfo/bogofilter
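
The umask question raised in the quoted message can be checked directly. The following is an added example, not part of the original thread: a shell sketch that reports which permission bits a newly created file receives under several umask values. The function names and the file name sample.log are hypothetical, and it assumes the creating program requests mode 0666, as shell redirection does.

```shell
#!/bin/sh
# Added example: works only in a throwaway temp directory (constructed names).

# Run a command under a temporary umask. The subshell confines the change,
# so the caller's umask never needs to be reset afterwards.
with_umask() {
    mask=$1; shift
    ( umask "$mask" && "$@" )
}

# Stand-in for the program that creates the log file. Shell redirection
# requests mode 0666; the kernel then clears every bit set in the umask.
# A program that requests a narrower mode (e.g. 0600) cannot be widened
# by any umask setting.
create_file() { : > "$1"; }

# Print the permission bits (three octal digits) of a file created under umask $1.
mode_under_umask() {
    dir=$(mktemp -d) || return 1
    with_umask "$1" create_file "$dir/sample.log"
    # GNU stat first, BSD stat as fallback
    m=$(stat -c %a "$dir/sample.log" 2>/dev/null || stat -f %Lp "$dir/sample.log")
    rm -rf "$dir"
    printf '%03o\n' "0$m"
}

# Succeeds if running something under with_umask left the caller's umask alone.
caller_umask_unchanged() {
    before=$(umask)
    with_umask 000 true
    [ "$before" = "$(umask)" ]
}

# 0666 clears all read/write bits; 000 clears none; 007 keeps owner+group only.
for mask in 0666 022 007 000; do
    printf 'umask %-4s -> mode %s\n' "$mask" "$(mode_under_umask "$mask")"
done
```

A umask is a mask of bits to remove, so the value that yields mode 666 is 000, while 007 yields 660 for setups that share the files through a common group.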