Bug#293207: bogofilter: Any fix found?

Matthias Andree matthias.andree at gmx.de
Sun Mar 6 03:09:35 CET 2005


"Eric Wood" <eric at interplas.com> writes:

> ----- Original Message ----- 
> From: "Dann Daggett"
>> Since I have different wordlists for each user, the process runs as
>> each user, and therefore it doesn't have permission to access the
>> files. So I think I need a way to tell whatever process is creating
>> the log files (be it bogofilter, DB, or logrotate) that the newly
>> created file be owned by the user that owns the directory (or
>> something like that).
>
> Yikes! If postfix is calling procmail always as root user then a serious 
> security hole can emerge.  Possibly a user created .procmailrc can inflict 
> serious damage.

Postfix doesn't call procmail (as mailbox_program) as root, you'd have
to install procmail as set-uid root.

Problems arise if bogofilter programs (or anything more complex than
setting a variable to some hard-coded value) are called from
/etc/procmailrc.

At any rate, I advise against procmail, and suggest that people use
maildrop instead.

> My sendmail+vdeliver+procmail+bogofilter always delivers under the userid of 
> the user or virtual user (id's over 65000).  But wordlist.db has to be world 
> read-writable.  So what.  I'd rather a local user be able to delete the 
> wordlist.db rather than creating a deadly recipe.  Virtual users of course 
> never get a shell.
>
> With just a wordlist.db file, I easily set the permissions as 666. However, 
> free wheeling log files must be 666'ed also.  I wonder if setting a umask 
> 0666 in the procmail script just before the bogofilter call and resetting it 
> back to the original umask would work..... dunno.

It doesn't work. Bogofilter will not request the "other user write
permission" bit, so all you'll get is 0664. Screwing somebody else's
list isn't exactly fun.

-- 
Matthias Andree
_______________________________________________
Bogofilter mailing list
Bogofilter at bogofilter.org
http://www.bogofilter.org/mailman/listinfo/bogofilter


