when --max-conn-per-child=1 spamd children should drop root completely as
early as possible. actually i'd also suggest that when $setuid_to_user
you default $clients_per_child to 1 rather than 200 ... the extra paranoia
is worth more than the possibility of perf gain for most folks.

sorry -- it would take me longer to read the license agreement required to
create a bugzilla account than it did to create this patch. i release
this message into the public domain, do what you want with it.

-dean

--- spamassassin-3.0.1/spamd/spamd.raw.orig 2004-10-22 18:39:19.000000000
-0700
+++ spamassassin-3.0.1/spamd/spamd.raw 2004-10-26 23:12:02.000000000 -0700
@@ -1398,6 +1398,11 @@
else {
logmsg("info: setuid to $username succeeded");
}
+ # increase paranoia when we only handle one client per child
+ if ($clients_per_child == 1) {
+ $( = $); # real gid
+ $< = $>; # real uid. we now cannot setuid anymore
+ }
}
#
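Review bot: The two assignments in the new `if ($clients_per_child == 1)` block, `$( = $);` and `$< = $>;`, are never checked for failure, so a child whose real ids did not actually change would keep running with root still recoverable and nothing in the log. After the assignments, confirm that `$<` equals `$>` and that `$(` equals the first entry of `$)`, and log and exit on a mismatch, in the same style as the `logmsg("info: setuid to $username succeeded")` branch just above. Also, `$)` in Perl is a space-separated list (the effective gid followed by the supplementary groups), so `$( = $)` depends on numeric conversion picking the first entry; assigning `(split ' ', $))[0]` instead states the intent and avoids a non-numeric warning.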