I know Razor2 needed patching to work with SA 2.6x; I'm not sure about Pyzor or DCC, though. You could simply disable those within your SA config for the time being.

Ryan Moore
----------
Perigee.net Corporation
704-849-8355 (sales)
704-849-8017 (tech)
www.perigee.net



Marc G. Fournier wrote:
On Mon, 12 Jan 2004, Alex Satrapa wrote:


MMoose wrote:

What I'd like to know is what are the real
implications of removing this switch?

Removing the taint-checking means that you no longer have any checks in place to prevent malicious parties from tricking the program into executing arbitrary commands. Taint checking in virus scanners and spam filters is essential, since viruses and spam are by definition malicious. You want to make sure spam can't simply alter your virus scanner to turn it into a spam factory.

It would be useful to post the messages that prompted you to turn off
taint-checking.


Since I saw no followup to this, and I'm having issues right now with
amavisd-new-20030616.p5 and a recently (i.e. tonight) upgraded Spamassassin
to 2.63 (was working with 2.55), the two taint checks that I'm seeing
failing with debug-sa are:

Pyzor -> check failed: Insecure $ENV{PATH} while running with -T switch at /usr/local/lib/perl5/site_perl/5.005/Mail/SpamAssassin/Dns.pm line 870.

and

DCC -> check failed: Insecure $ENV{PATH} while running with -T switch at /usr/local/lib/perl5/site_perl/5.005/Mail/SpamAssassin/Dns.pm line 735.

With a final failure at:

Cannot get host name of local machine at /usr/local/lib/perl5/site_perl/5.005/Mail/SpamAssassin/Util.pm line 444

I've had to disable spam checking in amavisd, since it won't start with it
enabled ... not sure why it suddenly can't get the hostname of the machine
though, but suspect it too may have to do with the Taint checking ... from
the code @ line 444:

# get the current host's unqualified domain name (better: return whatever
# Sys::Hostname thinks our hostname is, might also be a fully qualified one)
  sub hostname {
    return $hostname if defined($hostname);

    # Sys::Hostname isn't taint safe and might fall back to `hostname`. So we've
    # got to clean PATH before we may call it.
    clean_path_in_taint_mode();
    $hostname = Sys::Hostname::hostname();

    return $hostname;
  }

and run from the command line:

neptune# perl -e 'use Sys::Hostname; print Sys::Hostname::hostname() . "\n";'
neptune.hub.org

So looks fine to me ...

----
Marc G. Fournier           Hub.Org Networking Services (http://www.hub.org)
Email: [EMAIL PROTECTED]           Yahoo!: yscrappy              ICQ: 7615664


-------------------------------------------------------
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
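
An added illustration, not part of the original thread and not SpamAssassin or amavisd-new code: a small Perl script showing why taint mode raises "Insecure $ENV{PATH}" when a program shells out with an inherited PATH, and how fixing the environment first lets the same call run. The trusted directory list `/bin:/usr/bin`, the use of the `hostname` command, and the helper name `try_hostname` are assumptions made for the example.

```perl
#!/usr/bin/perl
# Added illustration of Perl taint mode; not SpamAssassin or amavisd-new code.
# Run as:  perl -T taint_path_demo.pl      (the file name is hypothetical)
use strict;
use warnings;

die "taint mode is off; run with: perl -T $0\n" unless ${^TAINT};

# Hypothetical helper: run the external `hostname` command and report
# whether taint mode allowed it.
sub try_hostname {
    my $name = eval {
        # Backticks start a child process, so perl inspects %ENV first and
        # dies if PATH (or IFS, CDPATH, ENV, BASH_ENV) is still tainted.
        my $out = `hostname`;
        die "hostname command returned nothing\n"
            unless defined $out && length $out;
        chomp $out;
        $out;
    };
    return "ok: $name" if defined $name;
    (my $err = $@) =~ s/\s+\z//;    # trim the trailing newline from the error
    return "refused: $err";
}

# 1. Everything inherited from the calling process is tainted, PATH included,
#    so the external command is refused before it is ever executed.
print "inherited environment -> ", try_hostname(), "\n";

# 2. Replace PATH with a fixed list of trusted directories (assumed here)
#    and drop the other variables a shell would honour. A value assigned
#    from a literal inside the program is not tainted.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

print "fixed environment     -> ", try_hostname(), "\n";
```

The variables deleted in step 2 are the ones the perlsec documentation lists alongside PATH; the refusal in step 1 carries the same "Insecure $ENV{PATH} while running with -T switch" text as the Pyzor and DCC failures quoted above.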


