Pollywog wrote: > On 12/06/2005 12:27 am, Matt Kettler wrote: > >>David Buttrick wrote: >> >>>Is there a control for the permissions on the bayes_journal file? >>> >>>I'm using a shared bayes db, and users do not have permissiosn on the >>>file because it is created chmod 600. >>> >>>Is there something i can do in the config files? >> >>What's your bayes_file_mode setting set to? >> >>If you have a shared bayes db, it should be 0777 (note: 0777 not 0666 due >>to use in dir creation) > > > > Wouldn't it be better to set bayes_file_mode to 0770 and add the users to the > same group as the file, say "users" group? > > > 8)
That works too, although you also have to add "nobody" to that group (any mail set to scan as root falls back to nobody). At that point the difference between 0770 and 0777 is not exactly very large. Sure named, http, cron and other service users can't write it, but that's about it. For someone exploiting as a service user, It *might* be possible to privilege escalate by maliciously corrupting the bayes DB. However, when using spamd bayes is never accessed as root so the potential gain here is small, you'd only be able to escalate to a regular local user, not to root. From there they might have better tools available to hop into root via another privilege escalation, but it's a long shot that they couldn't just do it directly from the service user. While I agree it's a good idea from a "belt and suspenders" approach, there are better measures one should take first. (ie: make sure all network daemon processes are chroot as well as setuid)
