Control: severity -1 serious Control: tags -1 security On 2012-06-10 10:16:12 -0700, Noah Meyerhans wrote: > In order for user preferences and Bayesian scoring to work, spamd needs > to be able to 'su' to the identity of the mail recipient. This is > something most people expect to work by default, so spamd runs as root > by defaulṫ. > > A newer version of spamassassin (3.3.2-3, probably) will introduce a > debian-spamd user, and it's safe to run spamd as that user if desired.
In the upstream mailing-list, it is said that running spamassassin as root is bad for the security. The issue is that several users (including me) have complained that spamassassin touches the root account. A recall (a part of) the issue: Jun 11 11:48:58 joooj spamd[197569]: check: dns_block_rule RCVD_IN_VALIDITY_CERTIFIED_BLOCKED hit, creating /root/.spamassassin/dnsblock_sa-trusted.bondedsender.org (This means DNSBL blocked you due to too many queries. Set all affected rules score to 0, or use "dns_query_restriction deny sa-trusted.bondedsender.org" to disable queries) Jun 11 11:48:58 joooj spamd[197569]: check: dns_block_rule RCVD_IN_VALIDITY_RPBL_BLOCKED hit, creating /root/.spamassassin/dnsblock_bl.score.senderscore.com (This means DNSBL blocked you due to too many queries. Set all affected rules score to 0, or use "dns_query_restriction deny bl.score.senderscore.com" to disable queries) Jun 11 11:48:58 joooj spamd[197569]: check: dns_block_rule RCVD_IN_VALIDITY_SAFE_BLOCKED hit, creating /root/.spamassassin/dnsblock_sa-accredit.habeas.com (This means DNSBL blocked you due to too many queries. Set all affected rules score to 0, or use "dns_query_restriction deny sa-accredit.habeas.com" to disable queries) -- Vincent Lefèvre <[email protected]> - Web: <https://www.vinc17.net/> 100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/> Work: CR INRIA - computer arithmetic / Pascaline project (LIP, ENS-Lyon)

