On Mon, Dec 18, 2006 at 12:42:29PM -0600, Vijay Sankar wrote:
> On Mon, 2006-18-12 at 18:29 +0100, Joachim Schipper wrote:
> > On Sun, Dec 17, 2006 at 09:18:45PM -0600, Vijay Sankar wrote:
> > > Yes, /var/dspam/data was already there after I installed the package (I
> > > am not using -current, just OpenBSD 4.0 from the CD and packages from
> > > mirror.arcticnet.ca.
> > >
> > > In case there is a better way than doing chmod 2771, please do let me
> > > know. Here is the output from ls -laR /var/dspam. The reason
> > > why /var/spam/data/vsankar and /var/dspam/system.log has 2777 is because
> > > I couldn't get the system statistics and quarantine information from the
> > > dspam.cgi program without opening that up.
> >
> > Having permissions 2771 on /var/dspam/<something> is fine; I was
> > referring to having 2755 on /usr/bin/dspam, as you posted before
> > (http://marc.theaimsgroup.com/?l=openbsd-misc&m=116632875008340&w=2).
> > However, this seems to be by design; while I'd still argue it is a bad
> > idea, I thought you had tried to do that just to get stuff working, and
> > that's not a very good idea.
> >
> > (In other words, time for me to do some actual research before replying.
> > Sorry!)
>
> Thanks very much for that clarification. I am still trying to reduce the
> permissions and tried making /var/dspam and subdirectories 755 as you
> suggested but it did not work. Without at least 775 on /var/dspam/data,
> the stats file and log file don't get updated. So I am going back to
> 2771 for the data directories.

Okay, that's sensible.

> > > Also, there is still one final problem. If user vsankar (unprivileged
> > > account) uses the dspam.cgi program and decides to reclassify a message
> > > already classified as spam by dspam, I get the following error
> > > in /var/log/maillog
> > >
> > > Dec 17 09:38:37 mx1 dspam[8781]: Delivery agent returned exit code
> > > 1: /usr/libexec/mail.local -d vsankar
> > > Dec 17 09:38:38 mx1 mail.local: may only be run by the superuser
> >
> > Ah, sendmail. I'm afraid I can't help you there; I've been using postfix
> > for as long as I know what an MTA is.
> >
> > You could try using something like plain sendmail, or procmail, or
> > maildrop, although I don't know what would be considered the proper way
> > to do this.
>
> I tried procmail but that introduces other problems as far as dspam.cgi
> is concerned. So I went back to mail.local as the LDA.

Okay, I can't really help any more here.

> > > For now, I am thinking of avoiding using the dspam.cgi altogether and
> > > just moving the vsankar.mbox quarantine file into /home/vsankar/mail and
> > > accessing it through my webmail client if I ever want to reclassify
> > > email. But it would be nice to be able to do a "Deliver Checked" from
> > > the dspam.cgi interface.
> >
> > I'll admit to being out of my depth here; I've looked at the dspam
> > documentation, but I've never actually installed it, and my e-mail
> > architecture is quite a little different from yours anyway (for one,
> > dspam should reinject mail into postfix... so I never get to mess with
> > local delivery agents, and it's far more likely I can get away with
> > non-suid dspam).
> >
> > > mx1# ls -laR /var/dspam
> > > total 104
> > > 4 drwxrws--x 3 _dspam _dspam 512 Dec 16 19:18 .
> > > 4 drwxr-xr-x 27 root wheel 512 Dec 16 14:33 ..
> > > 4 drwxrws--x 7 _dspam _dspam 512 Dec 16 16:49 data
> > > 88 -rwxrwxrwx 1 _dspam _dspam 43199 Dec 17 20:45 system.log
> > >
> > > /var/dspam/data:
> > > total 28
> > > 4 drwxrws--x 7 _dspam _dspam 512 Dec 16 16:49 .
> > > 4 drwxrws--x 3 _dspam _dspam 512 Dec 16 19:18 ..
> > > 4 drwxrws--x 2 _dspam _dspam 512 Dec 16 16:06 root
> > > 4 drwxrwsrwx 2 _dspam _dspam 512 Dec 17 09:55 vsankar
> > >
> > > /var/dspam/data/root:
> > > total 60
> > > 4 drwxrws--x 2 _dspam _dspam 512 Dec 16 16:06 .
> > > 4 drwxrws--x 7 _dspam _dspam 512 Dec 16 16:49 ..
> > > 36 -rwxrws--x 1 _dspam _dspam 17276 Dec 17 01:30 root.log
> > > 12 -rwxrws--x 1 _dspam _dspam 4130 Dec 16 16:22 root.mbox
> > > 4 -rwxrws--x 1 _dspam _dspam 13 Dec 17 01:30 root.stats
> >
> > Why the 'x' permission?
>
> I am really not sure. If I don't do a chmod -R 2771 on /var/dspam a
> variety of things break. I tried 660 and got the permissions problem
> when retraining, with 770 dspam.cgi did not provide stats and history
> information, with 771 email doesn't get quarantined in vsankar.mbox.
> chmod -R 2771 solves all these problems, possibly by introducing new
> problems that I am not aware of :( Anyways, can't figure out why x is
> needed. I even tried mounting /var/dspam with no nosuid in /etc/fstab.
> It did not make a difference.

I presume you are aware of the different interpretation of the 'x' bit
on directories (access) and files (execute)? You'll need it on
directories, but almost certainly not on files.

However, I really hope someone else has more clue about sendmail+dspam;
you might want to ask on the dspam list if no-one else turns up soon.

		Joachim
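
Added example, not part of the original message or of dspam: POSIX shell functions for the directory/file distinction described in the reply above, which audit a tree for execute bits on regular files and for world-writable entries, then apply separate modes to directories and files instead of a single chmod -R. The function names, the constructed sample tree and the 660 file mode are assumptions; the thread does not establish which file mode dspam.cgi and mail.local actually need.

```shell
#!/bin/sh
# Added example; names, sample tree and the 660 file mode are assumptions.

# Regular files carrying any execute bit. Data files (*.log, *.mbox,
# *.stats) are never executed, so 'x' on them is unnecessary.
audit_exec_files() {
    find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) -print
}

# Files and directories writable by every local user (o+w).
audit_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -002 -print
}

# Separate modes instead of one "chmod -R": directories keep 'x' (search)
# and setgid (new files inherit the group); files get no execute bits.
split_chmod() {
    root=$1 dir_mode=${2:-2771} file_mode=${3:-660}
    find "$root" -type d -exec chmod "$dir_mode" {} +
    find "$root" -type f -exec chmod "$file_mode" {} +
}

# Constructed sample tree, loosely modelled on the listing in the thread.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/data/root" "$t/data/vsankar"
    : > "$t/system.log"
    : > "$t/data/root/root.mbox"
    chmod 777 "$t/system.log" "$t/data/vsankar"
    chmod 771 "$t" "$t/data" "$t/data/root" "$t/data/root/root.mbox"
    echo "$t"
}

# Run as: sh script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tree=$(make_sample_tree)
    echo "files with execute bits:"; audit_exec_files "$tree"
    echo "world-writable entries:";  audit_world_writable "$tree"
    split_chmod "$tree"
    echo "after split_chmod:"; audit_exec_files "$tree"; audit_world_writable "$tree"
    rm -rf "$tree"
fi
```

On a real tree, run the two audit functions first and review what they list before calling split_chmod.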