Gene Heskett wrote:

> On Thursday 18 December 2008, Kai Schaetzl wrote:
>> Gene Heskett wrote on Thu, 18 Dec 2008 15:13:28 -0500:
>>> Following the above tut, step 2 fails as root owns the /etc/mail tree, and
>>> the user running SA has no perms. What should the owner/group actually be
>>> for that? I changed it to $user:mail and that seemed to fix it.
>> I assume you are not using sendmail then?
>
> Yes, AFAIK I am.
>
>> As you import this key only once I'd rather do that step as root. Then it
>> requires root for changing it as well - which I think is good.
>>
>>> Now however, I find other spamassassin trees (like /usr/share/spamassassin
>>> where all these .cf files live) are also owned by root, can I just chown
>>> them to that user:mail too?
>> sa-update does not write to this directory, so you can ignore that. But you
>> will see problems with writing to /var/lib/spamassassin I suppose. I'm
>> running sa-update as root, don't know what others are doing.
>
> All well and good I presume, but that is also conflicting advice re security.
> I do ALL my mail fetching and spamassassin stuff as an unprivileged user
> clear up to dumping it into a mailfile in /var/mail/$user.
>
If you run sa-update as the user which scans mail, then any vulnerability in SA will allow an attacker to modify your rules and/or keys (remember that SA parses mail received from the untrusted network). If you want to run sa-update as an unprivileged user, then create a specific account (say "saupdate") and make it own /var/lib/spamassassin and the keys directory. You can make the latter a subdirectory of /var/lib/spamassassin using --gpghomedir.

> Then as root, I suck that $user file into kmail and sort it to the
> appropriate folders. Which is why, when I do an sa-learn session, I first
> pick up the stuff I as root have dropped in the spam directory, copy it to
> that user's scratchpad, chown it to that user, run sa-learn against that,
> so that there are no clashes in ownership. Once sa-learn is finished with
> it, it gets nuked till the next day's crontab launched repeat.
>
> You mentioned /var/lib/spamassassin. It is currently owned by root and
> empty. Maybe that explains why I feed this viagra crap 20 x a day to
> sa-learn and it doesn't seem to? What should I do to populate that if it's
> needed after I chown it to $user:mail?
>

/var/lib/spamassassin is used for rules that you get via sa-update. It is not used by sa-learn.
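An added example, not code from the thread, spelling out the layout the reply recommends: a dedicated account ("saupdate") owns /var/lib/spamassassin and a key ring kept as a subdirectory via --gpghomedir, so the user that scans untrusted mail can read the rules but never write them. Assumed: Linux with GNU stat and useradd, /usr/sbin/nologin as the no-login shell, and "sa-update-keys" as the subdirectory name.

```shell
#!/bin/sh
# Added example (not from the thread). Separate the account that updates
# rules from the account that scans mail, as the reply suggests.
# Assumptions: GNU coreutils/shadow-utils, /usr/sbin/nologin exists,
# key ring subdirectory named "sa-update-keys".
RULES_DIR="${RULES_DIR:-/var/lib/spamassassin}"
UPDATE_USER="${UPDATE_USER:-saupdate}"
KEYS_DIR="$RULES_DIR/sa-update-keys"

# One-time setup, run as root.
setup_update_account() {
    useradd --system --home-dir "$RULES_DIR" --shell /usr/sbin/nologin "$UPDATE_USER"
    mkdir -p "$KEYS_DIR"
    chown -R "$UPDATE_USER:$UPDATE_USER" "$RULES_DIR"
    chmod 755 "$RULES_DIR"   # scanner reads rules; only saupdate writes
    chmod 700 "$KEYS_DIR"    # update key ring is private to the updater
    # Import the rules-signing key into that ring, as saupdate, once:
    # su -s /bin/sh "$UPDATE_USER" -c "sa-update --gpghomedir '$KEYS_DIR' --import GPG.KEY"
}

# Daily job from root's crontab: drop to the update account before fetching.
run_update() {
    su -s /bin/sh "$UPDATE_USER" -c "sa-update --gpghomedir '$KEYS_DIR'"
}

# Check that a rules directory follows the model: owned by the update
# account and writable by nobody else (no group or world write bit), so a
# compromised scanner cannot alter rules. Returns 0 if so, 1 otherwise.
check_rules_dir() {
    dir="$1"; want_owner="$2"
    owner=$(stat -c %U "$dir" 2>/dev/null) || return 1
    mode=$(stat -c %a "$dir" 2>/dev/null) || return 1
    [ "$owner" = "$want_owner" ] || return 1
    case "$mode" in
        *[2367][0-7]) return 1 ;;   # group write bit set
        *[2367])      return 1 ;;   # world write bit set
    esac
    return 0
}
```

Run check_rules_dir "$RULES_DIR" "$UPDATE_USER" from the same cron job to catch a chown or chmod that quietly hands write access back to the scanning user.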