On Friday 19 December 2008, mouss wrote:
> Gene Heskett wrote:
>> On Thursday 18 December 2008, Kai Schaetzl wrote:
>>> Gene Heskett wrote on Thu, 18 Dec 2008 15:13:28 -0500:
>>>> Following the above tut, step 2 fails as root owns the /etc/mail tree,
>>>> and the user running SA has no perms. What should the owner/group
>>>> actually be for that? I changed it to $user:mail and that seemed to fix
>>>> it.
>>>
>>> I assume you are not using sendmail then?
>>
>> Yes, AFAIK I am.
>>
>>> As you import this key only once I'd rather do that step as root. Then
>>> it requires root for changing it as well - which I think is good.
>>>
>>>> Now however, I find other spamassassin trees (like
>>>> /usr/share/spamassassin where all these .cf files live) are also owned
>>>> by root, can I just chown them to that user:mail too?
>>>
>>> sa-update does not write to this directory, so you can ignore that. But
>>> you will see problems with writing to /var/lib/spamassassin I suppose.
>>> I'm running sa-update as root, don't know what others are doing.
>>
>> All well and good I presume, but that is also conflicting advice re
>> security. I do ALL my mail fetching and spamassassin stuff as an
>> unprivileged user clear up to dumping it into a mailfile in
>> /var/mail/$user.
>
> if you run sa-update as the user which scans mail, then any
> vulnerability in SA will allow an attacker to modify your rules and/or
> keys (remember that SA parses mail received from the untrusted network).
>
> if you want to run sa-update as an unprivileged user, then create a
> specific account (say "saupdate") and make it own /var/lib/spamassassin
> and the keys directory. you can make the latter a sub directory of
> /var/lib/spamassassin using --gpghomedir.
>
>> Then as root, I suck that $user file into kmail and sort it to the
>> appropriate folders. Which is why, when I do an sa-learn session, I first
>> pick up the stuff I as root have dropped in the spam directory, copy it to
>> that user's scratchpad, chown it to that user, run sa-learn against that,
>> so that there are no clashes in ownership. Once sa-learn is finished with
>> it, it gets nuked till the next day's crontab-launched repeat.
>>
>> You mentioned /var/lib/spamassassin. It is currently owned by root and
>> empty. Maybe that explains why I feed this viagra crap 20 x a day to
>> sa-learn and it doesn't seem to? What should I do to populate that if it's
>> needed after I chown it to $user:mail?
>
> /var/lib/spamassassin is used for rules that you get via sa-update. it
> is not used by sa-learn.
Stumbling around in the dark, I created that user, and chowned the
/var/lib/spamassassin directory to that user:mail, made saupdate a member of
group mail. The key import complained about unsafe perms of
/var/lib/spamassassin, but did import the keys I think:

/var/lib/spamassassin:
total 40
drwxr-xr-x  2 saupdate mail     4096 2008-12-19 08:26 .
drwxr-xr-x 39 root     root     4096 2008-12-19 00:22 ..
-rw-------  1 saupdate saupdate 2783 2008-12-19 08:26 pubring.gpg
-rw-------  1 saupdate saupdate    0 2008-12-19 08:26 pubring.gpg~
-rw-------  1 saupdate saupdate    0 2008-12-19 08:26 secring.gpg
-rw-------  1 saupdate saupdate 1200 2008-12-19 08:26 trustdb.gpg

But now 'su saupdate -c "sa-update --gpghomedir /var/lib/spamassassin"'
returns:

[r...@coyote saupdate]# su saupdate -c "sa-update --gpghomedir /var/lib/spamassassin"
gpg: WARNING: unsafe permissions on homedir `/var/lib/spamassassin'

However, it did seem to do it, and do it nearly instantly, as I now have the
full menu of .cf files present in that /var/lib/spamassassin directory. All
dated today.

I just checked /usr/share/spamassassin, and root:root owns all of those .cf
files, which doesn't seem correct to me. Is that correct/ok?

Now it looks like I have 2 more questions:

1. How do I fix the permissions that gpg is fussing about?

2. And what do I do to my /etc/init.d/spamassassin script so it will use the
newly fetched .cf files instead of the ones in /usr/share/spamassassin?

FWIW the user who runs fetchmail/procmail is also a member of group 'mail'.

Running spamassassin -D --lint as this new user gets a higher score for the
test message than I get when running it as the current user does.

As the user saupdate:
[...]
[12840] dbg: check: is spam? score=4.205 required=5
[12840] dbg: check: tests=MISSING_DATE,MISSING_HEADERS,MISSING_SUBJECT,NO_RECEIVED,NO_RELAYS
[12840] dbg: check: subtests=__HAS_MSGID,__MISSING_REF,__MSGID_OK_DIGITS,__MSGID_OK_HOST,__MSOE_MID_WRONG_CASE,__NONEMPTY_BODY,__SANE_MSGID,__TVD_BODY,__UNUSABLE_MSGID

As the user gene:
[12861] dbg: check: is spam? score=3.79 required=5
[12861] dbg: check: tests=BAYES_40,MISSING_DATE,MISSING_HEADERS,MISSING_SUBJECT,NO_RECEIVED,NO_RELAYS
[12861] dbg: check: subtests=__HAS_MSGID,__MISSING_REF,__MSGID_OK_DIGITS,__MSGID_OK_HOST,__MSOE_MID_WRONG_CASE,__NONEMPTY_BODY,__SANE_MSGID,__TVD_BODY,__UNUSABLE_MSGID

The diff being BAYES_40 apparently.

Thanks for any more guidance, I feel like I need a white cane at this point. :)

-- 
Cheers, Gene
"There are four boxes to be used in defense of liberty: soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
It doesn't matter what you do, it only matters what you say you've done and what you're going to do.
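The "unsafe permissions on homedir" warning in the message above comes from the directory listing it shows: gpg refuses to trust a homedir that is group- or world-accessible (drwxr-xr-x), and the dedicated-account setup mouss describes only isolates the keys from the mail-scanning user if nobody else can read or write that directory. The following shell functions are an added example, not code from the list thread or from the SpamAssassin project; they tighten a gpg homedir to owner-only (0700) with 0600 keyrings and verify the result. The account name "saupdate" and the path /var/lib/spamassassin are taken from the thread; the function names and the test directory are assumptions for illustration.

```shell
# Added example (not from the thread or the SpamAssassin project).
# Assumption: gpg warns because /var/lib/spamassassin is mode 755; an
# owner-only directory (0700) with 0600 keyring files clears the warning.

# Octal mode of a path (GNU stat first, BSD stat as a fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Numeric uid of a path's owner (GNU stat first, BSD stat as a fallback).
owner_uid_of() {
    stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1"
}

# Returns 0 if the homedir is owner-only AND owned by the calling user,
# which is what gpg expects before it stops complaining; 1 otherwise.
gpg_homedir_is_safe() {
    [ "$(mode_of "$1")" = "700" ] && [ "$(owner_uid_of "$1")" = "$(id -u)" ]
}

# Tighten the homedir (0700) and its keyrings (0600), then re-check.
# Ownership is deliberately not changed here: run this as the account that
# should own the directory (the thread's "saupdate"), or chown first as root.
fix_gpg_homedir() {
    dir="$1"
    [ -d "$dir" ] || return 1
    chmod 700 "$dir"
    for f in "$dir"/*.gpg "$dir"/*.gpg~; do
        if [ -f "$f" ]; then
            chmod 600 "$f"
        fi
    done
    gpg_homedir_is_safe "$dir"
}

# Usage against the thread's layout (hypothetical file name for this script;
# run as root, assuming the saupdate account already exists):
#   chown saupdate:mail /var/lib/spamassassin
#   su saupdate -c '. ./fix_gpg_homedir.sh; fix_gpg_homedir /var/lib/spamassassin'
#   su saupdate -c "sa-update --gpghomedir /var/lib/spamassassin"
```

The check runs as the same user that will call sa-update, because gpg compares the homedir's owner with the effective uid; fixing the mode as root while the directory is still root-owned would leave the warning in place for saupdate.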