[Gllug] spamassassin question

Bruce Richardson itsbruce at workshy.org
Sat May 3 12:38:35 UTC 2008 

On Sat, May 03, 2008 at 12:09:39PM +0100, Adrian wrote:
> Since I upgrade my server to Ubuntu 8.04, the Bayesian filtering on
> spamassassin hasn't been working - I think because I run as user foo but
> the daemon insists on trying to use the .spamassassin directories of the
> individual mail recipients
> 
> I have tried setting --helper-home-dir to /home/foo but the daemon still
> logs things like - 
> 
> May  3 12:04:29 dragoneye spamd[14497]: spamd: creating default_prefs: /home/adrianmail/.spamassassin/user_prefs 
> May  3 12:04:29 dragoneye spamd[14497]: config: cannot write to /home/adrianmail/.spamassassin/user_prefs: Permission denied 
> May  3 12:04:29 dragoneye spamd[14497]: spamd: failed to create readable default_prefs: /home/adrianmail/.spamassassin/user_prefs 
> 

This seems fairly clear; spamd is running as a user which does not have
sufficient access to create directories in the user home directories.
You could "fix" this by running spamd as root but that makes your system
significantly more insecure; any security vulnerability in spamd then
becomes a root exploit.  The safest way to fix this, I think, would be
to create a special directory to hold per-user spamassassin configs; it
should be possible, with the right combination of group membership and
file permissions, to allow both spamd and the users to access the config
files.

If this box is only used for user mail and they don't have shell access,
then an intermediately secure (and easier) fix is to give the mail group
write access to all the home directories.  This doesn't expose you to
root exploits but does mean that spamd could nuke all user mail, either
by accident or through abuse of a vulnerability.

Of course, if you don't actually need per-user spamassassin configs then
just turn the feature off.

-- 
Bruce

Bitterly it mathinketh me, that I spent mine wholle lyf in the lists
against the ignorant.  -- Roger Bacon, "Doctor Mirabilis"
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 196 bytes
Desc: Digital signature
URL: <http://mailman.lug.org.uk/pipermail/gllug/attachments/20080503/e23db00e/attachment.pgp>
-------------- next part --------------
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug

More information about the GLLUG mailing list