ThinkTinker

Messing With My Head
 Post subject: Spamassassin Permissions
Posted: Tue Sep 13, 2011 1:03 pm
For the longest time I have been seeing errors such as the following in my maillog:
Code:
spamd[xxxx]: config: cannot write to /home/username/.spamassassion/user_prefs: Permission denied

... among other similar permission errors.

HINT: The primary clue is in the error message ... more on that, near the end of this message.

It was definitely a permissions problem, but not in the way you might think. This is actually a fairly common issue with Spamassassin admins because it looks like one kind of problem, but it turns out to be something a little different.

First, most admins look at the user's home directory to make sure everything 'belongs' to that user. Usually, everything DOES belong to that user.

Second, most admins look at whether Spamassassin is working, both that it is running and that it is parsing mail and scoring stuff. Usually, it is.

Third, most admins look at how Spamassassin is running, and frequently they don't know what to look for because the installation of Spamassassin creates a bunch of initialization files set up with common values ... and this is where the issue lies.

I found my fix when I tracked the spamd process back to its origins.

ps aux | grep spamd revealed to me that the spamd process was running as the user named 'spam'. This was set up during installation. The problem was that the user 'spam' is unprivileged ... it is a normal user ... so the spamd daemon did not have the correct authority to do its job.

I started tracking the user assignment in /etc/init.d/spamassassin, the init script created during installation, and saw that it included the following variable assignments:
Code:
SPAMDOPTIONS="-d -c -m5 -H"
SPAMD_PID=/var/run/spamd.pid

and execution command string:
Code:
daemon $NICELEVEL spamd $SPAMDOPTIONS -r $SPAMD_PID

Looks fine ... but my ps aux listing showed this:
Code:
root 4002 0.0 2.9 36056 30284 ? Ss /usr/bin/spamd -d -c -m5 -H --username spam -r /var/run/spamd.pid

First, note that the spamd binary is running as the user 'root', which is exactly what we want, and which was also set up during installation.

However, note the extra parameter (--username spam) in the initialization string. Hmmm ... where was that coming from? Undoubtedly this was the problem ... the Spamassassin daemon CHILD instances were running as the unprivileged user 'spam' because that was somehow being included in the startup parameters. But where?

How about in this file: /etc/sysconfig/spamassassin?

Bingo!

The only line in /etc/sysconfig/spamassassin read:
Code:
SPAMDOPTIONS="-d -c -m5 -H --username spam"

Clearly this file is being used to initialize the daemon's variables, overriding the variable assignment made in the init.d startup script.

I removed --username spam from /etc/sysconfig/spamassassin, restarted the daemon with service spamassassin restart and ... voila ... errors gone, and Spamassassin is happily writing prefs and other spammy goodness to the individual users' directories ... just as God intended.

The HINT, at the start of this message, refers to the start of the error message where it is indicated that the USER who is having problems is spamd. Since the CHILD processes all ran as unprivileged user spam, the HINT tells us that user spamd could not do what it wanted ... spam was not even in the equation. I should have recognized that this error was being generated by the DAEMON, and not by the process children. Directory permissions were irrelevant ... the issue was WHO was Spamassassin running as. The issue was solved by not specifying a user, and just letting Spamassassin switch identities as needed ... now my maillog includes entries such as:
Code:
spamd[xxxx]: spamd: setuid to user succeeded

Just right.
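
Added example, not part of the original post: a small shell helper that performs the trace described above, reading the SPAMDOPTIONS assignment from the init script and from the sysconfig file and reporting which one takes effect and which user, if any, it passes to spamd. It assumes the sysconfig value overrides the init script's default, as the post observed; the function names and the sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example: find which file supplies spamd's effective SPAMDOPTIONS.
# Assumption: a value set in the sysconfig file overrides the init script's.

# Print the last SPAMDOPTIONS value assigned in file $1 (nothing if absent).
spamd_opts_in() {
    [ -r "$1" ] || return 0
    sed -n 's/^[[:space:]]*SPAMDOPTIONS="\{0,1\}\([^"]*\)"\{0,1\}[[:space:]]*$/\1/p' "$1" |
        tail -n 1
}

# Print the user passed with -u/--username in option string $1, if any.
spamd_user_of() {
    set -- $1            # split the option string on whitespace
    while [ $# -gt 0 ]; do
        case $1 in
            -u|--username) echo "$2"; return 0 ;;
            --username=*)  echo "${1#--username=}"; return 0 ;;
        esac
        shift
    done
}

# $1 = init script, $2 = sysconfig file. Prints source, user and options.
spamd_effective() {
    opts=$(spamd_opts_in "$2"); src=$2
    if [ -z "$opts" ]; then
        opts=$(spamd_opts_in "$1"); src=$1
    fi
    user=$(spamd_user_of "$opts")
    echo "source=$src user=${user:-<none>} options=$opts"
}

# Constructed sample files holding the two assignments quoted in the post.
demo=$(mktemp -d)
printf '%s\n' 'SPAMDOPTIONS="-d -c -m5 -H"' 'SPAMD_PID=/var/run/spamd.pid' > "$demo/init"
printf '%s\n' 'SPAMDOPTIONS="-d -c -m5 -H --username spam"' > "$demo/sysconfig"
spamd_effective "$demo/init" "$demo/sysconfig"
# On a live host: spamd_effective /etc/init.d/spamassassin /etc/sysconfig/spamassassin
```

Comparing the reported options with the command line shown by ps aux | grep spamd confirms which file the running daemon was actually started from.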


= = = IMPORTANT COPYRIGHT INFORMATION = = =

Original content is Copyright ©2004-2011 by James Butler. All rights reserved.
ThinkTinker is a trademark protected under United States trademark law.
