Posted to users@spamassassin.apache.org by Robert S <ro...@gmail.com> on 2006/11/20 11:03:07 UTC

FuzzyOcrPlugin hashdb permissions

I've installed this FuzzyOcrPlugin on two machines (debian and
gentoo).  Everything works fine on the gentoo box, but on the debian
box I get the following in the error log:

[2006-11-20 04:06:11] Unable to open/create Image Hash database at
"/usr/local/var/FuzzyOcr/FuzzyOcr.hashdb", check permissions.
[2006-11-20 07:17:15] Unable to open/create Image Hash database at
"/usr/local/var/FuzzyOcr/FuzzyOcr.hashdb", check permissions.

The recipients of the mail are all in the "users" group.

Relevant config file:

focr_enable_image_hashing 1
focr_digest_db /usr/local/var/FuzzyOcr/FuzzyOcr.hashdb
focr_hashing_learn_scanned 1

Permissions on both machines:

ls -l /usr/local/var
drwxrwsr-x  2 root users 80 Nov 20 07:34 FuzzyOcr

and

$ ls -l /usr/local/var/FuzzyOcr/FuzzyOcr.hashdb
-rwxrwxr-x  1 root users 499 Nov 20 14:29
/usr/local/var/FuzzyOcr/FuzzyOcr.hashdb

I can fix this by doing "chmod 777" to the hashdb, but it's bad
practice to have world-writable files and I'd like to avoid it.

Am I doing something obviously wrong here??

Re: FuzzyOcrPlugin hashdb permissions

Posted by Thiago LPS <th...@gmail.com>.
I'm sorry... do this to see the user that runs spamd

ps -ef | grep spamd

spamd    28758  8610  0 09:16 ?        00:00:11 spamd child
spamd    11309  8610 10 09:17 ?        00:02:28 spamd child
spamd    10151  8610 11 09:17 ?        00:02:39 spamd child


If you read the docs you will see that user root only starts the service..
and any other task is done with the spamd user (default)

Try to set the permission to the spamd user..
If it doesn't exist... try to create and restart the service



On 11/20/06, Robert S <ro...@gmail.com> wrote:
> > you must set the permission to spamd user
> >
> > ps awx | grep spamd
> >
> > and see the user that runs spamd
>
> $ ps aux | grep spamd
> root     29902  0.0  6.9 33740 31400 ?       Ss   18:31   0:11
> /usr/sbin/spamd --create-prefs --max-children 5 --helper-home-dir -d
> --pidfile=/var/run/spamd.pid
> root     29907  0.0  7.5 36476 34228 ?       S    18:31   0:15 spamd child
>
> >
> > so.. set the permission to this user...
> >
>
> I don't think that's right - otherwise root could write to any file.
> Maybe this line is relevant:
>
> Nov 20 21:49:57 debian spamd[29908]: connection from localhost
> [127.0.0.1] at port 54761
> Nov 20 21:49:57 debian spamd[29908]: info: setuid to XXXX succeeded
>
> .. However, if I make the file writable by any member of the group
> that XXXX belongs to, I get the error message.
>


-- 
--------------------------------------------------
Thiago LPS
C.E.S.A.R - Administrador de Sistemas
msn: thiago.lps@gmail.com
0xx 81 8735 2591
--------------------------------------------------

Re: FuzzyOcrPlugin hashdb permissions

Posted by Robert S <ro...@gmail.com>.
> you must set the permission to spamd user
>
> ps awx | grep spamd
>
> and see the user that runs spamd

$ ps aux | grep spamd
root     29902  0.0  6.9 33740 31400 ?       Ss   18:31   0:11
/usr/sbin/spamd --create-prefs --max-children 5 --helper-home-dir -d
--pidfile=/var/run/spamd.pid
root     29907  0.0  7.5 36476 34228 ?       S    18:31   0:15 spamd child

>
> so.. set the permission to this user...
>

I don't think that's right - otherwise root could write to any file.
Maybe this line is relevant:

Nov 20 21:49:57 debian spamd[29908]: connection from localhost
[127.0.0.1] at port 54761
Nov 20 21:49:57 debian spamd[29908]: info: setuid to XXXX succeeded

.. However, if I make the file writable by any member of the group
that XXXX belongs to, I get the error message.

Re: FuzzyOcrPlugin hashdb permissions

Posted by Thiago LPS <th...@gmail.com>.
you must set the permission to spamd user

ps awx | grep spamd

and see the user that runs spamd

so.. set the permission to this user...

:D



On 11/20/06, Robert S <ro...@gmail.com> wrote:
> I've installed this FuzzyOcrPlugin on two machines (debian and
> gentoo).  Everything works fine on the gentoo box, but on the debian
> box I get the following in the error log:
>
> [2006-11-20 04:06:11] Unable to open/create Image Hash database at
> "/usr/local/var/FuzzyOcr/FuzzyOcr.hashdb", check permissions.
> [2006-11-20 07:17:15] Unable to open/create Image Hash database at
> "/usr/local/var/FuzzyOcr/FuzzyOcr.hashdb", check permissions.
>
> The recipients of the mail are all in the "users" group.
>
> Relevant config file:
>
> focr_enable_image_hashing 1
> focr_digest_db /usr/local/var/FuzzyOcr/FuzzyOcr.hashdb
> focr_hashing_learn_scanned 1
>
> Permissions on both machines:
>
> ls -l /usr/local/var
> drwxrwsr-x  2 root users 80 Nov 20 07:34 FuzzyOcr
>
> and
>
> $ ls -l /usr/local/var/FuzzyOcr/FuzzyOcr.hashdb
> -rwxrwxr-x  1 root users 499 Nov 20 14:29
> /usr/local/var/FuzzyOcr/FuzzyOcr.hashdb
>
> I can fix this by doing "chmod 777" to the hashdb, but it's bad
> practice to have world-writable files and I'd like to avoid it.
>
> Am I doing something obviously wrong here??
>


-- 
--------------------------------------------------
Thiago LPS
C.E.S.A.R - Administrador de Sistemas
msn: thiago.lps@gmail.com
0xx 81 8735 2591
--------------------------------------------------

Re: FuzzyOcrPlugin hashdb permissions

Posted by Robert S <ro...@gmail.com>.
> And you have added all the users, that need access to the users group in
> /etc/group?
>
> IE your /etc/group file contains a line like:
> users:x:100:user1,user2,user3,user4,useretc

Yes.

>
> If so, then it is spamassassin that does not switch the user context
> correctly.
>

It looks a bit like it.  I've just installed a newer version of SA
from backports.org.  Trouble is that other tests seem to pick up spam
before FOCR is invoked.  I've tried increasing focr_autodisable_score
- I'll have a look in the morning.

RE: FuzzyOcrPlugin hashdb permissions

Posted by Sietse van Zanen <si...@wizdom.nu>.
And you have added all the users, that need access to the users group in /etc/group?

IE your /etc/group file contains a line like:
users:x:100:user1,user2,user3,user4,useretc

If so, then it is spamassassin that does not switch the user context correctly.

-Sietse



From: Robert S
Sent: Tue 21-Nov-06 13:17
To: users@spamassassin.apache.org
Subject: Re: FuzzyOcrPlugin hashdb permissions


> AFAIK you do not need to set the primary group for all your users to
> 'users'. Just add them to the 'users' group in /etc/group. Or better yet,
> create a separate group (eg. mail_users) for it and assign write permissions
> to that group.

I always thought that was the case, but it just doesn't work that way.
 As I indicated above - when I set the permissions

-rwxrwxr-x root:users /usr/local/var/FuzzyOcr/FuzzyOcr.hashdb

I get a "permission denied" error.  I agree it should work.

Both of my distros run spamd as root and change permissions to the
recipient of the message, when spamc runs through procmail.  Here is
part of my .procmailrc (on both machines):

$ cat /etc/procmailrc

DROPPRIVS=yes

:0fw: spamassassin.lock
* < 256000
| /usr/bin/spamc

Is there something here that can be changed??

Re: FuzzyOcrPlugin hashdb permissions

Posted by Robert S <ro...@gmail.com>.
> AFAIK you do not need to set the primary group for all your users to
> 'users'. Just add them to the 'users' group in /etc/group. Or better yet,
> create a separate group (eg. mail_users) for it and assign write permissions
> to that group.

I always thought that was the case, but it just doesn't work that way.
 As I indicated above - when I set the permissions

-rwxrwxr-x root:users /usr/local/var/FuzzyOcr/FuzzyOcr.hashdb

I get a "permission denied" error.  I agree it should work.

Both of my distros run spamd as root and change permissions to the
recipient of the message, when spamc runs through procmail.  Here is
part of my .procmailrc (on both machines):

$ cat /etc/procmailrc

DROPPRIVS=yes

:0fw: spamassassin.lock
* < 256000
| /usr/bin/spamc

Is there something here that can be changed??

RE: FuzzyOcrPlugin hashdb permissions

Posted by Sietse van Zanen <si...@wizdom.nu>.
AFAIK you do not need to set the primary group for all your users to 'users'. Just add them to the 'users' group in /etc/group. Or better yet, create a separate group (eg. mail_users) for it and assign write permissions to that group.
You can add the users to that group, by using the correct syntax for the useradd command (eg. -G adds users to secondary groups).

-Sietse



From: Robert S
Sent: Mon 20-Nov-06 22:26
To: users@spamassassin.apache.org
Subject: Re: FuzzyOcrPlugin hashdb permissions


I might add that spamc is called from procmail, so it runs with the
permissions of the user receiving the message.  I should have pointed
this out earlier.

> Make the directory world writeable and remove the databases. New ones will
> be created with the user that spamd runs under. Then you can set the
> permissions straight.

I can see the problem now.  The file is written by username:username
because the primary group in debian is set to "username" - the group
is not "users" as I'd like it to be (as it is on my gentoo box).  I
could fix this up by making "users" the primary group for all users,
but that might cause other problems.  AFAICS I'll need to make the
hash db chmod 666.  Presumably if it's not executable it shouldn't be a
security risk??

> And making db files executable does not seem like such a good idea to me.
> Use  CHMOD 664 or 660.

Point taken.

Re: FuzzyOcrPlugin hashdb permissions

Posted by Thiago LPS <th...@gmail.com>.
Here my FuzzyOCR runs with spamd (the daemon of spamassassin)
and the default user that runs it is the user spamd

-rw-r--r--  1 spamd spamd 433905 Nov 21 08:51 FuzzyOcr.hashdb

my FuzzyOcr.hashdb is set to user spamd

and all works fine... :)


On 11/20/06, Robert S <ro...@gmail.com> wrote:
> I might add that spamc is called from procmail, so it runs with the
> permissions of the user receiving the message.  I should have pointed
> this out earlier.
>
> > Make the directory world writeable and remove the databases. New ones will
> > be created with the user that spamd runs under. Then you can set the
> > permissions straight.
>
> I can see the problem now.  The file is written by username:username
> because the primary group in debian is set to "username" - the group
> is not "users" as I'd like it to be (as it is on my gentoo box).  I
> could fix this up by making "users" the primary group for all users,
> but that might cause other problems.  AFAICS I'll need to make the
> hash db chmod 666.  Presumably if it's not executable it shouldn't be a
> security risk??
>
> > And making db files executable does not seem like such a good idea to me.
> > Use  CHMOD 664 or 660.
>
> Point taken.
>


-- 
--------------------------------------------------
Thiago LPS
C.E.S.A.R - Administrador de Sistemas
msn: thiago.lps@gmail.com
0xx 81 8735 2591
--------------------------------------------------

Re: FuzzyOcrPlugin hashdb permissions

Posted by Robert S <ro...@gmail.com>.
I might add that spamc is called from procmail, so it runs with the
permissions of the user receiving the message.  I should have pointed
this out earlier.

> Make the directory world writeable and remove the databases. New ones will
> be created with the user that spamd runs under. Then you can set the
> permissions straight.

I can see the problem now.  The file is written by username:username
because the primary group in debian is set to "username" - the group
is not "users" as I'd like it to be (as it is on my gentoo box).  I
could fix this up by making "users" the primary group for all users,
but that might cause other problems.  AFAICS I'll need to make the
hash db chmod 666.  Presumably if it's not executable it shouldn't be a
security risk??

> And making db files executable does not seem like such a good idea to me.
> Use  CHMOD 664 or 660.

Point taken.
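
Added example (not part of the original thread, and not SpamAssassin or FuzzyOcr code): a model of the POSIX write check applied to the root:users hashdb discussed above, comparing a process that carries the recipient's supplementary groups with one that carries only the primary group after setuid. The UID/GID numbers are constructed, and the idea that supplementary groups were missing is an assumption used for illustration; the thread does not confirm the cause.

```python
import stat

def access_class(owner_uid, group_gid, proc_uid, proc_gids):
    """Pick the single permission class POSIX applies: owner, group or other."""
    if proc_uid == owner_uid:
        return "owner"      # owner bits apply even if group/other would allow more
    if group_gid in proc_gids:
        return "group"
    return "other"

def can_write(mode, owner_uid, group_gid, proc_uid, proc_gids):
    """Model the write check for a regular file (ignores ACLs and capabilities)."""
    if proc_uid == 0:       # root bypasses the mode bits entirely
        return True
    bit = {"owner": stat.S_IWUSR, "group": stat.S_IWGRP, "other": stat.S_IWOTH}
    return bool(mode & bit[access_class(owner_uid, group_gid, proc_uid, proc_gids)])

def world_writable(mode):
    """True when any local account could modify the file."""
    return bool(mode & stat.S_IWOTH)

# Constructed IDs: the hashdb is owned by root:users as in the thread's ls output.
ROOT_UID, USERS_GID = 0, 100
RCPT_UID, RCPT_GID = 1000, 1000          # Debian-style per-user primary group

FULL_GROUPS = {RCPT_GID, USERS_GID}      # supplementary groups initialised
PRIMARY_ONLY = {RCPT_GID}                # assumed: only the primary group is set

def report():
    """For each mode from the thread: (mode, write with full groups,
    write with primary group only, world-writable)."""
    rows = []
    for mode in (0o775, 0o664, 0o660, 0o666, 0o777):
        rows.append((
            oct(mode),
            can_write(mode, ROOT_UID, USERS_GID, RCPT_UID, FULL_GROUPS),
            can_write(mode, ROOT_UID, USERS_GID, RCPT_UID, PRIMARY_ONLY),
            world_writable(mode),
        ))
    return rows

if __name__ == "__main__":
    print("mode    full-groups  primary-only  world-writable")
    for mode, full, primary, ww in report():
        print(f"{mode:<7} {str(full):<12} {str(primary):<13} {ww}")
```

Comparing `id` output for the recipient with the `Groups:` line in `/proc/<pid>/status` of the spamd child shows which of the two cases a running system is in.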