You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@spamassassin.apache.org by Christian Dysthe <cd...@gmail.com> on 2013/07/15 15:16:53 UTC

Running as root.

Hi,

Spamassassin runs fine but I have one remaining error message in the logs:

 spamd: still running as root: user not specified with -u

I have looked around trying to figure out what to do about this but no
luck so far. Maybe someone here could let me know how to fix this? I'm
running Ubuntu Server Edition 12.04 LTS x64 with Spamassassin
installed from the repos/

--
//Christian

Re: Running as root.

Posted by Benny Pedersen <me...@junc.eu>.

Axb skrev den 2013-07-15 15:35:

>> spamd: still running as root: user not specified with -u
> as per ye ole SA docs on
>
> http://spamassassin.apache.org/doc.html
>
> http://spamassassin.apache.org/full/3.3.x/doc/spamd.html
>
> -u username, --username=username  Run as username

hopefully ubuntu maintainers takes note

Re: Running as root.

Posted by Axb <ax...@gmail.com>.

On 07/15/2013 03:16 PM, Christian Dysthe wrote:
> Hi,
>
> Spamassassin runs fine but I have one remaining error message in the logs:
>
>   spamd: still running as root: user not specified with -u
>
> I have looked around trying to figure out what to do about this but no
> luck so far. Maybe someone here could let me know how to fix this? I'm
> running Ubuntu Server Edition 12.04 LTS x64 with Spamassassin
> installed from the repos/

as per ye ole SA docs on

http://spamassassin.apache.org/doc.html

http://spamassassin.apache.org/full/3.3.x/doc/spamd.html

-u username, --username=username  Run as username

Re: Running as root.

Posted by Christian Dysthe <cd...@gmail.com>.

On Mon, Jul 15, 2013 at 9:10 AM, Jari Fredriksson <ja...@iki.fi> wrote:
> 15.07.2013 16:16, Christian Dysthe kirjoitti:
>> Hi,
>>
>> Spamassassin runs fine but I have one remaining error message in the logs:
>>
>>  spamd: still running as root: user not specified with -u
>>
>> I have looked around trying to figure out what to do about this but no
>> luck so far. Maybe someone here could let me know how to fix this? I'm
>> running Ubuntu Server Edition 12.04 LTS x64 with Spamassassin
>> installed from the repos/
>>
>> --
>> //Christian
>>
> You define the -u option in /etc/default/spamassassin

Thanks, that works. For some reasons I get some permission errors for
the bayes db files, but I'm sure I can figure that out,
'
>
>
>
> --
> jarif.bit
>
>



--
//Christian

Re: Running as root.

Posted by Jari Fredriksson <ja...@iki.fi>.

15.07.2013 16:16, Christian Dysthe kirjoitti:
> Hi,
>
> Spamassassin runs fine but I have one remaining error message in the logs:
>
>  spamd: still running as root: user not specified with -u
>
> I have looked around trying to figure out what to do about this but no
> luck so far. Maybe someone here could let me know how to fix this? I'm
> running Ubuntu Server Edition 12.04 LTS x64 with Spamassassin
> installed from the repos/
>
> --
> //Christian
>
You define the -u option in /etc/default/spamassassin



-- 
jarif.bit

Re: Running as root.

Posted by Martin Gregorie <ma...@gregorie.org>.

On Mon, 2013-07-15 at 22:14 +0300, Jari Fredriksson wrote:
> 15.07.2013 19:51, Benny Pedersen kirjoitti:
> > Christian Dysthe skrev den 2013-07-15 15:16:
> >
> >> Spamassassin runs fine but I have one remaining error message in the
> >> logs:
> >> spamd: still running as root: user not specified with -u
> >
> > spamd uses default port 783, with is below 1024 imho :=)
> >
> > only ports over 1023 can run as daemons without started as root
> >
> > if you like to change the problem, i will say apache does the same
> > problem on port 80, is there any secureity problem with that ?, well
> > apache start as root yes, but it drops priveledges for port 80 when
> > started, if spamd does the same its perfectly ok
> >
> spamd starts as root anyway, then it changes to the given user. I think
> it goes this way.
> 
Yep. Its manual says that if its started as root, for each message it
receives it will switch to the user set by the spamc -u option or
(default) the user spamc is run under.


Martin

Re: Running as root.

Posted by RW <rw...@googlemail.com>.

On Mon, 15 Jul 2013 17:26:12 -0600
Amir 'CG' Caspi wrote:

> At 12:05 AM +0100 07/16/2013, RW wrote:
> >OTOH when I just tried this in 3.3.2, spamd didn't to pick-up a test
> >rule I added to ~/.spamassassin/user_prefs (which worked with the
> >spamassassin script).
> 
> Do you have allow_user_rules enabled in your local.cf?  According to 
> http://spamassassin.apache.org/full/3.3.x/doc/Mail_SpamAssassin_Conf.html#rule_definitions_and_privileged_settings 
> ... spamd will ignore user rules unless explicitly enabled via 
> allow_user_rules.

That was it. I didn't realise that it was specific to spamd.

Re: Running as root.

Posted by Amir 'CG' Caspi <ce...@3phase.com>.

At 12:05 AM +0100 07/16/2013, RW wrote:
>OTOH when I just tried this in 3.3.2, spamd didn't to pick-up a test
>rule I added to ~/.spamassassin/user_prefs (which worked with the
>spamassassin script).

Do you have allow_user_rules enabled in your local.cf?  According to 
http://spamassassin.apache.org/full/3.3.x/doc/Mail_SpamAssassin_Conf.html#rule_definitions_and_privileged_settings 
... spamd will ignore user rules unless explicitly enabled via 
allow_user_rules.

						--- Amir

Re: Running as root.

Posted by RW <rw...@googlemail.com>.

On Mon, 15 Jul 2013 14:41:08 -0500 (CDT)
David B Funk wrote:

> It uses the Apache model. There is a parent process that runs as root
> to manage the sockets which then forks off children as the "-u" user
> to actually process the messages. If you don't specify the "-u" user
> the children stay as root and it barks at you because it's a potential
> security risk.

The spamd man page says:

   -u username, --username=username
           Run as the named user.  If this option is not set, the
           default behaviour is to setuid() to the user running "spamc",
           if "spamd" is running as root.

so presumably the children would need to start as root to setuid to the
unix user running spamc. The mail would then be scanned as an
unprivileged user whilst retaining access to the user's  home
directory, so it shouldn't be a security problem.

OTOH when I just tried this in 3.3.2, spamd didn't to pick-up a test
rule I added to ~/.spamassassin/user_prefs (which worked with the
spamassassin script).

Re: Running as root.

Posted by David B Funk <db...@engineering.uiowa.edu>.

On Mon, 15 Jul 2013, Jari Fredriksson wrote:

> 15.07.2013 19:51, Benny Pedersen kirjoitti:
>> Christian Dysthe skrev den 2013-07-15 15:16:
>>
>>> Spamassassin runs fine but I have one remaining error message in the
>>> logs:
>>> spamd: still running as root: user not specified with -u
>>
>> spamd uses default port 783, with is below 1024 imho :=)
>>
>> only ports over 1023 can run as daemons without started as root
>>
>> if you like to change the problem, i will say apache does the same
>> problem on port 80, is there any secureity problem with that ?, well
>> apache start as root yes, but it drops priveledges for port 80 when
>> started, if spamd does the same its perfectly ok
>>
> spamd starts as root anyway, then it changes to the given user. I think
> it goes this way.

It uses the Apache model. There is a parent process that runs as root
to manage the sockets which then forks off children as the "-u" user to
actually process the messages. If you don't specify the "-u" user
the children stay as root and it barks at you because it's a potential
security risk.

-- 
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{

Re: Running as root.

Posted by Jari Fredriksson <ja...@iki.fi>.

15.07.2013 19:51, Benny Pedersen kirjoitti:
> Christian Dysthe skrev den 2013-07-15 15:16:
>
>> Spamassassin runs fine but I have one remaining error message in the
>> logs:
>> spamd: still running as root: user not specified with -u
>
> spamd uses default port 783, with is below 1024 imho :=)
>
> only ports over 1023 can run as daemons without started as root
>
> if you like to change the problem, i will say apache does the same
> problem on port 80, is there any secureity problem with that ?, well
> apache start as root yes, but it drops priveledges for port 80 when
> started, if spamd does the same its perfectly ok
>
spamd starts as root anyway, then it changes to the given user. I think
it goes this way.

-- 
jarif.bit

Re: Running as root.

Posted by Benny Pedersen <me...@junc.eu>.

Christian Dysthe skrev den 2013-07-15 15:16:

> Spamassassin runs fine but I have one remaining error message in the 
> logs:
> spamd: still running as root: user not specified with -u

spamd uses default port 783, with is below 1024 imho :=)

only ports over 1023 can run as daemons without started as root

if you like to change the problem, i will say apache does the same 
problem on port 80, is there any secureity problem with that ?, well 
apache start as root yes, but it drops priveledges for port 80 when 
started, if spamd does the same its perfectly ok