You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@spamassassin.apache.org by bu...@bugzilla.spamassassin.org on 2007/06/12 14:41:45 UTC
[Bug 5510] New: Can't build spamassassin as root.
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5510
Summary: Can't build spamassassin as root.
Product: Spamassassin
Version: SVN Trunk (Latest Devel Version)
Platform: Other
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P5
Component: Building & Packaging
AssignedTo: dev@spamassassin.apache.org
ReportedBy: dan.mcdonald@austinenergy.com
The spamd_optC, spamc_optL, spamd_allow_user_rules, and spamd_plugin tests all
attempt to drop privileges during the "test" phase, but with no user to fall
back on, are unable to create temporary files necessary to complete the tests:
e.g:
[27488] warn: spamd: still running as root: user not specified with -u, not
found, or set to root, falling back to nobody
[27488] warn: spamd: bayes: locker: safe_lock: cannot create tmp lockfile
./log/user_state/bayes.lock.ldap.austin-energy.net.27488 for
./log/user_state/bayes.lock: Permission denied
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
[Bug 5510] some tests fail to run as root due to file ownership in t/log
Posted by bu...@bugzilla.spamassassin.org.
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5510
------- Additional Comments From jm@jmason.org 2007-06-15 05:22 -------
btw, I've added "t/root_spamd_virtual.t" as a test case for this. Sidney, could
you verify that fails for you?
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
[Bug 5510] [review] some tests fail to run as root due to file ownership in t/log
Posted by bu...@bugzilla.spamassassin.org.
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5510
jm@jmason.org changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |FIXED
------- Additional Comments From jm@jmason.org 2007-06-18 09:19 -------
ok, checked in on 3.2.x:
: jm 142...; svn commit -m "bug 5110: fix test suite to support running as root,
now that spamd will automatically fall back to 'nobody' privs; this was breaking
CPAN installation" t/spamd_allow_user_rules.t t/spamd_plugin.t t/SATest.pm
Sending t/SATest.pm
Sending t/spamd_allow_user_rules.t
Sending t/spamd_plugin.t
Transmitting file data ...
Committed revision 548391.
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
[Bug 5510] [review] some tests fail to run as root due to file ownership in t/log
Posted by bu...@bugzilla.spamassassin.org.
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5510
sidney@sidney.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|REOPENED |RESOLVED
Resolution| |FIXED
------- Additional Comments From sidney@sidney.com 2007-07-23 02:41 -------
Committed to branch 3.1 revision 558675.
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
[Bug 5510] some tests fail to run as root due to file ownership in t/log
Posted by bu...@bugzilla.spamassassin.org.
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5510
------- Additional Comments From jm@jmason.org 2007-06-15 05:27 -------
anyway, I've applied patch 3989 to SVN trunk:
: jm 247...; svn commit -m "bug 5510: fix test suite to support running as root,
now that spamd will automatically fall back to 'nobody' privs"
Sending t/SATest.pm
Sending t/spamd_allow_user_rules.t
Sending t/spamd_plugin.t
Transmitting file data ...
Committed revision 547650.
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
[Bug 5510] some tests fail to run as root due to file ownership in t/log
Posted by bu...@bugzilla.spamassassin.org.
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5510
jm@jmason.org changed:
What |Removed |Added
----------------------------------------------------------------------------
Summary|Can't build spamassassin as |some tests fail to run as
|root. |root due to file ownership
| |in t/log
Target Milestone|Undefined |3.2.2
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
[Bug 5510] some tests fail to run as root due to file ownership in t/log
Posted by bu...@bugzilla.spamassassin.org.
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5510
------- Additional Comments From sidney@sidney.com 2007-06-14 21:13 -------
More digging: The underlying variables in the C library are unsigned ints. So
getpwnam returns what is there which looks like 4294967294 even though Apple
puts a -2 in /etc/passwd. Assignments to $< and $> are fine with either
4294967294 or -2, doing the same thing in either case. It is only assignments to
$( and $) that flake out if the number is bigger than the maximum positive 32
bit signed int.
However, POSIX::setgid() works fine to set both the real and effective gid with
one call and it accepts 4294967294.
So I suggest that we replace
$) = "$ugid $ugid"; # effective gid
$( = $ugid; # real gid
with
setgid($ugid);
I'm not expert in this stuff... Does anyone see any problem with using
POSIX::setgid here on other platforms?
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
[Bug 5510] [review] some tests fail to run as root due to file ownership in t/log
Posted by bu...@bugzilla.spamassassin.org.
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5510
sidney@sidney.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |REOPENED
Resolution|FIXED |
Status Whiteboard|go |needs 2 votes for 3.1 branch
Target Milestone|3.2.2 |3.1.10
------- Additional Comments From sidney@sidney.com 2007-07-17 05:46 -------
Reopen to target to 3.1.10
Here's my +1 to apply it
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
[Bug 5510] some tests fail to run as root due to file ownership in t/log
Posted by bu...@bugzilla.spamassassin.org.
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5510
------- Additional Comments From jm@jmason.org 2007-06-15 03:04 -------
(In reply to comment #12)
> More digging: The underlying variables in the C library are unsigned ints. So
> getpwnam returns what is there which looks like 4294967294 even though Apple
> puts a -2 in /etc/passwd. Assignments to $< and $> are fine with either
> 4294967294 or -2, doing the same thing in either case. It is only assignments to
> $( and $) that flake out if the number is bigger than the maximum positive 32
> bit signed int.
this sounds like a perl bug on MacOS X (another one!! what are they doing over
there?)
> However, POSIX::setgid() works fine to set both the real and effective gid with
> one call and it accepts 4294967294.
>
> So I suggest that we replace
>
> $) = "$ugid $ugid"; # effective gid
> $( = $ugid; # real gid
>
> with
> setgid($ugid);
>
> I'm not expert in this stuff... Does anyone see any problem with using
> POSIX::setgid here on other platforms?
it may not be implemented, for one, which would cause a die(). We'd have
to protect it with an eval ' ... ' block.
you'd probably have to do sth like this:
- run the $) / $( assignments in an eval '...' block
- capture errors
- if error =~ /setrgid\(\) not implemented/, then
- run POSIX::setgid(...)
- die if that failed too
however would it be simpler to just do (pseudocode)
if (platform eq MacOS && ($uid = getpwnam($user)) == 4294967294) { $uid = -2; }
if that works, that would be better than attempting to use another syscall
entirely, IMO.
Also I suggest that should be opened as a totally separate bug; it's not caused
by this one, it's just being _exposed_ by the fix.
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
[Bug 5510] [review] some tests fail to run as root due to file ownership in t/log
Posted by bu...@bugzilla.spamassassin.org.
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5510
jm@jmason.org changed:
What |Removed |Added
----------------------------------------------------------------------------
Status Whiteboard|needs 2 votes for 3.1 branch|needs 1 for 3.1 branch
------- Additional Comments From jm@jmason.org 2007-07-18 06:36 -------
+1
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
[Bug 5510] [review] some tests fail to run as root due to file ownership in t/log
Posted by bu...@bugzilla.spamassassin.org.
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5510
spamassassin@dostech.ca changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |blentz@channing-bete.com
------- Additional Comments From spamassassin@dostech.ca 2007-06-18 11:50 -------
*** Bug 5525 has been marked as a duplicate of this bug. ***
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
[Bug 5510] [review] some tests fail to run as root due to file ownership in t/log
Posted by bu...@bugzilla.spamassassin.org.
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5510
jm@jmason.org changed:
What |Removed |Added
----------------------------------------------------------------------------
Summary|some tests fail to run as |[review] some tests fail to
|root due to file ownership |run as root due to file
|in t/log |ownership in t/log
Status Whiteboard| |needs 2 votes
------- Additional Comments From jm@jmason.org 2007-06-15 05:29 -------
setting this to review state; please vote for inclusion in 3.2.x.
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
[Bug 5510] some tests fail to run as root due to file ownership in t/log
Posted by bu...@bugzilla.spamassassin.org.
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5510
------- Additional Comments From sidney@sidney.com 2007-06-14 19:38 -------
Doing some digging I fond this mentioned as a long-time problem with trying to
run spamd as nobody on MacOS X. Both the uid and gid of 'nobody' on the Mac are
-2 and that seems to confuse things as the spamd sees $ugid as having a value of
4294967294 and then $( = $ugid produces the misleading error message that
setrgid is not implemented.
spamd --virtual-config-dir=somepath -u www
for example executes the $( = $ugid; with no error.
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
[Bug 5510] [review] some tests fail to run as root due to file ownership in t/log
Posted by bu...@bugzilla.spamassassin.org.
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5510
felicity@apache.org changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |jerry@fam-lee.com
------- Additional Comments From felicity@apache.org 2007-07-08 18:46 -------
*** Bug 5550 has been marked as a duplicate of this bug. ***
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
[Bug 5510] [review] some tests fail to run as root due to file ownership in t/log
Posted by bu...@bugzilla.spamassassin.org.
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5510
------- Additional Comments From Mark.Martinec@ijs.si 2007-06-15 08:09 -------
(In reply to comment #13)
Assignments to $< and $> are fine with either 4294967294 or -2
[...] assignments to $( and $) that flake out if the number
is bigger than the maximum positive 32 bit signed int.
>
> this sounds like a perl bug on MacOS X
> However, POSIX::setgid() works fine to set both the real
> and effective gid with
> you'd probably have to do sth like this:
> - run the $) / $( assignments in an eval '...' block
> - capture errors
> - if error =~ /setrgid\(\) not implemented/, then
> - run POSIX::setgid(...)
> - die if that failed too
If POSIX::setgid and POSIX::setuid are available (and I can't think
why they wouldn't be), by all means, use ONLY these, to avoid
all the $<, $>, $( and $) perl crap, which is causing all kinds
of inconsistencies on various platforms. The Net::Server (which
is used by amavisd-new) had a series of problem-reports until
it finally switched to POSIX::setgid and POSIX::setuid.
For illustration (not that I claim it is best), this is what
currently stands in Net::Server::Daemonize.pm:
sub set_uid {
my $uid = get_uid( shift() );
POSIX::setuid($uid);
if ($< != $uid || $> != $uid) { # check $> also (rt #21262)
$< = $> = $uid; # try again-needed by some 5.8.0 linux systems (rt #13450)
if ($< != $uid) {
die "Couldn't become uid \"$uid\": $!\n";
}
}
return 1;
}
sub set_gid {
my $gids = get_gid( @_ );
my $gid = (split /\s+/, $gids)[0];
eval { $) = $gids }; # store all the gids - this is really sort of optional
POSIX::setgid($gid);
if (! grep {$gid == $_} split /\s+/, $() { # look for any valid id in list
die "Couldn't become gid \"$gid\": $!\n";
}
return 1;
}
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
[Bug 5510] some tests fail to run as root due to file ownership in t/log
Posted by bu...@bugzilla.spamassassin.org.
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5510
------- Additional Comments From spamassassin@dostech.ca 2007-06-14 13:45 -------
I think we need to fix this and cut a release soon. If we aim for Wednesday it
leaves the weekend for anyone who feels like playing whack-a-bug.
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
[Bug 5510] some tests fail to run as root due to file ownership in t/log
Posted by bu...@bugzilla.spamassassin.org.
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5510
------- Additional Comments From dan.mcdonald@austinenergy.com 2007-06-14 16:06 -------
Works on Mandriva Corporate server 4:
t/spamc_optC................ok
t/spamc_optL................ok
t/spamc_y...................ok
t/spamc_z...................ok
t/spamd.....................ok
t/spamd_allow_user_rules....ok
It will take another 10 minutes or so to finish compiling, but this is where it
always broke before.
I'd give it +1, but I don't count.
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
[Bug 5510] [review] some tests fail to run as root due to file ownership in t/log
Posted by bu...@bugzilla.spamassassin.org.
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5510
------- Additional Comments From sidney@sidney.com 2007-07-17 05:44 -------
Created an attachment (id=4050)
--> (http://issues.apache.org/SpamAssassin/attachment.cgi?id=4050&action=view)
same patch against 3.1 branch
Here is the same fix in the form of a patch against the 3.1 branch
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
[Bug 5510] [review] some tests fail to run as root due to file ownership in t/log
Posted by bu...@bugzilla.spamassassin.org.
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5510
spamassassin@dostech.ca changed:
What |Removed |Added
----------------------------------------------------------------------------
Status Whiteboard|needs 1 for 3.1 branch |go
------- Additional Comments From spamassassin@dostech.ca 2007-07-23 01:36 -------
+1
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
[Bug 5510] some tests fail to run as root due to file ownership in t/log
Posted by bu...@bugzilla.spamassassin.org.
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5510
jm@jmason.org changed:
What |Removed |Added
----------------------------------------------------------------------------
Severity|normal |major
Priority|P5 |P1
------- Additional Comments From jm@jmason.org 2007-06-14 11:13 -------
this breaks the "sudo cpan Mail::SpamAssassin" style of installation, so is
pretty important :(
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
[Bug 5510] some tests fail to run as root due to file ownership in t/log
Posted by bu...@bugzilla.spamassassin.org.
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5510
------- Additional Comments From sidney@sidney.com 2007-06-14 19:49 -------
getpwnam('nobody') returns the 4294967294 values instead of -2. If at that point
I force the values of $uuid and $ugid to be -2 then everything seems to work
correctly.
I see some code that appears to recognize the possibility of something like this
if ( $> != $uuid and $> != ( $uuid - 2**32 ) ) {
die "spamd: setuid to uid $uuid failed\n";
}
but I don't really know what is going on with the various tests and workarounds
for BSD-specific behavior so I don't know just how to fix this.
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
[Bug 5510] some tests fail to run as root due to file ownership in t/log
Posted by bu...@bugzilla.spamassassin.org.
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5510
------- Additional Comments From dan.mcdonald@austinenergy.com 2007-06-14 11:20 -------
Another solution is to chmod the directories to world writable before dropping
privs.
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
[Bug 5510] some tests fail to run as root due to file ownership in t/log
Posted by bu...@bugzilla.spamassassin.org.
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5510
------- Additional Comments From jm@jmason.org 2007-06-14 14:35 -------
Created an attachment (id=3989)
--> (http://issues.apache.org/SpamAssassin/attachment.cgi?id=3989&action=view)
fix
I think this may do it... give it a try.
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
[Bug 5510] some tests fail to run as root due to file ownership in t/log
Posted by bu...@bugzilla.spamassassin.org.
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5510
jm@jmason.org changed:
What |Removed |Added
----------------------------------------------------------------------------
OtherBugsDependingO| |5518
nThis| |
------- Additional Comments From jm@jmason.org 2007-06-15 05:22 -------
doh. that was for bug 5518!
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
[Bug 5510] Can't build spamassassin as root.
Posted by bu...@bugzilla.spamassassin.org.
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5510
------- Additional Comments From jm@jmason.org 2007-06-12 05:54 -------
just to clarify -- this issue happens when the tests are run as root. the test
script should be ensuring that its temp and output dirs are writable by
"nobody", since now part of the spamd tests will run as "nobody" instead of
"root". (in previous versions, there was a security hole whereby they didn't
drop privs when running as root.)
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
[Bug 5510] some tests fail to run as root due to file ownership in t/log
Posted by bu...@bugzilla.spamassassin.org.
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5510
------- Additional Comments From felicity@apache.org 2007-06-14 11:15 -------
an easy option may be, btw, to skip certain tests if running as root.
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
[Bug 5510] [review] some tests fail to run as root due to file ownership in t/log
Posted by bu...@bugzilla.spamassassin.org.
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5510
spamassassin@dostech.ca changed:
What |Removed |Added
----------------------------------------------------------------------------
Status Whiteboard|needs 1 votes |go
------- Additional Comments From spamassassin@dostech.ca 2007-06-17 20:10 -------
+1
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
[Bug 5510] some tests fail to run as root due to file ownership in t/log
Posted by bu...@bugzilla.spamassassin.org.
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5510
------- Additional Comments From jm@jmason.org 2007-06-14 14:22 -------
I think I may have a fix nearly ready...
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
[Bug 5510] [review] some tests fail to run as root due to file ownership in t/log
Posted by bu...@bugzilla.spamassassin.org.
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5510
sidney@sidney.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Status Whiteboard|needs 2 votes |needs 1 votes
------- Additional Comments From sidney@sidney.com 2007-06-15 08:14 -------
> If POSIX::setgid and POSIX::setuid are available (and I can't think
> why they wouldn't be), by all means, use ONLY these, to avoid
Martin, I'm going to copy your comment over to bug 5518 where we are continuing
this discussion, and I'll respond there.
As for the proposed patch for this bug that is up for review
I vote +1
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
[Bug 5510] some tests fail to run as root due to file ownership in t/log
Posted by bu...@bugzilla.spamassassin.org.
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5510
------- Additional Comments From sidney@sidney.com 2007-06-14 18:37 -------
This doesn't work for me in MacOS 10.4.9, but the bug may be something in spamd
that I didn't notice before. This error happens when you try as root to run
spamd --virtual-config-dir=somepath -u nobody
which is what t/spamd_allow_user_rules.t tries to do
[16061] info: spamd: server started on port 48825/tcp (running version
3.2.2-r547235)
[16061] info: spamd: server pid: 16061
[16061] info: spamd: server successfully spawned child process, pid 16065
[16061] dbg: prefork: child 16065: entering state 0
[16061] dbg: prefork: new lowest idle kid: none
[16061] info: spamd: server successfully spawned child process, pid 16066
[16061] dbg: prefork: child 16066: entering state 0
[16061] dbg: prefork: new lowest idle kid: none
[16065] error: setrgid() not implemented at ../spamd/spamd.raw line 1041.
setrgid() not implemented at ../spamd/spamd.raw line 1041.
[16066] error: setrgid() not implemented at ../spamd/spamd.raw line 1041.
setrgid() not implemented at ../spamd/spamd.raw line 1041.
[16061] dbg: prefork: child closed connection
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.