auto-whitelist: open of auto-whitelist file failed

[Yves Goergen <no...@unclassified.de>]

Hello,

I have upgraded SpamAssassin from 3.1.8 to 3.2.4 today. First I got 
errors about a "nonexistent" path all the time. Then I added the path to 
the auto_whitelist directory in local.cf. Now I get this error message 
every few seconds:

Apr  4 20:01:36 mond spamd[14283]: auto-whitelist: open of 
auto-whitelist file failed: locker: safe_lock: cannot create lockfile 
/root/.spamassassin/auto-whitelist.mutex: Permission denied

This time, I couldn't find a solution on the web. Here's the directory 
listing:

20:35 root@mond ~/.spamassassin > ls -al
total 516
drwx------   2 root root   4096 Apr  4 16:35 ./
drwxr-xr-x  14 root root   4096 Apr  4 19:03 ../
-rw-------   1 root root  12288 Apr  4 16:42 auto-whitelist
-rw-------   1 root root      6 Apr  4 19:03 auto-whitelist.mutex
-rw-------   1 root root    350 Apr  4 17:42 bayes.mutex
-rw-------   1 root root  24576 Apr  4 17:42 bayes_seen
-rw-------   1 root root 647168 Apr  4 17:42 bayes_toks

What's the problem? Before the upgrade, I removed all traces from SA on 
the system (locate & rm -rf). It was previously installed through CPAN. 
But I don't think that CPAN is that "comprehensive" at all and decided 
not to use it again where I can. This SA was installed from the tarball. 
The /root/.spamassassin directory was created automatically then.

So if it doesn't work out of the box, what can I do next?

-- 
Yves Goergen "LonelyPixel" <no...@unclassified.de>
Visit my web laboratory at http://beta.unclassified.de

Re: auto-whitelist: open of auto-whitelist file failed

[Yves Goergen <no...@unclassified.de>]

> On 06.04.2008 03:26 CE(S)T, Matt Kettler wrote:
>> The "new fangled" way would be to use spamc for learning instead of 
>> sa-learn.

And yes, it's a lot faster I believe.

-- 
Yves Goergen "LonelyPixel" <no...@unclassified.de>
Visit my web laboratory at http://beta.unclassified.de

Re: auto-whitelist: open of auto-whitelist file failed

[Yves Goergen <no...@unclassified.de>]

On 06.04.2008 03:26 CE(S)T, Matt Kettler wrote:
> Yves Goergen wrote:
>>> Just remember to su to that user when running sa-learn.
>> This is getting a problem now! My spamd user has no access on the 
>> mailbox directories from which I am usually learning. What's the 
>> proposed solution for that?

> The "new fangled" way would be to use spamc for learning instead of 
> sa-learn.
> 
> If you start spamd with the --allow-tell parameter, you can the use 
> spamc -L ham, spamc -L spam or spamc -L forget on the message, and it 
> will pass it to spamd for learning.

Thank you again for that. It works almost perfectly. spamc is supposed 
to return a value of 5 or 6 when it's done, but it always returns 0 
(says my script). But I can also live with the message spamc prints out, 
reading that it was successful or the message was already known.

-- 
Yves Goergen "LonelyPixel" <no...@unclassified.de>
Visit my web laboratory at http://beta.unclassified.de

Re: auto-whitelist: open of auto-whitelist file failed

[Matt Kettler <mk...@verizon.net>]

Yves Goergen wrote:
>
>> Just remember to su to that user when running sa-learn.
>
> This is getting a problem now! My spamd user has no access on the 
> mailbox directories from which I am usually learning. What's the 
> proposed solution for that?
Well, there's a couple of ways to deal with that..

The "new fangled" way would be to use spamc for learning instead of 
sa-learn.

If you start spamd with the --allow-tell parameter, you can the use 
spamc -L ham, spamc -L spam or spamc -L forget on the message, and it 
will pass it to spamd for learning.

This way you guarantee that the learning runs as the same user you scan 
as. It's also very slightly faster as you don't have to load a perl 
interpreter instance.

Other ways would be:

Make use of groups to grant the user spamd runs as rights to the 
mailboxes. If all the mailboxes have the same group ownership, or you 
can create a group and set them all to it, then just add that to spamd 
user as a supplemental group.

You could also make use of a root cronjob to copy/chown the files 
somewhere that your learner can get to them.

Both of those last approaches have some limitations and won't work in 
all situations, hence I'd suggest the spamc -L method.. However, I do 
caveat that it's a somewhat new feature and I personally have never 
tested it, but several others do use it.

Re: auto-whitelist: open of auto-whitelist file failed

[Yves Goergen <no...@unclassified.de>]

On 05.04.2008 01:18 CE(S)T, Matt Kettler wrote:
> Spamd will never be able to access anything in /root/. 3.1.8 shouldn't 
> have been able to do so any more than 3.2.4 could, but that might have 
> been a bug..

Must have been a bug, yes.

> If you're always scanning mail as one user, you can create a 
> non-privileged user account and pass that after the -u parameter to 
> either spamd (ie: in your startup script) or to spamc (ie: in your 
> scan-time calls).

Okay, that works. I've created a new user+group with its own home 
directory, moved the .spamassassin directory from /root into there, 
chown'ed it and then started spamd again.

> Just remember to su to that user when running sa-learn.

This is getting a problem now! My spamd user has no access on the 
mailbox directories from which I am usually learning. What's the 
proposed solution for that?

>> What's the problem? Before the upgrade, I removed all traces from SA 
>> on the system (locate & rm -rf). 
> That was probably unnecessary.. SA will blow itself away if it's already 
> present when you go to install it. The only time you run into trouble is 
> if you change the PREFIX, and end up with one installed in /usr/ and the 
> other in /usr/local.

Switching from CPAN to the tarball, I wasn't sure if this would change.

-- 
Yves Goergen "LonelyPixel" <no...@unclassified.de>
Visit my web laboratory at http://beta.unclassified.de

Re: auto-whitelist: open of auto-whitelist file failed

[Matt Kettler <mk...@verizon.net>]

Yves Goergen wrote:
> Hello,
>
> I have upgraded SpamAssassin from 3.1.8 to 3.2.4 today. First I got 
> errors about a "nonexistent" path all the time. Then I added the path 
> to the auto_whitelist directory in local.cf. Now I get this error 
> message every few seconds:
>
> Apr  4 20:01:36 mond spamd[14283]: auto-whitelist: open of 
> auto-whitelist file failed: locker: safe_lock: cannot create lockfile 
> /root/.spamassassin/auto-whitelist.mutex: Permission denied
Spamd will never be able to access anything in /root/. 3.1.8 shouldn't 
have been able to do so any more than 3.2.4 could, but that might have 
been a bug..

If spamd finds itself running as root when it's time to scan mail, it 
will setuid itself to nobody for security.

If you're always scanning mail as one user, you can create a 
non-privileged user account and pass that after the -u parameter to 
either spamd (ie: in your startup script) or to spamc (ie: in your 
scan-time calls).

Just remember to su to that user when running sa-learn.
>
> This time, I couldn't find a solution on the web. Here's the directory 
> listing:
>
> 20:35 root@mond ~/.spamassassin > ls -al
> total 516
> drwx------   2 root root   4096 Apr  4 16:35 ./
> drwxr-xr-x  14 root root   4096 Apr  4 19:03 ../
> -rw-------   1 root root  12288 Apr  4 16:42 auto-whitelist
> -rw-------   1 root root      6 Apr  4 19:03 auto-whitelist.mutex
> -rw-------   1 root root    350 Apr  4 17:42 bayes.mutex
> -rw-------   1 root root  24576 Apr  4 17:42 bayes_seen
> -rw-------   1 root root 647168 Apr  4 17:42 bayes_toks
>
> What's the problem? Before the upgrade, I removed all traces from SA 
> on the system (locate & rm -rf). 
That was probably unnecessary.. SA will blow itself away if it's already 
present when you go to install it. The only time you run into trouble is 
if you change the PREFIX, and end up with one installed in /usr/ and the 
other in /usr/local.

> It was previously installed through CPAN. But I don't think that CPAN 
> is that "comprehensive" at all and decided not to use it again where I 
> can. This SA was installed from the tarball. The /root/.spamassassin 
> directory was created automatically then.
>
> So if it doesn't work out of the box, what can I do next?
Don't use root with spamd :)