Posted to users@spamassassin.apache.org by Scott Taylor <sc...@dctchambers.com> on 2005/02/01 16:56:06 UTC

Bayes* permissions

Hello all,

I'm using SA 3.0.2 on RHES3 with $LANG set to en_CA invoked with
system-wide configs in '/etc/mail/spamassassin/local.cf' via users'
.procmailrc with this recipe:

:0fw: spamassassin.lock
* < 256000
| spamassassin

I've been all over the docs, FAQs, wikis on the site, but I still can't
figure out why the permissions keep changing on the
'/etc/mail/spamassasin/bayes_*' files.  No matter what I set the
permissions to, which user I change the files to, they eventually end up
with a regular user owning the files and the perms set to -rw-------. 
Then I get 'autolearn=unavailable' in the headers, not sure if one has to
do with the other or just a coincidence.

Do I need to worry about the permissions on these files?

What could I be doing wrong to make these files change permissions and
owners like this?

Cheers.

--
Scott

Re: Bayes* permissions

Posted by Kris Deugau <kd...@vianet.ca>.
Scott Taylor wrote:
> I was running spamd but spam was being badly missed, so while reading
> docs on the SA site, I ran into that new recipe and now it catches a
> lot more spam.  spamd is running as root, spawned from
> /etc/init.d/spamassasin, 5 times, although I don't know if I need to
> be doing that, doesn't make much sense...

O_o  Truly weird;  barring some strange installation screwup (i.e., spamd
is calling code from SA2.6x instead of 3.x), you should see *identical*
scores with both calling methods, except that spamd/spamc is a whole lot
faster and far less likely to cause your system to stall mail
processing.

> OK, but wouldn't 0666 be sufficient?  Why would one want/need to
> execute a DB file?

It's actually more of a sort of bitmask;  SA also uses that setting to
make sure permissions on the directory the bayes_* files are in are
appropriate as well (among other things, it allows anyone to create the
bayes_journal file, which is used to accumulate changes to the main BDB
files in several different contexts).

The _toks and _seen BDB files are actually created with the execute bits
removed.

-kgd
-- 
Get your mouse off of there!  You don't know where that email has been!

Re: Bayes* permissions

Posted by Scott Taylor <sc...@dctchambers.com>.
Kris Deugau said:
> Scott Taylor wrote:

> For a global Bayes db, accessible to all users, you must either:
>
> -> Run spamd as a separate user, make sure the bayes_* files are owned
> by that user, and process mail through SA by calling spamc instead of
> spamassassin;

I was running spamd but spam was being badly missed, so while reading docs
on the SA site, I ran into that new recipe and now it catches a lot more
spam.  spamd is running as root, spawned from /etc/init.d/spamassasin, 5
times, although I don't know if I need to be doing that, doesn't make much
sense...

> or
>
> -> Make sure you have an entry in your local.cf (or other config file)
> to force appropriate permissions.  I use "bayes_file_mode 0777", as I

OK, but wouldn't 0666 be sufficient?  Why would one want/need to execute a
DB file?

Cheers.

--
Scott

Re: Bayes* permissions

Posted by Kris Deugau <kd...@vianet.ca>.
Scott Taylor wrote:
> I'm using SA 3.0.2 on RHES3 with $LANG set to en_CA invoked with
> system-wide configs in '/etc/mail/spamassassin/local.cf' via users'
> .procmailrc with this recipe:
> 
> :0fw: spamassassin.lock
> * < 256000
> | spamassassin
> 
> I've been all over the docs, FAQs, wikis on the site, but I still
> can't figure out why the permissions keep changing on the
> '/etc/mail/spamassasin/bayes_*' files.  No matter what I set the
> permissions to, which user I change the files to, they eventually end
> up with a regular user owning the files and the perms set to
> -rw-------.

For a global Bayes db, accessible to all users, you must either:

-> Run spamd as a separate user, make sure the bayes_* files are owned
by that user, and process mail through SA by calling spamc instead of
spamassassin; or

-> Make sure you have an entry in your local.cf (or other config file)
to force appropriate permissions.  I use "bayes_file_mode 0777", as I
have a global Bayes db, but per-user configuration and AWL files.  I
also use spamd/spamc, but I run spamd as root so it can setuid to the
appropriate user for each message.  You may be able to get away with a
mode of 0770, if your users are all in the same group.

You'll probably find that you will also want to adjust some of the other
bayes_* options in your SA configuration;  man Mail::SpamAssassin::Conf
should have the details for your installed version.

-kgd
-- 
Get your mouse off of there!  You don't know where that email has been!
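
Added example (not part of any post in this thread, and not SpamAssassin's own code): a small audit that applies the mask behaviour described in the replies above, where the directory gets the full bayes_file_mode and the bayes_* files get it with the execute bits removed, and reports files whose mode or owner has drifted. The function names are hypothetical and the sample directory is constructed in a temp dir.

```python
import os
import stat
import tempfile

def expected_modes(bayes_file_mode):
    """Return (directory_mode, db_file_mode) for a bayes_file_mode value.

    Per the thread, the setting acts as a mask: the directory gets the full
    value, while the bayes_* files are created with the execute bits removed.
    """
    return bayes_file_mode, bayes_file_mode & 0o666

def audit_bayes_dir(path, bayes_file_mode, expected_uid=None):
    """List (name, problem, actual, expected) tuples for one Bayes directory."""
    dir_mode, file_mode = expected_modes(bayes_file_mode)
    findings = []
    actual = stat.S_IMODE(os.stat(path).st_mode)
    if actual & dir_mode != dir_mode:
        findings.append((".", "dir-mode", oct(actual), oct(dir_mode)))
    for name in sorted(os.listdir(path)):
        if not name.startswith("bayes_"):
            continue
        st = os.stat(os.path.join(path, name))
        actual = stat.S_IMODE(st.st_mode)
        if actual != file_mode:
            findings.append((name, "file-mode", oct(actual), oct(file_mode)))
        if expected_uid is not None and st.st_uid != expected_uid:
            findings.append((name, "owner", st.st_uid, expected_uid))
    return findings

def demo():
    """Constructed sample: bayes_toks left at -rw------- as in the question."""
    with tempfile.TemporaryDirectory() as d:
        os.chmod(d, 0o777)
        for name, mode in (("bayes_seen", 0o666), ("bayes_toks", 0o600)):
            path = os.path.join(d, name)
            open(path, "w").close()
            os.chmod(path, mode)  # chmod is not subject to the umask
        return audit_bayes_dir(d, 0o777, expected_uid=os.getuid())

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

With the 0770 mode mentioned above for users who share one group, the same calculation gives an expected file mode of 0660.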