Posted to users@spamassassin.apache.org by Ryan Steele <st...@agora-net.com> on 2006/08/15 23:12:42 UTC
Spamd not able to drop root privileges at arbitrary times
Greetings all,
I have a bit of a mystery. Recently, I installed spamassassin on a new
server. Everything seems to be working fine, except for one little
hitch. It seems that arbitrarily, spamd is unable to drop root
privileges. Here's the relevant log message:
spamd: still running as root: user not specified with -u, not found, or
set to root, falling back to nobody at /usr/sbin/spamd line 1150,
<GEN1596> line 4.
This generates a few other subsequent errors, but I believe this to be
the crux of the problem. Here's some background information to fill in
the gaps...
I'm invoking spamc from .procmailrc files for each individual user,
which (to my understanding) sends the username and mail message to the
spamd daemon for processing. 95% of the time, spamd is able to drop
root privileges and perform perfectly. It seems that arbitrarily,
however, this error is generated when it is unable to. This happens for
the same user, but I'm not quite sure why sometimes it can drop root
privileges and other times it can't. I've tried placing the -u username
in the call to spamc, with the same results...about 95% success rate,
the rest of the times are those arbitrary cases where it can't drop root
privileges. Also, it is (or might be) important to note that I see no
"setuid to root succeeded" messages in my logs, so either it's being
invoked as root initially, or not at all.
I'll do my best to answer any additional questions, and look forward to
hopefully some helpful pointers!
I'm running:
Debian Sarge
SpamAssassin version 3.1.0
running on Perl version 5.8.4
Thanks in advance.
Best Regards,
Ryan
--
Ryan Steele
Systems Administrator steele@agora-net.com
AgoraNet, Inc. (302) 224-2475
314 E. Main Street, Suite 1 (302) 224-2552 (fax)
Newark, DE 19711 http://www.agora-net.com
Re: Spamd not able to drop root privileges at arbitrary times
Posted by jdow <jd...@earthlink.net>.
How is your procmail invoking spamc? The set of lines defining that
rule might help. It ALMOST sounds like you are missing a lock there.
{^_^}
----- Original Message -----
From: "Ryan Steele" <st...@agora-net.com>
> Theo,
>
> Well, I can verify that the users exist on the server. I'm not sure why
> spamc would be called by root...it's invoked by a .procmailrc, and
> passed the -u flag and given the user name. And it arbitrarily won't
> work for a user that in almost all other instances it *does* work for.
> Before, I had a central box running the spamd daemon, and the three
> boxes that run in parallel would pass the message/username to that
> central box. I've since broken it out, running a spamd daemon on each
> of the three boxes, so that the call is made locally to that respective
> spamd daemon. (This is to help reduce load). Only now am I seeing
> these messages. And like I said, it only happens on one out of every
> maybe 400 messages for any given user. Truly odd... Any other thoughts?
>
> Thanks in advance,
>
> Best Regards,
> Ryan
>
> Theo Van Dinter wrote:
>> On Tue, Aug 15, 2006 at 05:12:42PM -0400, Ryan Steele wrote:
>>
>>> hitch. It seems that arbitrarily, spamd is unable to drop root
>>> privileges. Here's the relevant log message:
>>>
>>> spamd: still running as root: user not specified with -u, not found, or
>>> set to root, falling back to nobody at /usr/sbin/spamd line 1150,
>>> <GEN1596> line 4.
>>>
>>
>> The message generally means that either the user calling spamd doesn't
>> exist on the spamd server, or more likely spamc is being called by root
>> and for security reasons spamd switches to nobody.
Re: Spamd not able to drop root privileges at arbitrary times
Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
Ryan Steele wrote:
> Theo,
>
> In the user's .procmailrc file, there is this stanza:
>
> :0fw: spamassassin.lock
> | /usr/bin/spamc -u username -s 128000
>
> But, I have had this problem occur arbitrarily when no -u username is
> specified. I think by the time Exim4 gets to the .procmailrc, it has
> already dropped privileges, so spamc would get called as that user from
> the user's .procmailrc file. But regardless, sometimes spamd can drop
> privileges, and sometimes it can't... a ratio of about 1:400 for
> can't/can. So, I'm not sure if that indicates some sort of problem
> external to spamd or not? I've seen other reports of this around, but
> no solutions. Hope this extra information helps, let me know if you
> need any additional info!
A failure of your system's auth backend could cause this. Are you using
something other than flat file /etc/passwd and /etc/group?
Daryl
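The fallback described in Theo's reply and the auth-backend failure Daryl asks about can be modelled together. This Python sketch is an added illustration, not spamd's code (spamd is written in Perl); `resolve_target`, `flaky_lookup`, `tally` and the sample accounts are hypothetical and constructed for the example.

```python
import pwd
from collections import namedtuple

FALLBACK_USER = "nobody"
Entry = namedtuple("Entry", "pw_name pw_uid")  # the two passwd fields used here


def resolve_target(requested, lookup=pwd.getpwnam):
    """Pick the account to switch to; reason is None when no fallback occurs."""
    if not requested:
        return FALLBACK_USER, "not specified"
    try:
        entry = lookup(requested)
    except KeyError:
        # "No entry" looks the same whether the account is absent or the
        # lookup itself failed, so both cases end in the fallback.
        return FALLBACK_USER, "not found"
    if entry.pw_uid == 0:
        return FALLBACK_USER, "set to root"
    return entry.pw_name, None


def flaky_lookup(accounts, fail_every):
    """Constructed stand-in for an account backend that returns no entry
    on every fail_every-th call, even for accounts that exist."""
    calls = 0

    def lookup(name):
        nonlocal calls
        calls += 1
        if calls % fail_every == 0 or name not in accounts:
            raise KeyError(name)
        return Entry(name, accounts[name])

    return lookup


def tally(deliveries, lookup):
    """Count fallback reasons over a sequence of requested user names."""
    counts = {}
    for requested in deliveries:
        _, reason = resolve_target(requested, lookup)
        if reason:
            counts[reason] = counts.get(reason, 0) + 1
    return counts


if __name__ == "__main__":
    accounts = {"root": 0, "alice": 1000}  # constructed sample accounts
    print(tally(["alice"] * 800, flaky_lookup(accounts, fail_every=400)))
    print(resolve_target("root", flaky_lookup(accounts, fail_every=10**9)))
```

In this model a valid user reaches the "not found" branch only on the calls where the lookup returns nothing, while a request for root takes the "set to root" branch every time.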
Re: Spamd not able to drop root privileges at arbitrary times
Posted by Theo Van Dinter <fe...@apache.org>.
On Wed, Aug 16, 2006 at 12:48:14PM -0400, Ryan Steele wrote:
> But, I have had this problem occur arbitrarily when no -u username is
> specified. I think by the time Exim4 gets to the .procmailrc, it has
> already dropped privileges, so spamc would get called as that user from
> the user's .procmailrc file. But regardless, sometimes spamd can drop
Well, if the mail is destined for a user, sure. What if the mail is destined
for "root@..." ?
--
Randomly Generated Tagline:
"Communist revolutionaries taking over the server room and demanding
all the computers in the building or they shoot the sysadmin."
- Today's BOFH Excuse
Re: Spamd not able to drop root privileges at arbitrary times
Posted by jdow <jd...@earthlink.net>.
This should work and would be more generic. I presume you have
"DROPPRIVS=yes" up near the top of the file. (And once privs are
dropped you don't get them back.) I see that a missing lock is not
the problem, though.
:0fw: spamassassin.lock
| /usr/bin/spamc -u $LOGNAME -s 128000
{^_^}
----- Original Message -----
From: "Ryan Steele" <st...@agora-net.com>
> Theo,
>
> In the user's .procmailrc file, there is this stanza:
>
> :0fw: spamassassin.lock
> | /usr/bin/spamc -u username -s 128000
>
> But, I have had this problem occur arbitrarily when no -u username is
> specified. I think by the time Exim4 gets to the .procmailrc, it has
> already dropped privileges, so spamc would get called as that user from
> the user's .procmailrc file. But regardless, sometimes spamd can drop
> privileges, and sometimes it can't... a ratio of about 1:400 for
> can't/can. So, I'm not sure if that indicates some sort of problem
> external to spamd or not? I've seen other reports of this around, but
> no solutions. Hope this extra information helps, let me know if you
> need any additional info!
>
> Thanks,
> Ryan
>
> Theo Van Dinter wrote:
>> On Wed, Aug 16, 2006 at 09:02:11AM -0400, Ryan Steele wrote:
>>
>>> Well, I can verify that the users exist on the server. I'm not sure why
>>> spamc would be called by root...it's invoked by a .procmailrc, and
>>> passed the -u flag and given the user name. And it arbitrarily won't
>>>
>>
>> How is that username determined? Does root's mail get processed via
>> procmail?
Re: Spamd not able to drop root privileges at arbitrary times
Posted by Ryan Steele <st...@agora-net.com>.
Theo,
In the user's .procmailrc file, there is this stanza:
:0fw: spamassassin.lock
| /usr/bin/spamc -u username -s 128000
But, I have had this problem occur arbitrarily when no -u username is
specified. I think by the time Exim4 gets to the .procmailrc, it has
already dropped privileges, so spamc would get called as that user from
the user's .procmailrc file. But regardless, sometimes spamd can drop
privileges, and sometimes it can't... a ratio of about 1:400 for
can't/can. So, I'm not sure if that indicates some sort of problem
external to spamd or not? I've seen other reports of this around, but
no solutions. Hope this extra information helps, let me know if you
need any additional info!
Thanks,
Ryan
Theo Van Dinter wrote:
> On Wed, Aug 16, 2006 at 09:02:11AM -0400, Ryan Steele wrote:
>
>> Well, I can verify that the users exist on the server. I'm not sure why
>> spamc would be called by root...it's invoked by a .procmailrc, and
>> passed the -u flag and given the user name. And it arbitrarily won't
>>
>
> How is that username determined? Does root's mail get processed via
> procmail?
>
>
Re: Spamd not able to drop root privileges at arbitrary times
Posted by Theo Van Dinter <fe...@apache.org>.
On Wed, Aug 16, 2006 at 09:02:11AM -0400, Ryan Steele wrote:
> Well, I can verify that the users exist on the server. I'm not sure why
> spamc would be called by root...it's invoked by a .procmailrc, and
> passed the -u flag and given the user name. And it arbitrarily won't
How is that username determined? Does root's mail get processed via
procmail?
--
Randomly Generated Tagline:
"Phenomenal Cosmic Powers, Itty Little Living Space." - Aladdin
Re: Spamd not able to drop root privileges at arbitrary times
Posted by Ryan Steele <st...@agora-net.com>.
Theo,
Well, I can verify that the users exist on the server. I'm not sure why
spamc would be called by root...it's invoked by a .procmailrc, and
passed the -u flag and given the user name. And it arbitrarily won't
work for a user that in almost all other instances it *does* work for.
Before, I had a central box running the spamd daemon, and the three
boxes that run in parallel would pass the message/username to that
central box. I've since broken it out, running a spamd daemon on each
of the three boxes, so that the call is made locally to that respective
spamd daemon. (This is to help reduce load). Only now am I seeing
these messages. And like I said, it only happens on one out of every
maybe 400 messages for any given user. Truly odd... Any other thoughts?
Thanks in advance,
Best Regards,
Ryan
Theo Van Dinter wrote:
> On Tue, Aug 15, 2006 at 05:12:42PM -0400, Ryan Steele wrote:
>
>> hitch. It seems that arbitrarily, spamd is unable to drop root
>> privileges. Here's the relevant log message:
>>
>> spamd: still running as root: user not specified with -u, not found, or
>> set to root, falling back to nobody at /usr/sbin/spamd line 1150,
>> <GEN1596> line 4.
>>
>
> The message generally means that either the user calling spamd doesn't
> exist on the spamd server, or more likely spamc is being called by root
> and for security reasons spamd switches to nobody.
>
>
Re: Spamd not able to drop root privileges at arbitrary times
Posted by Theo Van Dinter <fe...@apache.org>.
On Tue, Aug 15, 2006 at 05:12:42PM -0400, Ryan Steele wrote:
> hitch. It seems that arbitrarily, spamd is unable to drop root
> privileges. Here's the relevant log message:
>
> spamd: still running as root: user not specified with -u, not found, or
> set to root, falling back to nobody at /usr/sbin/spamd line 1150,
> <GEN1596> line 4.
The message generally means that either the user calling spamd doesn't
exist on the spamd server, or more likely spamc is being called by root
and for security reasons spamd switches to nobody.
--
Randomly Generated Tagline:
"Thinking hard can lead to social problems, such as chess." - Dogbert
Re: Spamd not able to drop root privileges at arbitrary times
Posted by "John D. Hardin" <jh...@impsec.org>.
On Tue, 15 Aug 2006, Ryan Steele wrote:
> spamd: still running as root: user not specified with -u, not found, or
> set to root, falling back to nobody at /usr/sbin/spamd line 1150,
> <GEN1596> line 4.
<aol>Me, too!</aol>
It happens to me pretty regularly. I don't have any per-user configs
set up.
> I'm running:
> Debian Sarge
> SpamAssassin version 3.1.0
> running on Perl version 5.8.4
Linux FC4, SA 3.1.3, Perl 5.8.6
In 3.1.3 it appears to have moved to line #1148.
--
John Hardin KA7OHZ ICQ#15735746 http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
The difference is that Unix has had thirty years of technical
types demanding basic functionality of it. And the Macintosh has
had fifteen years of interface fascist users shaping its progress.
Windows has the hairpin turns of the Microsoft marketing machine
and that's all. -- Red Drag Diva
-----------------------------------------------------------------------