Posted to users@spamassassin.apache.org by Ori Bani <or...@gmail.com> on 2011/04/03 22:30:44 UTC

local.cf permissions

Hello,

  From what I can tell, it is common to have local.cf permissions/ownership as

root:root 644 (rw-r--r--)

  But I have some database passwords (bayes, awl) in that file and
would like NOT to have world read permissions on that file.

  I'm not entirely sure what process reads that file and what user
that process runs as, so I hope that's an easy question you can answer
for me.  Is there any ownership or permissions combination that is
more restrictive than the above?  Does it really need to be world
readable?

Thank you!

Re: local.cf permissions

Posted by Sahil Tandon <sa...@FreeBSD.org>.
On Sun, 2011-04-03 at 14:38:49 -0700, Ori Bani wrote:

> On Sun, Apr 3, 2011 at 2:08 PM, Sahil Tandon <sa...@freebsd.org> wrote:
> > On Sun, 2011-04-03 at 13:30:44 -0700, Ori Bani wrote:
> >
> >> From what I can tell, it is common to have local.cf
> >> permissions/ownership as
> >>
> >> root:root 644 (rw-r--r--)
> >>
> >> But I have some database passwords (bayes, awl) in that file and would
> >> like NOT to have world read permissions on that file.
> >>
> >> I'm not entirely sure what process reads that file and what user that
> >> process runs as, so I hope that's an easy question you can answer for
> >> me.  Is there any ownership or permissions combination that is more
> >> restrictive than the above?  Does it really need to be world readable?
> >
> > You've asked a few different questions; the answer to the last one is
> > 'no'.
> 
> Can you elaborate?  The systemwide local.cf
> (/etc/mail/spamassassin/local.cf) where my database passwords are
> located seems to need to be world readable according to docs I've read
> on the web (so that each user gets the default settings in that file I
> think).  So how can I preserve that functionality without having
> global read permission on that file?

My permissions for local.cf are:

-rw-r-----

And I've had no problems for several years now.  How do you reconcile
that with what you've read 'on the web'?  Different situations and needs
will merit different solutions.  Your question was general and received
a general response. :)

-- 
Sahil Tandon <sa...@FreeBSD.org>

Re: local.cf permissions

Posted by Ori Bani <or...@gmail.com>.
On Sun, Apr 3, 2011 at 2:08 PM, Sahil Tandon <sa...@freebsd.org> wrote:
> On Sun, 2011-04-03 at 13:30:44 -0700, Ori Bani wrote:
>
>> From what I can tell, it is common to have local.cf
>> permissions/ownership as
>>
>> root:root 644 (rw-r--r--)
>>
>> But I have some database passwords (bayes, awl) in that file and would
>> like NOT to have world read permissions on that file.
>>
>> I'm not entirely sure what process reads that file and what user that
>> process runs as, so I hope that's an easy question you can answer for
>> me.  Is there any ownership or permissions combination that is more
>> restrictive than the above?  Does it really need to be world readable?
>
> You've asked a few different questions; the answer to the last one is
> 'no'.

Can you elaborate?  The systemwide local.cf
(/etc/mail/spamassassin/local.cf) where my database passwords are
located seems to need to be world readable according to docs I've read
on the web (so that each user gets the default settings in that file I
think).  So how can I preserve that functionality without having
global read permission on that file?

Re: local.cf permissions

Posted by Sahil Tandon <sa...@FreeBSD.org>.
On Sun, 2011-04-03 at 13:30:44 -0700, Ori Bani wrote:

> From what I can tell, it is common to have local.cf
> permissions/ownership as
> 
> root:root 644 (rw-r--r--)
> 
> But I have some database passwords (bayes, awl) in that file and would
> like NOT to have world read permissions on that file.
> 
> I'm not entirely sure what process reads that file and what user that
> process runs as, so I hope that's an easy question you can answer for
> me.  Is there any ownership or permissions combination that is more
> restrictive than the above?  Does it really need to be world readable?

You've asked a few different questions; the answer to the last one is
'no'.

-- 
Sahil Tandon <sa...@FreeBSD.org>

Re: local.cf permissions

Posted by Ori Bani <or...@gmail.com>.
>>> I played with it and set /etc/mail/spamassassin/local.cf to:
>>>
>>> root:root 600 (rw-------)
>>
>> updates will reset it to 644

Really?  Doesn't that depend on delivery method (yum, apt-get, etc)?
Permissions get reset?  But custom changes *inside* that file will be
preserved, won't they?

> ...so create /etc/mail/spamassassin/passwords.cf root:root 600 and put just
> the sensitive entries in it.

Ah!  So any .cf file in /etc/mail/spamassassin will automatically be
read upon startup (similar to Apache's conf.d directory)?  That's very
handy.

>> In what environments does the systemwide local.cf need to be
>> world readable???
>
> Ones where any user can run spamassassin (vs. spamc) and have it work fully.

Ah, thank you.

> If you say "only spamc is supported" as an administrative rule, and you
> protect your sensitive data as above, you're probably good.

Thanks much John and Benny!

Re: local.cf permissions

Posted by John Hardin <jh...@impsec.org>.
On Mon, 4 Apr 2011, Benny Pedersen wrote:

> On Sun, 3 Apr 2011 15:16:06 -0700, Ori Bani <or...@gmail.com> wrote:
>
>> I played with it and set /etc/mail/spamassassin/local.cf to:
>>
>> root:root 600 (rw-------)
>
> updates will reset it to 644

...so create /etc/mail/spamassassin/passwords.cf root:root 600 and put 
just the sensitive entries in it.


On Sun, 3 Apr 2011, Ori Bani wrote:

> In what environments does the systemwide local.cf need to be
> world readable???

Ones where any user can run spamassassin (vs. spamc) and have it work 
fully.

If you say "only spamc is supported" as an administrative rule, and you 
protect your sensitive data as above, you're probably good.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Ignorance is no excuse for a law.
-----------------------------------------------------------------------
  10 days until Thomas Jefferson's 268th Birthday
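
The split suggested in the message above, as an added example (not part of the original thread and not SpamAssassin's own tooling): it moves credential directives out of local.cf into a passwords.cf that only its owner can read, and lists any .cf file that still exposes one to other users. The function names and the rule that a secret is any directive whose name ends in `_password` (such as `bayes_sql_password`) are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: split credential lines out of local.cf into an owner-only passwords.cf.
# Assumption: secrets are directives whose name ends in "_password"
# (for example bayes_sql_password or user_awl_sql_password).
SECRET_RE='^[[:space:]]*[A-Za-z_]*_password[[:space:]]'

# List .cf files in DIR that hold a secret directive and are readable by "other".
audit_cf_dir() {
    dir=$1
    for f in "$dir"/*.cf; do
        [ -f "$f" ] || continue
        if grep -Eq "$SECRET_RE" "$f" && [ -n "$(find "$f" -perm -004)" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Move secret directives from DIR/local.cf to DIR/passwords.cf (mode 600).
# Run as root on a real system so both files end up owned by root.
split_secrets() {
    dir=$1
    src=$dir/local.cf
    dst=$dir/passwords.cf
    grep -Eq "$SECRET_RE" "$src" || return 0       # nothing to move
    (
        umask 077                                   # a new file is created rw-------
        grep -E "$SECRET_RE" "$src" >> "$dst"
    ) || return 1
    chmod 600 "$dst"                                # also tighten a pre-existing file
    tmp=$(mktemp "$dir/local.cf.XXXXXX") || return 1
    sed -E "/$SECRET_RE/d" "$src" > "$tmp"          # local.cf without the secrets
    chmod 644 "$tmp"                                # the common mode named in the thread
    mv "$tmp" "$src"
}

# Demo on a constructed local.cf in a scratch directory (not a real config).
demo=$(mktemp -d)
printf '%s\n' 'required_score 5.0' 'bayes_sql_password EXAMPLE-ONLY' > "$demo/local.cf"
chmod 644 "$demo/local.cf"
echo "exposed before: $(audit_cf_dir "$demo")"
split_secrets "$demo"
echo "exposed after:  $(audit_cf_dir "$demo")"
ls -l "$demo"
rm -rf "$demo"
```

spamd reads its configuration at startup, so it has to be restarted before the moved directives take effect from the new file.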

Re: local.cf permissions

Posted by Benny Pedersen <me...@junc.org>.
On Sun, 3 Apr 2011 15:16:06 -0700, Ori Bani <or...@gmail.com> wrote:

> I played with it and set /etc/mail/spamassassin/local.cf to:
> 
> root:root 600 (rw-------)

updates will reset it to 644

> And it seems to work fine in simple testing.

spamd starts as root and drops privileges when local.cf is read into mem

> So even though it's not readable by the "maildrop" user that spamd
> runs as, it still works.  Why is that?  Does spamd start as root and
> read system-wide local.cf before changing to the user indicated by the
> -u flag?

if maildrop has a homedir, then its user_prefs is also read, but I have
not needed to use local.cf to have passwords still :)



Re: local.cf permissions

Posted by Ori Bani <or...@gmail.com>.
On Sun, Apr 3, 2011 at 2:38 PM, Benny Pedersen <me...@junc.org> wrote:
> On Sun, 3 Apr 2011 13:30:44 -0700, Ori Bani <or...@gmail.com> wrote:
>>   From what I can tell, it is common to have local.cf
>>   permissions/ownership as
>>
>> root:root 644 (rw-r--r--)
>
> correct
>
>> But I have some database passwords (bayes, awl) in that file and
>> would like NOT to have world read permissions on that file.
>
> put these passwords in user_prefs for that user that the daemon runs as
> and make it only readable by this user
>
> for amavisd it's
>
> chown vscan user_prefs
> chmod 0600 user_prefs
>
> in vscan homedir
> cd ~vscan
> cd .spamassassin
>
> put the user_prefs there

Well I call spamc/spamd from courier maildrop.  So my spamd startup
options use the -u flag to run it as the user "maildrop".  That's only
a system account and I'd rather not create user prefs for that user if
possible (but will if I have to).

I played with it and set /etc/mail/spamassassin/local.cf to:

root:root 600 (rw-------)

And it seems to work fine in simple testing.

So even though it's not readable by the "maildrop" user that spamd
runs as, it still works.  Why is that?  Does spamd start as root and
read system-wide local.cf before changing to the user indicated by the
-u flag?

If that's the case, wouldn't it do that no matter how you're using
spamd?  In what environments does the systemwide local.cf need to be
world readable???

Re: local.cf permissions

Posted by Benny Pedersen <me...@junc.org>.
On Sun, 3 Apr 2011 13:30:44 -0700, Ori Bani <or...@gmail.com> wrote:
>   From what I can tell, it is common to have local.cf
>   permissions/ownership as
> 
> root:root 644 (rw-r--r--)

correct

> But I have some database passwords (bayes, awl) in that file and
> would like NOT to have world read permissions on that file.

put these passwords in user_prefs for that user that the daemon runs as
and make it only readable by this user

for amavisd it's

chown vscan user_prefs
chmod 0600 user_prefs

in vscan homedir
cd ~vscan
cd .spamassassin

put the user_prefs there

sorry for my bad English, but it's what I have done for a long time to secure
it