You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@spamassassin.apache.org by Bill Moseley <mo...@hank.org> on 2006/11/12 17:11:05 UTC

Exim4 / spamd --username question

I'm not clear if I need to run spamd as a specific user or run as root
and use spamd -H <dir>.

This is a single mail server running Debian Stable with the packages
listed below.  SA configuration is system-wide, that is, there's no
user-specific configurations to worry about.

ii  exim4-daemon-h 4.50-8sarge2   exim MTA (v4) daemon with extended features,
ii  pyzor          0.4.0+cvs20030 spam-catcher using a collaborative filtering
ii  razor          2.670-1sarge2  spam-catcher using a collaborative filtering
ii  spamassassin   3.1.3-0bpo1    Perl-based spam filter using text analysis
ii  spamc          3.0.3-2sarge1  Client for SpamAssassin spam filtering daemo
ii  dcc-client     1.2.74-2       Distributed Checksum Clearinghouse - client 
ii  dcc-common     1.2.74-2       Distributed Checksum Clearinghouse - common 

If I (should I?) run spamd as, say, user "spamd" do I have to also
setup exim to run spamc as that user?  It will it not matter what user
is running spamc since spamd can't setuid if not running as root

Also, does the user "spamd" need a home directory, or can I use -H (or
--helper-home-dir) to specify the directory and that will work for any
feature that needs to read/write to the disk?


Currently, I have spamd running as root with the following options:

    OPTIONS="--max-children 5  --max-conn-per-child=20"

In exim4.conf I have:

    deny   message = This message scored $spam_score spam points.
           spam = nobody:true
           condition = ${if >{$spam_score_int}{100}{1}{0}}

Now, correct me if I'm wrong.  Exim is running spamc as user "nobody".
spamd is running as root -- so when Exim passes a message to spamc,
spamd will setuid to nobody.

The home directory for nobody is /nonexistent:

    $ fgrep nobody /etc/passwd
    nobody:x:65534:65534:nobody:/nonexistent:/bin/sh

which causes all sorts of complaints in syslog since /nonexistent is,
well, nonexistent.

I guess why I'm confused is that the Debian install runs spamd as
root, and has the exim config running spamc as nobody with a
non-existent home -- which means spamd can't read/write as needed.

I did see that adding dcc created a "dcc" user in /etc/passwd.


-- 
Bill Moseley
moseley@hank.org

Re: Exim4 / spamd --username question

Posted by Bill Moseley <mo...@hank.org>.

On Sun, Nov 12, 2006 at 11:41:34AM -0600, Stuart Johnston wrote:
> Exim does not actually run spamc, it connects directly to spamd.
> 
> spamd does run as root.  Exim can connect as nobody depending on your 
> configuration.  Generally though, you want to have a writable home 
> directory so it is easiest to create a user for this purpose that Exim 
> can connect as.

I wondered if Exim didn't connect directly to spamd.


You say spamd does run as root, but I was asking about it not running as root.

So, I created a user spamd:

    # adduser --disabled-login spamd

And added the --username=spamd to spamd startup:

    # ps aux | grep spamd
    root     21086 36.8 21.7 115400 111960 ?     Ss   10:53   0:05 /usr/sbin/spamd --max-children 5 --max-conn-per-child=20 --username=spamd -d --pidfile=/home/spamd/spamd.pid
    spamd    21092  0.0 21.7 115400 111968 ?     S    10:54   0:00 spamd child
    spamd    21093  0.5 21.7 115400 111968 ?     S    10:54   0:00 spamd child

I updated my Exim config to use "spamd" as the user:

    deny   message = This message scored $spam_score spam points.
           spam = spamd:true
           condition = ${if >{$spam_score_int}{100}{1}{0}}

Now all is happy, it seems.

Well, except dccproc complains about "Address family not supported".

   cdcc 'IPv6 off'

seems to have fixed that for now.  Just not sure how to make it permanent.






-- 
Bill Moseley
moseley@hank.org

RE: Exim4 / spamd --username question

Posted by Mark <ad...@asarian-host.net>.

> -----Original Message-----
> From: Stuart Johnston [mailto:stuart@ebby.com] 
> Sent: zondag 12 november 2006 18:35
> To: users@spamassassin.apache.org
> Subject: Re: Exim4 / spamd --username question
> 
> 
> 
> Exim does not actually run spamc, it connects directly to
> spamd.

Slightly OT, I guess; but is there actually a documented way of
calling the appropriate Perl module, without using spamc?

Thanks,

- Mark

Re: Exim4 / spamd --username question

Posted by Stuart Johnston <st...@ebby.com>.

Exim does not actually run spamc, it connects directly to spamd.

spamd does run as root.  Exim can connect as nobody depending on your 
configuration.  Generally though, you want to have a writable home 
directory so it is easiest to create a user for this purpose that Exim 
can connect as.

Bill Moseley wrote:
> I'm not clear if I need to run spamd as a specific user or run as root
> and use spamd -H <dir>.
> 
> This is a single mail server running Debian Stable with the packages
> listed below.  SA configuration is system-wide, that is, there's no
> user-specific configurations to worry about.
> 
> ii  exim4-daemon-h 4.50-8sarge2   exim MTA (v4) daemon with extended features,
> ii  pyzor          0.4.0+cvs20030 spam-catcher using a collaborative filtering
> ii  razor          2.670-1sarge2  spam-catcher using a collaborative filtering
> ii  spamassassin   3.1.3-0bpo1    Perl-based spam filter using text analysis
> ii  spamc          3.0.3-2sarge1  Client for SpamAssassin spam filtering daemo
> ii  dcc-client     1.2.74-2       Distributed Checksum Clearinghouse - client 
> ii  dcc-common     1.2.74-2       Distributed Checksum Clearinghouse - common 
> 
> If I (should I?) run spamd as, say, user "spamd" do I have to also
> setup exim to run spamc as that user?  It will it not matter what user
> is running spamc since spamd can't setuid if not running as root
> 
> Also, does the user "spamd" need a home directory, or can I use -H (or
> --helper-home-dir) to specify the directory and that will work for any
> feature that needs to read/write to the disk?
> 
> 
> Currently, I have spamd running as root with the following options:
> 
>     OPTIONS="--max-children 5  --max-conn-per-child=20"
> 
> In exim4.conf I have:
> 
>     deny   message = This message scored $spam_score spam points.
>            spam = nobody:true
>            condition = ${if >{$spam_score_int}{100}{1}{0}}
> 
> Now, correct me if I'm wrong.  Exim is running spamc as user "nobody".
> spamd is running as root -- so when Exim passes a message to spamc,
> spamd will setuid to nobody.
> 
> The home directory for nobody is /nonexistent:
> 
>     $ fgrep nobody /etc/passwd
>     nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
> 
> which causes all sorts of complaints in syslog since /nonexistent is,
> well, nonexistent.
> 
> I guess why I'm confused is that the Debian install runs spamd as
> root, and has the exim config running spamc as nobody with a
> non-existent home -- which means spamd can't read/write as needed.
> 
> I did see that adding dcc created a "dcc" user in /etc/passwd.
> 
>