On Tue, Nov 26, 2019 at 07:44:11PM +0100, Christian Göttsche wrote: > > They should be owned by debian-spamd:debian-spamd, and have been created as > > such at least as far back at stretch. > On my system they are owned by root, cause spamd runs as root and also > my custom sa-update systemd timer.
spamd runs as root normally, in order to support changing UID to the ID of the user running spamc. This does not require the files under /var/lib/spamassassin to be owned by root. Running sa-update as root is absolutely not something you should do. It is loading untrusted data from possibly malicious/compromised external resources. > > Control: severity -1 important > Even if it is a local configuration issue, the upgrade must not fail > (it may skip or disable things). Your local configuration has broken the spamassassin packages. This is not a spamassassin bug. noah
