Package: spamassassin
Version: 3.2.4-1
Severity: normal
Tags: patch

I've got a grsecurity-enabled kernel and I am getting the following error in my logs:

  kernel: grsec: denied untrusted exec of /var/lib/spamassassin/compiled/3.002004/auto/Mail/SpamAssassin/CompiledRegexps/body_0/body_0.so by /usr/bin/spamassassin[spamassassin:6708] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/dash[sh:6707] uid/euid:1000/1000 gid/egid:1000/1000

This is due to the permissions on this directory:

  $ ls -l /var/lib/spamassassin/compiled/3.002004/Mail/SpamAssassin/
  drwxrwxr-x 2 root root 4,0K mar 14 08:42 CompiledRegexps/

If I remove the group writable permission on that directory, then it works fine. So I have patched the cron job that runs sa-compile to do this recursively (see attached patch).

Francois

P.S. The relevant kernel config option for grsecurity is this:

  Partially restrict non-root users (GRKERNSEC_TPE_ALL)

  If you say Y here, All non-root users other than the ones in the group specified in the main TPE option will only be allowed to execute files in directories they own that are not group or world-writable, or in directories owned by root and writable only by root. If the sysctl option is enabled, a sysctl option with name "tpe_restrict_all" is created.

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.23.17-hrt3-grsec (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to fr_CA.utf8)
Shell: /bin/sh linked to /bin/dash

Versions of packages spamassassin depends on:
ii  libarchive-tar-perl        1.38-2     manipulate tar files in Perl
ii  libdigest-sha1-perl        2.11-2     NIST SHA-1 message digest algorith
ii  libhtml-parser-perl        3.56-1     A collection of modules that parse
ii  libio-zlib-perl            1.09-1     IO:: style interface to gzip/zlib
ii  libnet-dns-perl            0.63-1     Perform DNS queries from a Perl sc
ii  libsocket6-perl            0.19-1     Perl extensions for IPv6
ii  libsys-hostname-long-perl  1.4-1      Figure out the long (fully-qualifi
ii  libwww-perl                5.808-1    WWW client/server library for Perl
ii  perl                       5.8.8-12   Larry Wall's Practical Extraction

Versions of packages spamassassin recommends:
ii  gcc                        4:4.2.2-2  The GNU C compiler
ii  gnupg                      1.4.6-2.1  GNU privacy guard - a free PGP rep
ii  libc6-dev                  2.7-9      GNU C Library: Development Librari
ii  libmail-spf-perl           2.005-1    Perl implementation of Sender Poli
pn  libsys-syslog-perl         <none>     (no description available)
ii  make                       3.81-3     The GNU version of the "make" util
ii  re2c                       0.12.1-1   tool for generating fast C-based r
ii  spamc                      3.2.4-1    Client for SpamAssassin spam filte

-- no debconf information

--- spamassassin 2008-03-14 11:25:49.000000000 +1300 +++ spamassassin.new 2008-03-14 11:25:43.000000000 +1300 @@ -32,6 +32,7 @@ # Compile, if rules have previously been compiled, and it's possible if [ -x /usr/bin/re2c -a -x /usr/bin/sa-compile -a -d /var/lib/spamassassin/compiled ]; then sa-compile > /dev/null 2>&1 + chmod -R go-w /var/lib/spamassassin/compiled fi # Reload
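
Review bot: The added chmod -R go-w after sa-compile repairs the modes only once compilation has finished and only on the cron path, so the tree is still group-writable while sa-compile runs and becomes group-writable again after any manual sa-compile run. If the group write bit comes from the inherited umask, setting umask 022 inside the same if block before the sa-compile line would create the directories with the right mode in the first place; if sa-compile sets the mode itself, the fix belongs there. As written, the chmod also runs when sa-compile fails, because its exit status is not checked and its output is sent to /dev/null; "sa-compile > /dev/null 2>&1 && chmod -R go-w ..." or an explicit status test would make that dependency visible.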

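The TPE rule quoted in the P.S. can be checked from userspace before and after a permission fix like the one in the patch. The script below is an added example, not part of the report or of the Debian package; the function names are hypothetical, and it approximates only the directory rule as worded in the help text (owner is root or the given uid, no group or world write bit), not the kernel's own logic or the TPE group exemption.

```shell
#!/bin/sh
# Added example: audit a tree against the TPE directory rule quoted above.

# tpe_dir_ok DIR UID: succeed if DIR is owned by root or by UID and is
# neither group- nor world-writable.
tpe_dir_ok() {
    [ -n "$(find "$1" -prune -type d ! -perm -020 ! -perm -002 \
        \( -user 0 -o -user "$2" \) -print)" ]
}

# tpe_failing_dirs TREE UID: print every directory under TREE that fails
# the rule, i.e. where an exec by UID would be treated as untrusted.
tpe_failing_dirs() {
    find "$1" -type d -print | while IFS= read -r d; do
        tpe_dir_ok "$d" "$2" || printf '%s\n' "$d"
    done
}

# tpe_demo: build a constructed tree shaped like the compiled-rules
# directory, then print the number of failing directories before and
# after the chmod used in the patch.
tpe_demo() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/compiled/CompiledRegexps/body_0"
    : > "$t/compiled/CompiledRegexps/body_0/body_0.so"
    chmod 755 "$t/compiled"
    chmod 775 "$t/compiled/CompiledRegexps" \
              "$t/compiled/CompiledRegexps/body_0"
    before=$(( $(tpe_failing_dirs "$t/compiled" "$(id -u)" | wc -l) ))
    chmod -R go-w "$t/compiled"
    after=$(( $(tpe_failing_dirs "$t/compiled" "$(id -u)" | wc -l) ))
    rm -rf "$t"
    echo "$before $after"
}

# Usage: script TREE UID, e.g. the compiled-rules tree and the uid that
# runs spamassassin.
if [ "$#" -eq 2 ]; then
    tpe_failing_dirs "$1" "$2"
fi
```

Run against the real compiled-rules tree with the uid from the grsec log line, an empty result means no directory in the tree violates the rule as quoted.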
