[Bug 1373560] Re: /etc/cron.daily/spamassassin calls sa-update with potentially incorrect umask
I ran into this bug as well and checked if it's also present in Debian. It appears that from spamassassin 3.4.0-2 the relevant code is: # Update umask 022 env -i LANG=$LANG PATH=$PATH start-stop-daemon \ --chuid debian-spamd:debian-spamd --start \ --exec /usr/bin/sa-update -- \ --gpghomedir /var/lib/spamassassin/sa-update-keys 21 When using start-stop-daemon to invoke sa-update the umask is not changed, so updating to this version will fix the bug. -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to spamassassin in Ubuntu. https://bugs.launchpad.net/bugs/1373560 Title: /etc/cron.daily/spamassassin calls sa-update with potentially incorrect umask To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/spamassassin/+bug/1373560/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1373560] Re: /etc/cron.daily/spamassassin calls sa-update with potentially incorrect umask
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: spamassassin (Ubuntu) Status: New = Confirmed -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to spamassassin in Ubuntu. https://bugs.launchpad.net/bugs/1373560 Title: /etc/cron.daily/spamassassin calls sa-update with potentially incorrect umask To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/spamassassin/+bug/1373560/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1373560] Re: /etc/cron.daily/spamassassin calls sa-update with potentially incorrect umask
I'm hitting this on mailservers which runs with system wide umask of 007, set in /etc/profile. After /etc/cron.daily/spamassassin has run, and the first email is processed, amavis will shut down, since it cant' read /var/lib/spamassassin/3.004000/updates_spamassassin_org.cf resulting in an uppile in postfix's defferred queue. -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to spamassassin in Ubuntu. https://bugs.launchpad.net/bugs/1373560 Title: /etc/cron.daily/spamassassin calls sa-update with potentially incorrect umask To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/spamassassin/+bug/1373560/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1373560] Re: /etc/cron.daily/spamassassin calls sa-update with potentially incorrect umask
In my opinion, amavis's ability to read the ruleset created by sa-update should not rely on the default umask being in effect when sa-update was run. Agreed. I just wanted to understand the proportion of users who might be affected. This needs to be investigated in Debian. ** Changed in: spamassassin (Ubuntu) Importance: Undecided = Medium -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to spamassassin in Ubuntu. https://bugs.launchpad.net/bugs/1373560 Title: /etc/cron.daily/spamassassin calls sa-update with potentially incorrect umask To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/spamassassin/+bug/1373560/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
Re: [Bug 1373560] Re: /etc/cron.daily/spamassassin calls sa-update with potentially incorrect umask
On 09/26/2014 08:21, Robie Basak wrote: In my opinion, amavis's ability to read the ruleset created by sa-update should not rely on the default umask being in effect when sa-update was run. Agreed. I just wanted to understand the proportion of users who might be affected. This needs to be investigated in Debian. Thank you. I don't know if it's relevant, but this problem was not present on 12.04LTS and only appeared after I upgraded to 14.04LTS. If I can do anything else to help, let me know. Roger ** Changed in: spamassassin (Ubuntu) Importance: Undecided = Medium -- You received this bug notification because you are subscribed to the bug report. https://bugs.launchpad.net/bugs/1373560 Title: /etc/cron.daily/spamassassin calls sa-update with potentially incorrect umask Status in ???spamassassin??? package in Ubuntu: New Bug description: ubuntu 14.04.1 LTS Packages: spamassassin (3.4.0-1ubuntu1) amavisd-new (1:2.7.1-2ubuntu3) This report has to do with a problem between the interaction of the spamassassin and amavisd-new packages, but the problem is with /etc/cron.daily/spamassassin. /etc/cron.daily/spamassassin executes the following line: su - debian-spamd -c sa-update --gpghomedir /var/lib/spamassassin/sa- update-keys Since su is invoked with the - option, sa-update executes with the default umask of user debian-spamd. In my case that is 007, causing the updated rules , i.e. /var/lib/spamassassin/3.004000/updates_spamassassin_org.cf and /var/lib/spamassassin/3.004000/updates_spamassassin_org/*, to be created with no read access for other. When amavis is restarted, it is unable to read the spamassassin rules, and consequently spamassassin rule checks are not performed on received mail. It appears someone attempted to correct this by adding the line: umask 022 immediately above the call to su mentioned above. This in ineffectual however due to su being called with -. A fix is to change the above su call to this line: su - debian-spamd -c umask 022; sa-update --gpghomedir /var/lib/spamassassin/sa-update-keys A file with the output of 'ubuntu-bug --save=/tmp/sa-bug spamassassin' is attached. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/spamassassin/+bug/1373560/+subscriptions -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to spamassassin in Ubuntu. https://bugs.launchpad.net/bugs/1373560 Title: /etc/cron.daily/spamassassin calls sa-update with potentially incorrect umask To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/spamassassin/+bug/1373560/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1373560] Re: /etc/cron.daily/spamassassin calls sa-update with potentially incorrect umask
Thank you for taking the time to report this bug and helping to make Ubuntu better. Is your umask 007 because you changed the system default? I'm asking to understand whether this will affect all spamassassin/sa-update/amavisd users by default, or if it only affects others who have changed their system umask. spamassassin is maintained in Debian, so to make progress on this bug somebody needs to verify if Debian is affected by this problem and if it is then to report a bug in the Debian bug tracking system if there isn't a bug there already. ** Tags added: needs-upstream-report -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to spamassassin in Ubuntu. https://bugs.launchpad.net/bugs/1373560 Title: /etc/cron.daily/spamassassin calls sa-update with potentially incorrect umask To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/spamassassin/+bug/1373560/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
Re: [Bug 1373560] Re: /etc/cron.daily/spamassassin calls sa-update with potentially incorrect umask
I don't recall for sure, but I have 'UMASK 077' in /etc/login.defs and believe the default is 022, so I probably have changed the default. I also have 'USERGROUPS_ENAB yes', resulting in a mask of 007 for the debian-spamd account. In my opinion, amavis's ability to read the ruleset created by sa-update should not rely on the default umask being in effect when sa-update was run. I doubt it uncommon for a user to change that default. Instead, set the umask explicitly before running sa-update so the rules are world readable. If this is safe, i.e., not a security issue, it would not hurt even if someone were to install spamassassin without installing amavisd-new. On 09/25/2014 12:04, Robie Basak wrote: Thank you for taking the time to report this bug and helping to make Ubuntu better. Is your umask 007 because you changed the system default? I'm asking to understand whether this will affect all spamassassin/sa-update/amavisd users by default, or if it only affects others who have changed their system umask. spamassassin is maintained in Debian, so to make progress on this bug somebody needs to verify if Debian is affected by this problem and if it is then to report a bug in the Debian bug tracking system if there isn't a bug there already. ** Tags added: needs-upstream-report -- You received this bug notification because you are subscribed to the bug report. https://bugs.launchpad.net/bugs/1373560 Title: /etc/cron.daily/spamassassin calls sa-update with potentially incorrect umask Status in ???spamassassin??? package in Ubuntu: New Bug description: ubuntu 14.04.1 LTS Packages: spamassassin (3.4.0-1ubuntu1) amavisd-new (1:2.7.1-2ubuntu3) This report has to do with a problem between the interaction of the spamassassin and amavisd-new packages, but the problem is with /etc/cron.daily/spamassassin. /etc/cron.daily/spamassassin executes the following line: su - debian-spamd -c sa-update --gpghomedir /var/lib/spamassassin/sa- update-keys Since su is invoked with the - option, sa-update executes with the default umask of user debian-spamd. In my case that is 007, causing the updated rules , i.e. /var/lib/spamassassin/3.004000/updates_spamassassin_org.cf and /var/lib/spamassassin/3.004000/updates_spamassassin_org/*, to be created with no read access for other. When amavis is restarted, it is unable to read the spamassassin rules, and consequently spamassassin rule checks are not performed on received mail. It appears someone attempted to correct this by adding the line: umask 022 immediately above the call to su mentioned above. This in ineffectual however due to su being called with -. A fix is to change the above su call to this line: su - debian-spamd -c umask 022; sa-update --gpghomedir /var/lib/spamassassin/sa-update-keys A file with the output of 'ubuntu-bug --save=/tmp/sa-bug spamassassin' is attached. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/spamassassin/+bug/1373560/+subscriptions -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to spamassassin in Ubuntu. https://bugs.launchpad.net/bugs/1373560 Title: /etc/cron.daily/spamassassin calls sa-update with potentially incorrect umask To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/spamassassin/+bug/1373560/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
