Gene, how many times has a machine you've set up been rootkitted lately?
Are you asking us to help you set up another one?
{^_-}
----- Original Message -----
From: "Gene Heskett" <[EMAIL PROTECTED]>
To: <users@spamassassin.apache.org>
Sent: 2005 December, 14, Wednesday 18:24
Subject: Re: perm probs with SA (repost as gmail accnt didn't get there)
On Wednesday 14 December 2005 02:11, Matt Kettler wrote:
At 01:34 AM 12/14/2005, Gene Heskett wrote:
Now, pursuant to someone else's advice, I've got those directories,
both /root/.spamassassin and /etc/mail/spamassasin have been
subjected to a chown -R spamd:spamd, but the perms problems
continue, and this frigging paypal/ebay phishing is coming in at
about 200 copies a day.
Gene, are you using /root/ as the homedir for your spamd user?
No, it's spamd that's using /root because it's running as root and totally
ignoring the -u spamd in its launching options. I got another idea,
in the /etc/init.d/spamd script, I'm going to put an su -c
"command"$options in it and see if that works.
There has to be some way to make spamd run as the user spamd. OTOH, if
I, as root, do an su spamd, then I don't have permissions to read, let
alone write to my home dir, /home/spamd!
[EMAIL PROTECTED] spamd]$ ls
[EMAIL PROTECTED] spamd]$ pwd
/home/spamd
[EMAIL PROTECTED] spamd]$
But:
[EMAIL PROTECTED] .spamassassin]# whoami
root
[EMAIL PROTECTED] .spamassassin]# su spamd
[EMAIL PROTECTED] .spamassassin]$ ls
ls: .: Permission denied
[EMAIL PROTECTED] .spamassassin]$ pwd
/home/spamd/.spamassassin
Fortunately unix is protecting you from yourself here. Your effort
to give spamd rights to /root/.spammassassin is foolish and outright
dangerous.
No doubt, but I'm just trying to figure out two things.
1. Why won't spamd run as the user spamd
2. Why can't the user spamd see, read or write to his own home dir?
Since spamd has no rights to /root, it can't read
/root/.spamassassin. But stop trying to give spamd any rights to
root's homedir. It's a dangerous game. You really don't want it to
have any rights to these files.
Make sure the spamd user has its OWN homedir in /home/spamd, or some
such thing.
It does, and its contents are now a copy of /etc/mail/spamassassin, as
follows:
Well, I was gonna show you, but while root can see all of it, spamd is
effectively blind, see above.
Make sure the /etc/passwd entry for the spamd user reflects this, and
if it doesn't, make use of usermod or similar tools to change it.
From /etc/passwd:
spamd:x:1002:1002::/home/spamd:/bin/bash
From /etc/group:
spamd:x:1002:
At that point spamd should start reading from
/home/spamd/.spamassassin, and not /root/.spamassasin. If it
persists, there's a bug in SA.
File it.
Be sure to chown -R /root/.spamassassin back to root's ownership
ASAP, as that's a bit dangerous and could lead to a privilege
escalation attack, were spamd actually able to make use of it (which
fortunately it can't).
Done. The whole /root tree even.
I'd also suggest chowning /etc/mail/spamassassin back into root's
ownership. The spamd user has no need for ownership rights over this
directory, it only needs to be able to read and list files in it
(world r_x for the directories, r__ for the files)
chown done. And those files with write got a chmod 0644.
In /home, the spamd subdir needs fixing though, it's not group and world
readable, and the dir wasn't even executable to the user spamd. Fixed
all that. But after yet another spamd restart, htop says it is still
running as root, but the messages log argues with that:
Dec 14 21:03:28 coyote su(pam_unix)[28992]: session opened for user
spamd by root(uid=0)
Dec 14 21:05:50 coyote su(pam_unix)[28992]: session closed for user
spamd
Dec 14 21:06:22 coyote spamd: spamd shutdown succeeded
Dec 14 21:06:24 coyote spamd: spamd startup succeeded
Htop is lying to me? Sure looks like it. Now go see what the tail on
the maillog says:
It shows none of those errors on the last 3 mail fetches. And then it's
back again:
Dec 14 21:12:02 coyote spamd[29107]: spamd: connection from
localhost.localdomain [127.0.0.1] at port 46775
Dec 14 21:12:02 coyote spamd[29107]: spamd: creating
default_prefs: /root/.spamassassin/user_prefs
Dec 14 21:12:02 coyote spamd[29107]: config: cannot write
to /root/.spamassassin/user_prefs: Permission denied
Dec 14 21:12:02 coyote spamd[29107]: spamd: failed to create readable
default_prefs: /root/.spamassassin/user_prefs
Dec 14 21:12:02 coyote spamd[29107]: spamd: processing message
<[EMAIL PROTECTED]> for
root:1002
Dec 14 21:12:02 coyote spamd[29107]: Can't locate IP/Country/Fast.pm in
@INC (@INC
contains: ../lib /usr/lib/perl5/site_perl/5.8.3/i386-linux-thread-multi
/usr/lib/perl5/site_perl/5.8.3 /usr/lib/perl5/5.8.3/i386-linux-thread-multi
/usr/lib/perl5/5.8.3 /usr/lib/perl5/site_perl/5.8.2/i386-linux-thread-multi
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi
/usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.2
/usr/lib/perl5/site_perl/5.8.1 /usr/lib/perl5/site_perl/5.8.0 /usr/lib/perl5/site_perl
/usr/lib/perl5/vendor_perl/5.8.3/i386-linux-thread-multi
/usr/lib/perl5/vendor_perl/5.8.2/i386-linux-thread-multi
/usr/lib/perl5/vendor_perl/5.8.1/i386-linux-thread-multi
/usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.3
/usr/lib/perl5/vendor_perl/5.8.2 /usr/lib/perl5/vendor_perl/5.8.1
/usr/lib/perl5/vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl)
at /usr/lib/perl5/site_perl/5.8.3/Mail/SpamAssassin/Plugin/RelayCountry.pm
line 66, <GEN32> line 114.
Dec 14 21:12:03 coyote spamd[29107]: locker: safe_lock: cannot create
tmp
lockfile /root/.spamassassin/auto-whitelist.lock.coyote.coyote.den.29107
for /root/.spamassassin/auto-whitelist.lock: Permission denied
Dec 14 21:12:03 coyote spamd[29107]: auto-whitelist: open of
auto-whitelist file failed: locker: safe_lock: cannot create tmp
lockfile /root/.spamassassin/auto-whitelist.lock.coyote.coyote.den.29107
for /root/.spamassassin/auto-whitelist.lock: Permission denied
Dec 14 21:12:03 coyote spamd[29107]: Can't call method "finish" on an
undefined value
at /usr/lib/perl5/site_perl/5.8.3/Mail/SpamAssassin/Plugin/AWL.pm line
397, <GEN32> line 114.
Dec 14 21:12:03 coyote spamd[29107]: spamd: clean message (0.3/5.0) for
root:1002 in 0.4 seconds, 5594 bytes.
Dec 14 21:12:03 coyote spamd[29107]: spamd: result: . 0 -
MAILTO_TO_SPAM_ADDR
scantime=0.4,size=5594,user=root,uid=1002,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=46775,mid=<[EMAIL
PROTECTED]>,autolearn=no
Dec 14 21:12:03 coyote spamd[29103]: prefork: child states: IBI
Dec 14 21:12:03 coyote spamd[29103]: prefork: child states: III
Dec 14 21:12:03 coyote spamd[29103]: prefork: child states: IIK
Dec 14 21:12:03 coyote spamd[29103]: spamd: handled cleanup of child
pid 29246 due to SIGCHLD
Dec 14 21:12:03 coyote spamd[29103]: prefork: select returned error on
server filehandle:
File the bug. This is ridiculous. Or tell me what else to fix if
there are clues in the other errors reported above that have anything
to do with this.
--
Cheers, Gene
People having trouble with vz bouncing email to me should use this
address: <[EMAIL PROTECTED]> which bypasses vz's
stupid bounce rules. I do use spamassassin too. :-)
Yahoo.com and AOL/TW attorneys please note, additions to the above
message by Gene Heskett are:
Copyright 2005 by Maurice Eugene Heskett, all rights reserved.
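The two questions Gene is chasing above, whether spamd has really dropped to uid 1002 and whether the spamd user can get into /home/spamd at all, can be checked directly instead of trusting htop's USER column. This is an added example, not code from the thread or from SpamAssassin; it assumes a Linux /proc and, for the live mode only, GNU stat, pgrep and id.

```shell
#!/bin/sh
# Check (1): which uid a running spamd really has, read from /proc.
# Check (2): whether the spamd user can list (r) and traverse (x) a dir,
# using the same owner/group/other selection the kernel applies.
# Both are pure functions over explicit inputs, so they can be run on
# constructed samples as well as against a live box.

# Print "<real uid> <effective uid>" from /proc/<pid>/status text on stdin.
# A daemon started by root that dropped privileges prints e.g. "0 1002".
proc_uids() {
    awk '/^Uid:/ { print $2, $3 }'
}

# Exit 0 if the effective uid in the status text on stdin equals $1.
dropped_to() {
    want="$1"
    set -- $(proc_uids)
    [ "$2" = "$want" ]
}

# dir_usable_by MODE OWNER GROUP USER "GROUPS..."
# Exit 0 if USER can both list and traverse a directory with octal MODE
# owned by OWNER:GROUP.  Only ONE bit triplet applies: owner if USER owns
# it, else group if GROUP is among USER's groups, else other.  So a 0750
# root:root /home/spamd is unusable by spamd however generous the owner
# bits look.
dir_usable_by() {
    mode="$1" owner="$2" group="$3" user="$4" groups="$5"
    mode=${mode#${mode%???}}            # keep the last three octal digits
    if [ "$user" = "$owner" ]; then
        d=${mode%??}
    else
        case " $groups " in
            *" $group "*) d=${mode#?}; d=${d%?} ;;
            *)            d=${mode#??} ;;
        esac
    fi
    [ $(( d & 5 )) -eq 5 ]              # need both r (4) and x (1)
}

# Live use: ./spamd_check.sh --live [pid]  (hypothetical script name)
if [ "${1-}" = "--live" ]; then
    pid=${2:-$(pgrep -x spamd | head -n 1)}
    [ -n "$pid" ] || { echo "spamd is not running"; exit 1; }
    echo "spamd pid $pid real/effective uid: $(proc_uids < "/proc/$pid/status")"
    set -- $(stat -c '%a %U %G' /home/spamd)
    dir_usable_by "$1" "$2" "$3" spamd "$(id -Gn spamd)" \
        && echo "/home/spamd: listable and searchable by spamd" \
        || echo "/home/spamd: NOT listable+searchable by spamd"
fi
```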