FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > CentOS > CentOS

 
 
LinkBack Thread Tools
 
Old 07-18-2008, 10:26 AM
Hywel Richards
 
Default Spamassassin as root and pyzor

I've just set up a new mailserver using Centos5.2
(sendmail+clamav-milter+spamass-milter).


I'm using the spamass-milter package from rpmforge
(spamass-milter-0.3.1-1.el5.rf).


I notice that the default setup is to run it as root. I set up my
previous mailserver on Centos4, and I can't remember if I did anything
special, but on that machine it runs as user "sa-milt".


Is it safe/recommended to run spamass-milter as root? Does it in fact
shed the root privileges or something like that when it actually does
some processing anyway? Are there good reasons why I should leave it run
as root (besides it being the least effort option)? I found a few
discussions on this topic on the web but I have ended up confused and
would appreciate some advice.


Ideally I would like a link to a webpage entitled "How I learnt to stop
worrying and run spamass-milter as root".


Also, a related question: is it worth installing pyzor, or will
spamassassin on its own be enough? I ask because pyzor doesn't seem to
be in any of the main repositories.


Thanks in advance,
Hywel.

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 07-18-2008, 02:37 PM
Paul Heinlein
 
Default Spamassassin as root and pyzor

On Fri, 18 Jul 2008, Hywel Richards wrote:

I've just set up a new mailserver using Centos5.2
(sendmail+clamav-milter+spamass-milter).


I'm using the spamass-milter package from rpmforge
(spamass-milter-0.3.1-1.el5.rf).


I notice that the default setup is to run it as root. I set up my
previous mailserver on Centos4, and I can't remember if I did
anything special, but on that machine it runs as user "sa-milt".


Is it safe/recommended to run spamass-milter as root? Does it in
fact shed the root privileges or something like that when it
actually does some processing anyway? Are there good reasons why I
should leave it run as root (besides it being the least effort
option)? I found a few discussions on this topic on the web but I
have ended up confused and would appreciate some advice.


The milter has to pass the "-c username" option to spamc. I'm not sure
if SpamAssassin would be able to read per-user configs unless the
milter user had permission to launch spamc in setuid mode.


Also, if you use the "-x" option to expand aliases, the milter has to
call "sendmail -bv" -- an operation the requires root or TrustedUser
privileges.


The ClamAV milter runs as user "clamav," but it doesn't have any
setuid code because there are no per-user settings.


--
Paul Heinlein <> heinlein@madboa.com <> http://www.madboa.com/
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 07-20-2008, 09:34 PM
"Spiro Harvey, Knossos Networks Ltd"
 
Default Spamassassin as root and pyzor

Ideally I would like a link to a webpage entitled "How I learnt to stop
worrying and run spamass-milter as root".


We've got a few boxen running spamd as non-privileged user, but
spamassassin milter runs as root with no problems.


On the flip-side to your query, I haven't found anything that states
spamass milter shouldn't be run as root.


Also, a related question: is it worth installing pyzor, or will
spamassassin on its own be enough? I ask because pyzor doesn't seem to
be in any of the main repositories.


Don't know about Pyzor specifically, but we use Vipal's Razor with
success. Our situation is that we're an ISP, so we like the extra
checking to be as absolutely sure as possible that we're only rejecting
real spam. of course a few spams still trickle through but we haven't
had a single false positive.


--
Spiro Harvey Knossos Networks Ltd
021-295-1923 www.knossos.net.nz

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 07-25-2008, 10:46 AM
Hywel Richards
 
Default Spamassassin as root and pyzor

First, many thanks to Paul and Spiro for your help with this.

Spiro Harvey, Knossos Networks Ltd wrote:
Ideally I would like a link to a webpage entitled "How I learnt to
stop worrying and run spamass-milter as root".


We've got a few boxen running spamd as non-privileged user, but
spamassassin milter runs as root with no problems.


On the flip-side to your query, I haven't found anything that states
spamass milter shouldn't be run as root.


I eventually did run into problems running spamass-milter as root in
that spamd tried to run as "nobody" which has a homedir as "/", and of
course could not find any configs and could not set lockfiles, etc.


E.g. from my maillog:
Jul 21 11:46:15 elbrus spamd[12517]: spamd: still running as root:
user not specified with -u, not found, or set to root, falling back to
nobody
Jul 21 11:46:15 elbrus spamd[12517]: spamd: processing message
<alpine.LRH.1.10.0807211145440.21127> for root:99
Jul 21 11:46:16 elbrus spamd[12517]: auto-whitelist: open of
auto-whitelist file failed: locker: safe_lock: cannot create tmp
lockfile /.spamassassin/auto-whitelist.lock.elbrus.12517 for
/.spamassassin/auto-whitelist.lock: No such file or directory


So I created a new sa-milt user (with a suitable home directory) and
used that (fixed the spamass-milter init script to do "daemon --user").
Running the milter as "sa-milt" seems to cause spamd to run as
"sa-milt". It meant a bit of hassle relocating the socket to a sa-milt
owned directory, etc, but at least it does seem to work now. Perhaps it
would be more appropriate for the spamass-milter package to come like this?
Also, a related question: is it worth installing pyzor, or will
spamassassin on its own be enough? I ask because pyzor doesn't seem
to be in any of the main repositories.


Don't know about Pyzor specifically, but we use Vipal's Razor with
success. Our situation is that we're an ISP, so we like the extra
checking to be as absolutely sure as possible that we're only
rejecting real spam. of course a few spams still trickle through but
we haven't had a single false positive.



And there are Dag el5 packages for razor too!

However, still having some problems setting this up.
If I run spamassassin on the command-line it seems to use it, but not
from spamass-milter :-(


Hywel.

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 

Thread Tools




All times are GMT. The time now is 11:14 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org