Bug#790938: spamassassin on Jessie fails with /var mounted noexec

Fri, 03 Jul 2015 01:25:09 -0700 

Package: spamassassin
Version: 3.4.0-6
Tags: jessie

Debian version: 8.1
Kernel version: 3.16.0-4-kirkwood #1 Debian 3.16.7-ckt11-1 (2015-05-24) armv5tel GNU/Linux 

Hi,

For years, I've had my server mount /tmp and /var noexec, as a security 
measure (since I met an attempt to run code uploaded in /var through an 
exim security bug).



However, this causes spamassassin to fail because /var being mounted 
noexec keeps it from loading this file:

/var/lib/spamassassin/compiled/5.020/3.004000/auto/Mail/SpamAssassin/CompiledRegexps/body_0/body_0.so

The error messages are:

juil. 02 08:02:15 myserver spamd[785]: Can't load 
'/var/lib/spamassassin/compiled/5.020/3.004000/auto/Mail/SpamAssassin/CompiledRegexps/body_0/body_0.so' 
for module Mail::SpamAssassin::CompiledRegexps::body_0: 
/var/lib/spamassassin/compiled/5.020/3.004000/auto/Mail/SpamAssassin/CompiledRegexps/body_0/body_0.so: 
échec d'adressage (mapping) du segment de l'objet partagé: Opération non 
permise at /usr/share/perl/5.20/XSLoader.pm line 68.
juil. 02 08:02:15 myserver spamd[785]: at 
/var/lib/spamassassin/compiled/5.020/3.004000/Mail/SpamAssassin/CompiledRegexps/body_0.pm 
line 378.
juil. 02 08:02:15 sphinx2 spamd[785]: Can't load 
'/var/lib/spamassassin/compiled/5.020/3.004000/auto/Mail/SpamAssassin/CompiledRegexps/body_0/body_0.so' 
for module Mail::SpamAssassin::CompiledRegexps::body_0: 
/var/lib/spamassassin/compiled/5.020/3.004000/auto/Mail/SpamAssassin/CompiledRegexps/body_0/body_0.so: 
échec d'adressage (mapping) du segment de l'objet partagé: Opération non 
permise at /usr/share/perl/5.20/XSLoader.pm line 68.
juil. 02 08:02:15 myserver spamd[785]: at 
/var/lib/spamassassin/compiled/5.020/3.004000/Mail/SpamAssassin/CompiledRegexps/body_0.pm 
line 378.
juil. 02 08:02:15 myserver spamd[785]: BEGIN failed--compilation aborted 
at 
/var/lib/spamassassin/compiled/5.020/3.004000/Mail/SpamAssassin/CompiledRegexps/body_0.pm 
line 379.
juil. 02 08:02:15 myserver spamd[785]: Compilation failed in require at 
(eval 947) line 1.


The French above seems to be the translation for:
"failed to map segment from shared object: Permission denied"


I realize this is not really a software bug, but I consider this a 
security issue nonetheless (I have to mount -o remount,exec /var to 
solve the issue). Do shared objects (.so libraries) really belong in 
/var? What would be a better location?


Yves.


--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org















    











					Reply via email to