Re: /etc/cron.daily/spamassassin - Update failed, exiting with code 4
Am 14.05.2016 um 21:42 schrieb Bill Keenan:
Bob, the chown fixed the problem.
Reindl, your answer seems to be describing a very different installation from
'sudo apt install spamassassin’. Am I correctly understanding the changes you
are recommending?
it has not to do anything with the package - no you should *never*
install from source if there are packages (i know the troll with now
comes talking about pre-compiled prpblems, ignore him)
nobody is taking away the option of create systemd-timers, systemd-units
and systemd-snippets since you can place whatever you need in
/etc/systemd/system
just because fedora ships a systemd-timer instead a conrd-snippet don't
mean you can't create it at your own on a recent debian
see also https://bugzilla.redhat.com/show_bug.cgi?id=1336143 which
contains the snippet for Fedora to run as non-root
the distribution ships the timer/service and i optimized it with a snippet
https://www.freedesktop.org/software/systemd/man/systemd.timer.html
https://wiki.archlinux.org/index.php/systemd#Drop-in_snippets
_
[root@mail-gw:~]$ cat /usr/lib/systemd/system/sa-update.timer
### Spamassassin Rules Updates ###
#
# http://wiki.apache.org/spamassassin/RuleUpdates
#
# sa-update automatically updates your rules once per day if a spam
daemon like
# spamd or amavisd are running.
[Unit]
Description=Spamassassin Rules Update timer
Documentation=man:sa-update(1)
[Timer]
OnCalendar=daily
[Install]
WantedBy=spamassassin.service
_
[root@mail-gw:~]$ cat /usr/lib/systemd/system/sa-update.service
### Spamassassin Rules Updates ###
#
# http://wiki.apache.org/spamassassin/RuleUpdates
#
# sa-update automatically updates your rules once per day if a spam
daemon like
# spamd or amavisd are running.
[Unit]
Description=Spamassassin Rules Update
Documentation=man:sa-update(1)
[Service]
# Note that the opposite of "yes" is the empty string, NOT "no"
# Options for the actual sa-update command
# These are added to the channel configuration from
# /etc/mail/spamassassin/channel.d/*.conf
Environment=OPTIONS=-v
# Debug script - send mail even if no update available
#Environment=DEBUG=yes
# Send mail when updates successfully processed
# Default: send mail only on error
#Environment=NOTIFY_UPD=yes
ExecStart=/usr/share/spamassassin/sa-update.cron
SuccessExitStatus=1
On May 14, 2016, at 11:31 AM, Reindl Harald wrote:
Am 14.05.2016 um 20:09 schrieb Bob Proulx:
I see start-stop-daemon and so assume you are running either Debian or
Ubuntu where the process runs as a non-root user. As can be seen the
--chuid debian-spamd:debian-spamd option runs the process as a
non-root user. But very commonly people manually run the download as
root which then creates /var/lib/spamassassin as root. Once that
happens the non-root debian-spamd is locked out.
To restore permissions:
chown -R debian-spamd:debian-spamd /var/lib/spamassassin
And in the future avoid running it as root manually. With great power
comes great responsibility. :-)
you have the same problem on Fedora if your umask is sane
the real fix would be make sure that folders / files have chmod 755/644 because you *do
not* want run "sa-update" as the same user the daemon runs and so have
write-permissions for the daemon
a real clean and secuer setup needs a own user, in our case "sa-cleanup" which
is also the only one with write permissions to bayes-samples and the spamd-service making
sure permissions are sane so that the user spamd is uisng has read permissions
___
spamassassin.service
PermissionsStartOnly=true
User=sa-milt
Group=sa-milt
ExecStartPre=/usr/bin/chown -R sa-cleanup:root /var/lib/spamassassin/
ExecStartPre=/usr/bin/find /var/lib/spamassassin/ -type d -exec /bin/chmod 0755
"{}" \;
ExecStartPre=/usr/bin/find /var/lib/spamassassin/ -type f -exec /bin/chmod 0644
"{}" \;
___
[root@mail-gw:~]$ systemctl status sa-update.service
? sa-update.service - Spamassassin Rules Update
Loaded: loaded (/usr/lib/systemd/system/sa-update.service; static; vendor
preset: disabled)
Drop-In: /etc/systemd/system/sa-update.service.d
??update-user.conf
Active: inactive (dead) since Sa 2016-05-14 01:58:47 CEST; 18h ago
Docs: man:sa-update(1)
Main PID: 9728 (code=exited, status=0/SUCCESS)
___
[root@mail-gw:~]$ cat /etc/systemd/system/sa-update.service.d/update-user.conf
[Service]
User=sa-cleanup
Group=sa-milt
[root@mail-gw:
signature.asc
Description: OpenPGP digital signature
Re: /etc/cron.daily/spamassassin - Update failed, exiting with code 4
Bob, the chown fixed the problem.
Reindl, your answer seems to be describing a very different installation from
'sudo apt install spamassassin’. Am I correctly understanding the changes you
are recommending?
> On May 14, 2016, at 11:31 AM, Reindl Harald wrote:
>
>
>
> Am 14.05.2016 um 20:09 schrieb Bob Proulx:
>> I see start-stop-daemon and so assume you are running either Debian or
>> Ubuntu where the process runs as a non-root user. As can be seen the
>> --chuid debian-spamd:debian-spamd option runs the process as a
>> non-root user. But very commonly people manually run the download as
>> root which then creates /var/lib/spamassassin as root. Once that
>> happens the non-root debian-spamd is locked out.
>>
>> To restore permissions:
>>
>> chown -R debian-spamd:debian-spamd /var/lib/spamassassin
>>
>> And in the future avoid running it as root manually. With great power
>> comes great responsibility. :-)
>
> you have the same problem on Fedora if your umask is sane
>
> the real fix would be make sure that folders / files have chmod 755/644
> because you *do not* want run "sa-update" as the same user the daemon runs
> and so have write-permissions for the daemon
>
> a real clean and secuer setup needs a own user, in our case "sa-cleanup"
> which is also the only one with write permissions to bayes-samples and the
> spamd-service making sure permissions are sane so that the user spamd is
> uisng has read permissions
> ___
>
> spamassassin.service
>
> PermissionsStartOnly=true
> User=sa-milt
> Group=sa-milt
> ExecStartPre=/usr/bin/chown -R sa-cleanup:root /var/lib/spamassassin/
> ExecStartPre=/usr/bin/find /var/lib/spamassassin/ -type d -exec /bin/chmod
> 0755 "{}" \;
> ExecStartPre=/usr/bin/find /var/lib/spamassassin/ -type f -exec /bin/chmod
> 0644 "{}" \;
> ___
>
> [root@mail-gw:~]$ systemctl status sa-update.service
> ? sa-update.service - Spamassassin Rules Update
> Loaded: loaded (/usr/lib/systemd/system/sa-update.service; static; vendor
> preset: disabled)
> Drop-In: /etc/systemd/system/sa-update.service.d
> ??update-user.conf
> Active: inactive (dead) since Sa 2016-05-14 01:58:47 CEST; 18h ago
>Docs: man:sa-update(1)
> Main PID: 9728 (code=exited, status=0/SUCCESS)
> ___
>
> [root@mail-gw:~]$ cat /etc/systemd/system/sa-update.service.d/update-user.conf
> [Service]
> User=sa-cleanup
> Group=sa-milt
> [root@mail-gw:
>
Re: /etc/cron.daily/spamassassin - Update failed, exiting with code 4
Am 14.05.2016 um 20:09 schrieb Bob Proulx:
I see start-stop-daemon and so assume you are running either Debian or
Ubuntu where the process runs as a non-root user. As can be seen the
--chuid debian-spamd:debian-spamd option runs the process as a
non-root user. But very commonly people manually run the download as
root which then creates /var/lib/spamassassin as root. Once that
happens the non-root debian-spamd is locked out.
To restore permissions:
chown -R debian-spamd:debian-spamd /var/lib/spamassassin
And in the future avoid running it as root manually. With great power
comes great responsibility. :-)
you have the same problem on Fedora if your umask is sane
the real fix would be make sure that folders / files have chmod 755/644
because you *do not* want run "sa-update" as the same user the daemon
runs and so have write-permissions for the daemon
a real clean and secuer setup needs a own user, in our case "sa-cleanup"
which is also the only one with write permissions to bayes-samples and
the spamd-service making sure permissions are sane so that the user
spamd is uisng has read permissions
___
spamassassin.service
PermissionsStartOnly=true
User=sa-milt
Group=sa-milt
ExecStartPre=/usr/bin/chown -R sa-cleanup:root /var/lib/spamassassin/
ExecStartPre=/usr/bin/find /var/lib/spamassassin/ -type d -exec
/bin/chmod 0755 "{}" \;
ExecStartPre=/usr/bin/find /var/lib/spamassassin/ -type f -exec
/bin/chmod 0644 "{}" \;
___
[root@mail-gw:~]$ systemctl status sa-update.service
? sa-update.service - Spamassassin Rules Update
Loaded: loaded (/usr/lib/systemd/system/sa-update.service; static;
vendor preset: disabled)
Drop-In: /etc/systemd/system/sa-update.service.d
??update-user.conf
Active: inactive (dead) since Sa 2016-05-14 01:58:47 CEST; 18h ago
Docs: man:sa-update(1)
Main PID: 9728 (code=exited, status=0/SUCCESS)
___
[root@mail-gw:~]$ cat
/etc/systemd/system/sa-update.service.d/update-user.conf
[Service]
User=sa-cleanup
Group=sa-milt
[root@mail-gw:
signature.asc
Description: OpenPGP digital signature
Re: /etc/cron.daily/spamassassin - Update failed, exiting with code 4
Bill Keenan wrote: > > > env -i LANG="$LANG" PATH="$PATH" start-stop-daemon \ > > > --chuid debian-spamd:debian-spamd --start \ > > > --exec /usr/bin/sa-update -- -v \ > > > --gpghomedir /var/lib/spamassassin/sa-update-keys 2>&1 > > RW wrote: > > 23 Write error. Curl couldn't write data to a local filesystem or > > similar. > > RW, thanks for looking up the cURL error. I was so focused on > googling, I failed to RTM. I don’t know why, but I have something to > focus my investigation on. I see start-stop-daemon and so assume you are running either Debian or Ubuntu where the process runs as a non-root user. As can be seen the --chuid debian-spamd:debian-spamd option runs the process as a non-root user. But very commonly people manually run the download as root which then creates /var/lib/spamassassin as root. Once that happens the non-root debian-spamd is locked out. To restore permissions: chown -R debian-spamd:debian-spamd /var/lib/spamassassin And in the future avoid running it as root manually. With great power comes great responsibility. :-) Bob
Re: /etc/cron.daily/spamassassin - Update failed, exiting with code 4
John, the errors I showed were from adding a -v to the /bin/sh and doing sudo spamassissin. RW, thanks for looking up the cURL error. I was so focused on googling, I failed to RTM. I don’t know why, but I have something to focus my investigation on. > On May 14, 2016, at 4:18 AM, RW wrote: > > On Fri, 13 May 2016 14:57:02 -0700 > Bill Keenan wrote: > >> Googling this turns up some speculation…are the 4 curls failing >> because of a mirror problem? Shame on me for not watching…I do not >> know when this error started to occur. If there is a fix, where is it >> documented? >> >> Bill >> >> SpamAssassin version 3.4.1 >> running on Perl version 5.20.2 >> >> # Update >> umask 022 >> env -i LANG="$LANG" PATH="$PATH" start-stop-daemon \ >> --chuid debian-spamd:debian-spamd --start \ >> --exec /usr/bin/sa-update -- -v \ >> --gpghomedir /var/lib/spamassassin/sa-update-keys 2>&1 >> Update available for channel updates.spamassassin.org: 1742071 -> >> 1743481 http: (curl) GET http://sa-update.secnap.net/1743481.tar.gz, >> FAILED, status: exit 23 http: (curl) GET >> http://www.sa-update.pccc.com/1743481.tar.gz, FAILED, status: exit 23 >> http: (curl) GET http://sa-update.space-pro.be/1743481.tar.gz, >> FAILED, status: exit 23 http: (curl) GET >> http://sa-update.dnswl.org/1743481.tar.gz, FAILED, status: exit 23 >> channel: could not find working mirror, channel failed Update failed, >> exiting with code 4 >> > > From the curl man page: > > 23 Write error. Curl couldn't write data to a local filesystem or > similar.
Re: /etc/cron.daily/spamassassin - Update failed, exiting with code 4
On Fri, 13 May 2016 14:57:02 -0700 Bill Keenan wrote: > Googling this turns up some speculation…are the 4 curls failing > because of a mirror problem? Shame on me for not watching…I do not > know when this error started to occur. If there is a fix, where is it > documented? > > Bill > > SpamAssassin version 3.4.1 > running on Perl version 5.20.2 > > # Update > umask 022 > env -i LANG="$LANG" PATH="$PATH" start-stop-daemon \ > --chuid debian-spamd:debian-spamd --start \ > --exec /usr/bin/sa-update -- -v \ > --gpghomedir /var/lib/spamassassin/sa-update-keys 2>&1 > Update available for channel updates.spamassassin.org: 1742071 -> > 1743481 http: (curl) GET http://sa-update.secnap.net/1743481.tar.gz, > FAILED, status: exit 23 http: (curl) GET > http://www.sa-update.pccc.com/1743481.tar.gz, FAILED, status: exit 23 > http: (curl) GET http://sa-update.space-pro.be/1743481.tar.gz, > FAILED, status: exit 23 http: (curl) GET > http://sa-update.dnswl.org/1743481.tar.gz, FAILED, status: exit 23 > channel: could not find working mirror, channel failed Update failed, > exiting with code 4 > From the curl man page: 23 Write error. Curl couldn't write data to a local filesystem or similar.
Re: /etc/cron.daily/spamassassin - Update failed, exiting with code 4
On Fri, 13 May 2016, Bill Keenan wrote: Googling this turns up some speculation…are the 4 curls failing because of a mirror problem? Shame on me for not watching…I do not know when this error started to occur. If there is a fix, where is it documented? Bill SpamAssassin version 3.4.1 running on Perl version 5.20.2 # Update umask 022 env -i LANG="$LANG" PATH="$PATH" start-stop-daemon \ --chuid debian-spamd:debian-spamd --start \ --exec /usr/bin/sa-update -- -v \ --gpghomedir /var/lib/spamassassin/sa-update-keys 2>&1 Update available for channel updates.spamassassin.org: 1742071 -> 1743481 http: (curl) GET http://sa-update.secnap.net/1743481.tar.gz, FAILED, status: exit 23 http: (curl) GET http://www.sa-update.pccc.com/1743481.tar.gz, FAILED, status: exit 23 http: (curl) GET http://sa-update.space-pro.be/1743481.tar.gz, FAILED, status: exit 23 http: (curl) GET http://sa-update.dnswl.org/1743481.tar.gz, FAILED, status: exit 23 channel: could not find working mirror, channel failed Update failed, exiting with code 4 ...what happens when you try to download that file interactively? -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- Justice is justice, whereas "social justice" is code for one set of rules for the rich, another for the poor; one set for whites, another set for minorities; one set for straight men, another for women and gays. In short, it's the opposite of actual justice. -- Burt Prelutsky --- 143 days since the first successful real return to launch site (SpaceX)
/etc/cron.daily/spamassassin - Update failed, exiting with code 4
Googling this turns up some speculation…are the 4 curls failing because of a mirror problem? Shame on me for not watching…I do not know when this error started to occur. If there is a fix, where is it documented? Bill SpamAssassin version 3.4.1 running on Perl version 5.20.2 # Update umask 022 env -i LANG="$LANG" PATH="$PATH" start-stop-daemon \ --chuid debian-spamd:debian-spamd --start \ --exec /usr/bin/sa-update -- -v \ --gpghomedir /var/lib/spamassassin/sa-update-keys 2>&1 Update available for channel updates.spamassassin.org: 1742071 -> 1743481 http: (curl) GET http://sa-update.secnap.net/1743481.tar.gz, FAILED, status: exit 23 http: (curl) GET http://www.sa-update.pccc.com/1743481.tar.gz, FAILED, status: exit 23 http: (curl) GET http://sa-update.space-pro.be/1743481.tar.gz, FAILED, status: exit 23 http: (curl) GET http://sa-update.dnswl.org/1743481.tar.gz, FAILED, status: exit 23 channel: could not find working mirror, channel failed Update failed, exiting with code 4
