RE: spamd runs as root on Fedora Server 38 ?! - was Re: Newb on sa-learn - didn't get what I expected as a response...
> > I should probably add that I personally don't do per-user config because > of the enlarged attack surface it presents and small marginal value, but > that's guided by local details. I work with systems owned by others > where other choices were made for very sound reasons and they have not > had security problems with it, in many years of operations. What you > choose to do should be based on what YOU want. > I have a setup where I globally mark spam and users have the option to 'unmark' messages from senders. So every user has a little db with white listed email addresses. This could be a nice step before going full per-user config.
Re: spamd runs as root on Fedora Server 38 ?! - was Re: Newb on sa-learn - didn't get what I expected as a response...
On 2023-07-07 at 12:08:22 UTC-0400 (Fri, 7 Jul 2023 09:08:22 -0700 (PDT)) Richard Troy is rumored to have said: Hi All, I changed the subject line to hopefully get some insight from a wider audience regarding this situation that Reindl uncovered: It should be noted that Harald Reindl is not a subscriber to this list and cannot be as a result of past behavior. Nothing can stop him from reading public archives and replying directly to list members, but no one else sees them. SpamAssassin can operate in many different modes. How distribution packagers chose the 'default' for their installations is beyond the scope of the SA project per se, and the specific packagers should be consulted if you need an explanation of their choices. If you want spamd to be able to access the per-user preferences and databases for AWL/TxRep and/or Bayes of real system users, spamd must run as root OR you must devise another working configuration which allows that to work. This can be avoided by using virtual users or storing per-user configuration in a database rather than in files on disk. You can also dispense entirely with spamd and have a milter like MIMEDefang call the SA libraries directly, but you still need *SOMETHING* running as root (or a semi-privileged user) if you want to use per-user configuration living in a POSIX filesystem. Arguing over which model is better is pointless, because they are chosen based on local needs. Scolding people for their choice of the reasonable options is just silly. I should probably add that I personally don't do per-user config because of the enlarged attack surface it presents and small marginal value, but that's guided by local details. I work with systems owned by others where other choices were made for very sound reasons and they have not had security problems with it, in many years of operations. What you choose to do should be based on what YOU want. -- Bill Cole b...@scconsult.com or billc...@apache.org (AKA @grumpybozo and many *@billmail.scconsult.com addresses) Not Currently Available For Hire
Re: spamd runs as root on Fedora Server 38 ?! - was Re: Newb on sa-learn - didn't get what I expected as a response...
Check the systemd unit file. It should set the user the service runs as.
Re: Newb on sa-learn - didn't get what I expected as a response...
On Fri, 7 Jul 2023, Reindl Harald wrote: OF COURSE! For me, THE key questions have to do with the learning aspect (and maybe logging): What's the directory that, for example, sa-learn has to write into? ... Again, pointers would be nice - it's not like I was planning to spend my day doing this; I have a customer visit planned that's coming up soon! I just don't have much time! sorry - i can't translate our configs and setup dating 9 years back and nothing in common with anything from the distribution - "sa-learn" needs to write where the bayes-db lives, nothing else No worries, you've been a big help! ... You and Jared Hall! Richard
Re: Newb on sa-learn - didn't get what I expected as a response...
On Fri, 7 Jul 2023, Reindl Harald wrote: /usr is package terriotory and MUST NOT BE owned by anybody than root and read-only for the world just give common sense another few seconds! only the files/folders which are supposed to be written by any deamon should be writeable for the user the daemnon is running with you don't want an exploit happening somewhere in teh filter chain modify your binaries/scripts OF COURSE! For me, THE key questions have to do with the learning aspect (and maybe logging): What's the directory that, for example, sa-learn has to write into? ... Again, pointers would be nice - it's not like I was planning to spend my day doing this; I have a customer visit planned that's coming up soon! I just don't have much time! Richard
spamd runs as root on Fedora Server 38 ?! - was Re: Newb on sa-learn - didn't get what I expected as a response...
Hi All, I changed the subject line to hopefully get some insight from a wider audience regarding this situation that Reindl uncovered: It started here: It appears that it IS running as root?! OR maybe as "sa-milt" ... As root I got this: # ps auxwww | grep spamd root 100805 0.0 0.3 158208 121164 ? Ss 00:37 0:05 /usr/bin/perl -T -w /usr/bin/spamd -c -m5 -H --razor-home-dir=/var/lib/razor/ --razor-log-file=sys-syslog Reindl replied: give common sense a few seconds: do you REALLY want to process mails containing junk and malware with root privileges? And went on to share that his Fedora 37 runs as sa-milt. There IS an sa-milt entry in /etc/passwd, so... I just took a few minutes to confirm that the DEFAULT installation on Fedora Server 38 runs spamd as root - at least, that's sure my take from this: # ps -auxwww | grep spam root 192531 2.3 4.0 158360 146936 ? Ss 08:53 0:01 /usr/bin/perl -T -w /usr/bin/spamd -c -m5 -H --razor-home-dir=/var/lib/razor/ --razor-log-file=sys-syslog root 192535 0.0 3.7 158360 137488 ? S08:53 0:00 spamd child root 192536 0.0 3.7 158360 137616 ? S08:53 0:00 spamd child ...GIVEN that this is the DEFAULT on this distribution - a very popular distribution - I'm ... speachless since, as Reindl points out, processing unknown inbound email is NOT a great place to hav a process running as root! THEREFORE: Can anyone give me the quick path to changing this to running as sa-milt, as his system does? Changing the file ownerships is trivial, and I know from doing some packaging for Fedora systems that there's a spot to give the user (and group) IDs programs are supposed to be run under in sysconfig. A quick look shows there are three for Spam Assassin on my system: /etc/sysconfig/spamassassin /etc/sysconfig/spamass-milter /etc/sysconfig/spamass-milter-postfix Before I make changes and possibly screw things up; any advice? Thanks! Richard
Re: Newb on sa-learn - didn't get what I expected as a response...
It appears that it IS running as root?! OR maybe as "sa-milt" ... As root I got this: # ps auxwww | grep spamd root 100805 0.0 0.3 158208 121164 ? Ss 00:37 0:05 /usr/bin/perl -T -w /usr/bin/spamd -c -m5 -H --razor-home-dir=/var/lib/razor/ --razor-log-file=sys-syslog # grep spam /etc/passwd sa-milt:x:976:975:SpamAssassin Milter:/var/lib/spamass-milter:/sbin/nologin So... run it as sa-milt (my guess), or as root? Note that this is on a Fedora Server v 38 - the OS is a couple of months old so your whole setup is more then questionable give common sense a few seconds: do you REALLY want to process mails containing junk and malware with root privileges? Frankly, you make a good point and I was unawares! Back January we had a system failure - nevermind the details - and had to reinstall the OS from scratch, then updated when the new version came out... And I _swear_ I did _NOT_ change anything regarding SA from the defaults not required to just get it running. (We didn't lose /etc, so I just plunked the existing Postfix config back in place and we were up and running!) My guess is that this is the default on Fedora Server, however, I have another system I can confirm that with - but not today, probably. that below is Fedora 37, originally from 2014 cloned from our golden-master VM dating back to 2008 with Fedora 9 not a single distro-systemd-unit in use - never [root@mail-gw:~]$ ps auxwww | grep spam sa-milt 436 0.0 1.2 69708 65192 ?SNs Jun16 11:09 /usr/bin/perl -T -w /usr/bin/spamd --max-children=1 --max-conn-per-child=1000 --local --socketpath=/run/spamd-debug/spamassassin.sock --socketmode=0666 --siteconfigpath=/etc/mail/spamassassin-debug --syslog=stderr 2>/dev/null ...OK, I get it!... I'm not sure "what went wrong" so we ended up with this, but I'm also not sure what the short path is to fixing this issue. There's already an sa-milt in /etc/passwd, but the files are all owned by root - eg: the files in /usr/share/spamassassin Surely these would need to be changed, one would think, and somewhere the code told to run as sa-milt, which I presume isn't THAT hard to find, though I've never dealt with it before. THANKS for pointing this out! Richard
Re: Newb on sa-learn - didn't get what I expected as a response...
(I was running it as root - which the docs don't mention but I figure is what I'm supposed to do!) why do you suppose that? ...Uh... Because otherwise why the -u flag and comments about running it for virtual users? you NEVER run anything as root which isn't a root task - no matter what you run it with the same user you spamd is running Good to know! ...I'd recommend an update to the doc / web page to point out it should be run as the user ID of whatever spamd is using! It appears that it IS running as root?! OR maybe as "sa-milt" ... As root I got this: # ps auxwww | grep spamd root 100805 0.0 0.3 158208 121164 ? Ss 00:37 0:05 /usr/bin/perl -T -w /usr/bin/spamd -c -m5 -H --razor-home-dir=/var/lib/razor/ --razor-log-file=sys-syslog # grep spam /etc/passwd sa-milt:x:976:975:SpamAssassin Milter:/var/lib/spamass-milter:/sbin/nologin So... run it as sa-milt (my guess), or as root? Note that this is on a Fedora Server v 38 - the OS is a couple of months old. Thanks again, Richard
Re: Newb on sa-learn - didn't get what I expected as a response...
On Fri, 7 Jul 2023, Jared Hall wrote: I believe the default format is Maildir. You mention a single file w/ multiple emails which suggests you might be running MBox format? If so, try the --mbox command line switch. -- Jared Hall GREAT CATCH, Jared; you are correct, mine are in mbox format, I think - somehow I guess I overlooked the -mbox switch! Thanks, Richard
Re: Newb on sa-learn - didn't get what I expected as a response...
Am 07.07.23 um 17:04 schrieb Richard: I've FINALLY built up a "corpus" of ham vs spam and also FINALLY had some time to spend on this and just ran sa-learn on, oh, IDK, some 10k email messages or so, I'd guess. And along the way, I NEVER ONCE got the kind of output response back from sa-learn that I expected. For example, here I run it against a file containing just over 2100 spam: $ sa-learn -u richard --spam spam Learned tokens from 0 message(s) (0 message(s) examined) (I was running it as root - which the docs don't mention but I figure is what I'm supposed to do!) why do you suppose that? ...Uh... Because otherwise why the -u flag and comments about running it for virtual users? you NEVER run anything as root which isn't a root task - no matter what you run it with the same user you spamd is running Good to know! ...I'd recommend an update to the doc / web page to point out it should be run as the user ID of whatever spamd is using! Now, I'd guess I should, as root: sa-learn --clear Since I hadn't run sa-learn before, EVER, that I was aware of! ...And THEN run as I've just learned. And, BTW, this makes me happy I scripted calling sa-learn, so re-doing this will be easy! As an aside, "curating" modern ham from my inboxes is time consuming so a lot of the ham I used is older, from saved folders... I saw the warning about old vs new, and the potential effects of that; as my inboxes typically have around 2k messages in them, and going through and making sure NONE are spam is time consuming, is it worth tossing in a few at a time from recent days, such as a day at a time? ...My guess is that nobody can really say what the Bayesian system is going to pick up on exactly, so YES, it can't hurt?! Thanks, Richard
Re: Newb on sa-learn - didn't get what I expected as a response...
On 7/7/2023 11:04 AM, Richard wrote: For example, here I run it against a file containing just over 2100 spam: In the end, I ran it on about four dozen files of ham and about 6 or so files of spam emails, carefully curated. In all these files, I NEVER saw it say it examined more than 1 message and EVERY time it said it examined a message it also said it "learned" 1 token. I believe the default format is Maildir. You mention a single file w/ multiple emails which suggests you might be running MBox format? If so, try the --mbox command line switch. -- Jared Hall
Newb on sa-learn - didn't get what I expected as a response...
Hi SA users, I've FINALLY built up a "corpus" of ham vs spam and also FINALLY had some time to spend on this and just ran sa-learn on, oh, IDK, some 10k email messages or so, I'd guess. And along the way, I NEVER ONCE got the kind of output response back from sa-learn that I expected. For example, here I run it against a file containing just over 2100 spam: $ sa-learn -u richard --spam spam Learned tokens from 0 message(s) (0 message(s) examined) (I was running it as root - which the docs don't mention but I figure is what I'm supposed to do!) In the end, I ran it on about four dozen files of ham and about 6 or so files of spam emails, carefully curated. In all these files, I NEVER saw it say it examined more than 1 message and EVERY time it said it examined a message it also said it "learned" 1 token. Uh... I try not to be stupid; is this normal or am I "doing it wrong!" Thanks, Richard