On Fri, 13 Jan 2017, Bill Cole wrote:

On 10 Jan 2017, at 10:55, Michael B Allen wrote:

bayes_file_mode 0777

Don't do that. Ever. It is not necessary, despite having been propagated widely as a supposed solution for system-wide Bayes permission issues. The clear indicator that whoever devised that was flailing in sheer ignorance is that it is 0777 instead of 0666: why would ANYONE need execute permission on a DB file???

The sane solution is to make sure everything that needs to write to the Bayes DB runs as the same user or as users which all have one group in common. The absolute loosest mode you should use is 0664, and that only if you do something like backups as an unprivileged user. If you can't be bothered to think about such security issues at least go with 0666 so it can't be subverted as a stealth executable.

And... if you read with comprehension the SpamAssassin manual page for that attribute you will see:

   bayes_file_mode          (default: 0700)
       The file mode bits used for the Bayesian filtering database files.

       Make sure you specify this using the 'x' mode bits set, as it may also be used to create
       directories.  However, if a file is created, the resulting file will not have any execute bits set
       (the umask is set to 111). The argument is a string of octal digits, it is converted to a numeric
       value internally.


That "need execute permission" is for the directory not the DB file.
So -DO- use that 0700 (or if you must 0777).



--
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
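
The behaviour described in the quoted manual page, as an added example that is not part of the original messages and is not SpamAssassin's own code: it creates files requesting a given mode under umask 111 and then audits a directory for files with execute or world-writable bits. The function names are hypothetical, and the directory and its file names are constructed sample data.

```python
import os
import stat
import tempfile

FILE_UMASK = 0o111  # value stated in the quoted manual page


def create_db_file(path, bayes_file_mode):
    """Create a file requesting bayes_file_mode under umask 111; return its mode."""
    old = os.umask(FILE_UMASK)
    try:
        os.close(os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY, bayes_file_mode))
    finally:
        os.umask(old)
    return stat.S_IMODE(os.stat(path).st_mode)


def audit_bayes_dir(directory):
    """Map file name -> findings for regular files with risky mode bits."""
    findings = {}
    for name in sorted(os.listdir(directory)):
        st = os.lstat(os.path.join(directory, name))
        if not stat.S_ISREG(st.st_mode):
            continue
        mode = stat.S_IMODE(st.st_mode)
        issues = []
        if mode & 0o111:
            issues.append("execute bit set")
        if mode & 0o002:
            issues.append("world-writable")
        if issues:
            findings[name] = issues
    return findings


def demo():
    """Constructed sample directory; file names are illustrative."""
    with tempfile.TemporaryDirectory() as d:
        modes = {
            "0700": create_db_file(os.path.join(d, "bayes_toks"), 0o700),
            "0777": create_db_file(os.path.join(d, "bayes_seen"), 0o777),
        }
        stray = os.path.join(d, "bayes_journal")  # hand-chmod'ed file, bypasses umask
        open(stray, "w").close()
        os.chmod(stray, 0o777)
        return modes, audit_bayes_dir(d)


if __name__ == "__main__":
    modes, findings = demo()
    print({k: oct(v) for k, v in modes.items()}, findings)
```
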
