I am using exim + spamd which comes with spamassassin. When a mail comes in, I get all sorts of funky errors about permissions. Googling didn't really help much. Is Gentoo shipping a non-working setup? Below are the logs.

*** /var/log/mail.log ***
Aug 19 19:28:08 fieldy spamd[18342]: spamd: connection from localhost.netwerkz.co.uk [127.0.0.1] at port 44717
Aug 19 19:28:08 fieldy spamd[18342]: spamd: setuid to nobody succeeded
Aug 19 19:28:08 fieldy spamd[18342]: spamd: creating default_prefs: //.spamassassin/user_prefs
Aug 19 19:28:08 fieldy spamd[18342]: mkdir //.spamassassin: Permission denied at /usr/lib64/perl5/vendor_perl/5.8.8/Mail/SpamAssassin.pm line 1486
Aug 19 19:28:08 fieldy spamd[18342]: config: cannot write to //.spamassassin/user_prefs: No such file or directory
Aug 19 19:28:08 fieldy spamd[18342]: spamd: failed to create readable default_prefs: //.spamassassin/user_prefs
Aug 19 19:28:08 fieldy spamd[18342]: mkdir /.spamassassin: Permission denied at /usr/lib64/perl5/vendor_perl/5.8.8/Mail/SpamAssassin.pm line 1486
Aug 19 19:28:08 fieldy spamd[18342]: spamd: checking message <20060819081657.11683.qmail@securityfocus.com> for nobody:65534
Aug 19 19:28:10 fieldy spamd[18342]: mkdir /.spamassassin: Permission denied at /usr/lib64/perl5/vendor_perl/5.8.8/Mail/SpamAssassin.pm line 1486
Aug 19 19:28:10 fieldy spamd[18342]: locker: safe_lock: cannot create tmp lockfile /.spamassassin/auto-whitelist.lock.fieldy.netwerkz.co.uk.18342 for /.spamassassin/auto-whitelist.lock: No such file or directory
Aug 19 19:28:10 fieldy spamd[18342]: auto-whitelist: open of auto-whitelist file failed: locker: safe_lock: cannot create tmp lockfile /.spamassassin/auto-whitelist.lock.fieldy.netwerkz.co.uk.18342 for /.spamassassin/auto-whitelist.lock: No such file or directory
Aug 19 19:28:10 fieldy spamd[18342]: spamd: clean message (0.6/5.0) for nobody:65534 in 2.2 seconds, 3255 bytes.
Aug 19 19:28:10 fieldy spamd[18342]: spamd: result: . 0 - NO_REAL_NAME,UNPARSEABLE_RELAY scantime=2.2,size=3255,user=nobody,uid=65534,required_score=5.0,rhost=localhost.netwerkz.co.uk,raddr=127.0.0.1,rport=44717,mid=<20060819081657.11683.qmail@securityfocus.com>,autolearn=no
Aug 19 19:28:10 fieldy spamd[18333]: prefork: child states: II
Aug 19 19:28:10 fieldy exim[18499]: 2006-08-19 19:28:10 1GEWUK-0004oN-7j <= bugtraq-return-27330-sgtphou=fire-eyes.org@securityfocus.com H=outgoing.securityfocus.com [205.206.231.26] P=esmtp S=3084 id=20060819081657.11683.qmail@securityfocus.com
Aug 19 19:28:10 fieldy exim[18500]: 2006-08-19 19:28:10 1GEWUK-0004oN-7j => sgtphou <sgtphou@fire-eyes.org> R=localuser T=local_delivery
Aug 19 19:28:10 fieldy exim[18500]: 2006-08-19 19:28:10 1GEWUK-0004oN-7j Completed

Line 1482 - 1490 of /usr/lib64/perl5/vendor_perl/5.8.8/Mail/SpamAssassin.pm is:

1482 # bug 4932: we always want to make the userstate directory, even if
1483 # dont_copy_prefs is true for things like bayes, awl, etc.
1484 if (!-d $fname) {
1485 # not being able to create the *dir* is not worth a warning at all times
1486 eval { mkpath($fname, 0, 0700) } or dbg("config: mkdir $fname failed: $@ $!\n");
1487 }
1488
1489 $fname;
1490 }

Though, I don't see what http://bugs.gentoo.org/show_bug.cgi?id=4932 has to do with that (different bug tracking system?)

System info: Portage 2.1-r2 (default-linux/amd64/2006.0, gcc-3.4.6, glibc-2.3.6-r4, 2.6.16-netwerkz x86_64) ================================================================= System uname: 2.6.16-netwerkz x86_64 Intel(R) Xeon(TM) CPU 2.80GHz Gentoo Base System version 1.12.4 ccache version 2.3 [disabled] app-admin/eselect-compiler: [Not Present] dev-lang/python: 2.4.3-r1 dev-python/pycrypto: 2.0.1-r5 dev-util/ccache: 2.3 dev-util/confcache: [Not Present] sys-apps/sandbox: 1.2.17 sys-devel/autoconf: 2.13, 2.59-r7 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2 sys-devel/binutils: 2.16.1-r3 sys-devel/gcc-config: 1.3.13-r3 sys-devel/libtool: 1.5.22 virtual/os-headers: 2.6.11-r2 ACCEPT_KEYWORDS="amd64" AUTOCLEAN="yes" CBUILD="x86_64-pc-linux-gnu" CFLAGS="-march=x86-64 -Os -pipe -fomit-frame-pointer -fforce-addr -mno-tls-direct-seg-refs" CHOST="x86_64-pc-linux-gnu" CONFIG_PROTECT="/etc /var/bind" CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo" CXXFLAGS="-march=x86-64 -Os -pipe -fomit-frame-pointer -fforce-addr -mno-tls-direct-seg-refs" DISTDIR="/usr/gentoo/distfiles" FEATURES="autoconfig distlocks fixpackages metadata-transfer parallel-fetch sandbox sfperms strict" GENTOO_MIRRORS="ftp://mirror.datapipe.net/gentoo http://gentoo.mirrors.pair.com/ http://mirror.usu.edu/mirrors/gentoo/" MAKEOPTS="-j3" PKGDIR="/usr/gentoo/packages" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/local/portage" SYNC="rsync://rsync.gentoo.org/gentoo-portage" USE="amd64 apache2 bash-completion berkdb bzip2 crypt dlloader ftp hardened ncurses nls nptl nptlonly pam perl pic pie python readline ssl tcpd unicode userlocales vhosts xml2 zlib elibc_glibc input_devices_keyboard input_devices_mouse input_devices_evdev 
kernel_linux userland_GNU video_cards_apm video_cards_ark video_cards_ati video_cards_chips video_cards_cirrus video_cards_cyrix video_cards_dummy video_cards_fbdev video_cards_glint video_cards_i128 video_cards_i810 video_cards_mga video_cards_neomagic video_cards_nv video_cards_rendition video_cards_s3 video_cards_s3virge video_cards_savage video_cards_siliconmotion video_cards_sis video_cards_sisusb video_cards_tdfx video_cards_tga video_cards_trident video_cards_tseng video_cards_v4l video_cards_vesa video_cards_vga video_cards_via video_cards_vmware video_cards_voodoo" Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, LINGUAS, PORTAGE_RSYNC_EXTRA_OPTS [ebuild R ] mail-mta/exim-4.60-r1 USE="exiscan exiscan-acl gnutls mbx pam perl ssl syslog tcpd -X -dnsdb -ipv6 -ldap -lmtp -mailwrapper -mysql -nis -postgres -sasl -spf -sqlite -srs" 1,539 kB [ebuild R ] mail-filter/spamassassin-3.1.3 USE="berkdb -doc -ipv6 -ldap -mysql -postgres -qmail -sqlite -ssl -tools" 952 kB
Let me guess: You uncommented "# use_bayes 1" from /etc/mail/spamassassin/local.cf ? See, spamd runs under user nobody, so it'd try to create ~/.spamassassin (nobody's homedir is / ...). Try adding this to local.cf:

bayes_path /path/to/.spamassassin/bayes

And make sure that path (bayes = file, not a directory) is readable/writeable by the user `nobody'. Just let me know if I guessed right so we can fix the default local.cf...
Hello, Yuval. Actually, I did not touch /etc/mail/spamassassin/local.cf at all. Looking at that file, use_bayes 1 is commented out. However, it also says that 1 is the default.

I have since created a dedicated user for spamd, and then changed conf.d/spamd to that effect (adding -u spamd-user to SPAMD_OPTS). Spamd then started one of itself as root, and then two children as the user I created and specified. Still, I was getting those same errors about permission creation. It was as if it was still trying to run as nobody, even though this wasn't specified anywhere that I was aware of.

Just to get the sucker working, so I could deal with it later, I created a symlink from /.spamassassin to ~spamd-user/.spamassassin . This seems to have worked. Now that's a cheap hack and I don't intend to leave it that way.

Okay, as for your suggestion of adding bayes_path /path/to/.spamassassin/bayes to local.cf, I did that; however, it does not appear to have created that file. The home directory and .spamassassin under it are writable by the user I specified. There are other bayes files, however:

bayes_seen
bayes_toks

All owned by the spamd user I created. I removed the symlink /.spamassassin pointing at ~spamd-user-i-created/.spamassassin , restarted spamd, still having the errors.
Could you attach /var/log/mail.log again, please?
Well, it's a pretty big file, so I'll just paste the logs from the error I am seeing. This is without the cheap hack I did, the symlink /.spamassassin pointing at ~spamd-user-i-created/.spamassassin :

Aug 20 14:23:40 fieldy spamd[28544]: spamd: connection from localhost.netwerkz.co.uk [127.0.0.1] at port 48794
Aug 20 14:23:40 fieldy spamd[28544]: spamd: checking message <1156083714.22753.10.camel@pc7.dolda2000.com> for nobody:503
Aug 20 14:23:42 fieldy spamd[28544]: mkdir /.spamassassin: Permission denied at /usr/lib64/perl5/vendor_perl/5.8.8/Mail/SpamAssassin.pm line 1486
Aug 20 14:23:42 fieldy spamd[28544]: locker: safe_lock: cannot create tmp lockfile /.spamassassin/auto-whitelist.lock.fieldy.netwerkz.co.uk.28544 for /.spamassassin/auto-whitelist.lock: No such file or directory
Aug 20 14:23:42 fieldy spamd[28544]: auto-whitelist: open of auto-whitelist file failed: locker: safe_lock: cannot create tmp lockfile /.spamassassin/auto-whitelist.lock.fieldy.netwerkz.co.uk.28544 for /.spamassassin/auto-whitelist.lock: No such file or directory
Aug 20 14:23:42 fieldy spamd[28544]: spamd: clean message (0.0/5.0) for nobody:503 in 1.5 seconds, 5130 bytes.
Aug 20 14:23:42 fieldy spamd[28544]: spamd: result: . 0 - scantime=1.5,size=5130,user=nobody,uid=503,required_score=5.0,rhost=localhost.netwerkz.co.uk,raddr=127.0.0.1,rport=48794,mid=<1156083714.22753.10.camel@pc7.dolda2000.com>,autolearn=ham
Aug 20 14:23:42 fieldy spamd[28535]: prefork: child states: II
Aug 20 14:23:42 fieldy exim[28568]: 2006-08-20 14:23:42 1GEoDE-0007Qm-JL <= gentoo-user+bounces-48904-sgtphou=fire-eyes.org@gentoo.org H=lists.gentoo.org (robin.gentoo.org) [140.105.134.102] P=esmtp S=4963 id=1156083714.22753.10.camel@pc7.dolda2000.com
Aug 20 14:23:42 fieldy exim[28573]: 2006-08-20 14:23:42 1GEoDE-0007Qm-JL => sgtphou <sgtphou@fire-eyes.org> R=localuser T=local_delivery
Aug 20 14:23:42 fieldy exim[28573]: 2006-08-20 14:23:42 1GEoDE-0007Qm-JL Completed
For some reason, you're still running under "nobody"... Can we have your SPAMD_OPTS line?
Sure.

SPAMD_OPTS="-m 5 -u spam_d -H"

I removed -c as I do not need per-user configs; however, I still get the same issues with or without -c . The username of spam_d is not an error in my typing.
Can you please add -P? This should help us figure out why spamd's using the user nobody.
Sure, I turned on -P. I don't see anything other than the usual errors at this point:

Aug 21 13:00:56 fieldy spamd[16644]: spamd: connection from localhost.netwerkz.co.uk [127.0.0.1] at port 51266
Aug 21 13:00:57 fieldy spamd[16644]: spamd: checking message <445eee310608210559k374841a4ia1910a1eaf6af15b@mail.gmail.com> for nobody:503
Aug 21 13:00:58 fieldy spamd[16644]: mkdir /.spamassassin: Permission denied at /usr/lib64/perl5/vendor_perl/5.8.8/Mail/SpamAssassin.pm line 1486
Aug 21 13:00:58 fieldy spamd[16644]: locker: safe_lock: cannot create tmp lockfile /.spamassassin/auto-whitelist.lock.fieldy.netwerkz.co.uk.16644 for /.spamassassin/auto-whitelist.lock: No such file or directory
Aug 21 13:00:58 fieldy spamd[16644]: auto-whitelist: open of auto-whitelist file failed: locker: safe_lock: cannot create tmp lockfile /.spamassassin/auto-whitelist.lock.fieldy.netwerkz.co.uk.16644 for /.spamassassin/auto-whitelist.lock: No such file or directory
Aug 21 13:01:00 fieldy spamd[16644]: spamd: clean message (0.0/5.0) for nobody:503 in 3.5 seconds, 3355 bytes.
Aug 21 13:01:00 fieldy spamd[16644]: spamd: result: . 0 - scantime=3.5,size=3355,user=nobody,uid=503,required_score=5.0,rhost=localhost.netwerkz.co.uk,raddr=127.0.0.1,rport=51266,mid=<445eee310608210559k374841a4ia1910a1eaf6af15b@mail.gmail.com>,autolearn=ham
Aug 21 13:01:00 fieldy spamd[16635]: prefork: child states: II

I also do not understand why it's acting like it is running as nobody. The only user on the entire system with / as its home is the user nobody.

# ps auwxxx | grep spamd
root 16635 0.0 10.4 62536 33676 ? Ss 12:53 0:00 /usr/sbin/spamd -d -r /home/spam_d/spamd.pid -m 5 -P -u spam_d -H
spam_d 16644 0.0 10.6 63464 34444 ? S 12:53 0:00 spamd child
spam_d 16645 0.0 10.0 62536 32356 ? S 12:53 0:00 spamd child
What's spam_d's homedir, and what permission is set on it? From the code, it still looks like it should use ~/.spamassassin -- maybe spam_d's homedir is still /? Please grep out the appropriate line from /etc/passwd. Thanks.
Sure.

spam_d:x:503:100:spam_d:/home/spam_d:/usr/sbin/nologin

Access: (0755/drwxr-xr-x) Uid: ( 503/ spam_d) Gid: ( 100/ users)

I've tried the shell as the standard bash and other shells as well, this (as I would expect) didn't change anything.

ls -lRa /home/spam_d
/home/spam_d:
total 4
drwxr-xr-x 3 spam_d users 112 Aug 24 13:47 .
drwxr-xr-x 10 root root 256 Aug 19 19:39 ..
drwx------ 2 spam_d users 144 Aug 27 09:00 .spamassassin
-rw-r--r-- 1 root root 5 Aug 24 13:47 spamd.pid

/home/spam_d/.spamassassin:
total 1377
drwx------ 2 spam_d users 144 Aug 27 09:00 .
drwxr-xr-x 3 spam_d users 112 Aug 24 13:47 ..
-rw------- 1 spam_d users 196608 Aug 27 09:00 auto-whitelist
-rw------- 1 spam_d users 163840 Aug 27 08:28 bayes_seen
-rw------- 1 spam_d users 1261568 Aug 27 08:28 bayes_toks

Is it normal for spamd.pid to be owned by root? I would have expected it to be owned by the user running spamd.

# ps auwxxx | grep spamd
root 8978 0.0 0.8 62620 2648 ? Ss Aug24 0:00 /usr/sbin/spamd -d -r /home/spam_d/spamd.pid -m 5 -P -u spam_d -H
spam_d 8989 0.0 8.1 66816 26128 ? S Aug24 0:25 spamd child
spam_d 9812 0.0 0.5 62620 1696 ? S Aug26 0:00 spamd child
root 7084 0.0 0.1 2652 572 pts/2 S+ 09:05 0:00 grep spamd
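
Added example (not part of the original report or of SpamAssassin): a small Python check that correlates the name and uid in spamd's "checking message ... for nobody:503" lines with the passwd entries quoted in this thread, and reports when the state directory that failed to be created belongs to the name rather than to the uid. The log and passwd samples are constructed from the values shown above; nobody's gid and shell and the function names are assumptions.

```python
import re

# Constructed sample, modelled on the spamd lines quoted in this report.
SAMPLE_LOG = """\
Aug 21 13:00:57 fieldy spamd[16644]: spamd: checking message <a@example.invalid> for nobody:503
Aug 21 13:00:58 fieldy spamd[16644]: mkdir /.spamassassin: Permission denied at /usr/lib64/perl5/vendor_perl/5.8.8/Mail/SpamAssassin.pm line 1486
Aug 21 13:01:02 fieldy spamd[16645]: spamd: checking message <b@example.invalid> for spam_d:503
"""
# Constructed passwd excerpt; nobody's gid and shell are placeholders.
SAMPLE_PASSWD = """\
nobody:x:65534:65534:nobody:/:/bin/false
spam_d:x:503:100:spam_d:/home/spam_d:/usr/sbin/nologin
"""

CHECK_RE = re.compile(r"spamd\[(\d+)\]: spamd: checking message (?:<[^>]*>|\S+) for ([^:\s]+):(\d+)")
MKDIR_RE = re.compile(r"spamd\[(\d+)\]: mkdir (\S+): Permission denied")

def parse_passwd(text):
    """Map account name -> (uid, home) from passwd-format text."""
    accounts = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7:
            accounts[fields[0]] = (int(fields[2]), fields[5])
    return accounts

def diagnose(log_text, passwd_text):
    """Return (kind, pid, detail) findings for spamd identity and state-dir problems."""
    accounts = parse_passwd(passwd_text)
    homes_by_uid = {uid: home for uid, home in accounts.values()}
    scanning = {}  # child pid -> (name, uid) from its latest "checking message" line
    findings = []
    for line in log_text.splitlines():
        m = CHECK_RE.search(line)
        if m:
            pid, name, uid = m.group(1), m.group(2), int(m.group(3))
            scanning[pid] = (name, uid)
            if name in accounts and accounts[name][0] != uid:
                findings.append(("identity-mismatch", pid, f"name {name} is uid {accounts[name][0]} in passwd, log says uid {uid}"))
            continue
        m = MKDIR_RE.search(line)
        if m and m.group(1) in scanning:
            pid, path = m.group(1), re.sub(r"/+", "/", m.group(2))  # collapse "//"
            name, uid = scanning[pid]
            if name not in accounts or uid not in homes_by_uid:
                continue
            name_dir = accounts[name][1].rstrip("/") + "/.spamassassin"
            uid_dir = homes_by_uid[uid].rstrip("/") + "/.spamassassin"
            if path == name_dir and path != uid_dir:
                findings.append(("state-dir-follows-name", pid, f"{path} is {name}'s state dir; uid {uid} would use {uid_dir}"))
    return findings
```
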
I should have mentioned a reminder, that the above is all working with /.spamassassin as a symlink to /home/spam_d/.spamassassin . The errors I filed the bug over originally return if I do not do this. It's just a temporary cheap hack so I can get it to run.
I'm currently employing the same hack - or else my exim install slows down terribly when it tries to create the directories (and fails) every time. I'm adding myself to the CC so I can keep track of this, if/when it gets fixed. Any news? :)
I set up a new server today, and I am still seeing exactly the same issues. I am forced to use the same hack as I did before. Any movement on this?
I added to my /etc/spamassassin/local.cf

auto_whitelist_path /home/spamd/.spamassassin/auto-whitelist
auto_whitelist_file_mode 0777
bayes_path /home/spamd/.spamassassin/bayes
bayes_file_mode 0777

and changed my /etc/conf.d/spamd

SPAMD_OPTS="-m 5 -H -u spamd"

This combination seems to work... hth, #mb
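
Added example (not part of the comment above or of SpamAssassin): a Python audit of the local.cf directives and SPAMD_OPTS quoted in that comment, flagging *_file_mode values that leave the state files writable by accounts other than the one given to -u, and *_path values outside that account's home. The inputs are constructed from the comment; the HOMES map and the function names are assumptions.

```python
import shlex

# Constructed inputs: the directives and SPAMD_OPTS quoted in the comment above.
LOCAL_CF = """\
auto_whitelist_path /home/spamd/.spamassassin/auto-whitelist
auto_whitelist_file_mode 0777
bayes_path /home/spamd/.spamassassin/bayes
bayes_file_mode 0777
"""
SPAMD_OPTS = "-m 5 -H -u spamd"
HOMES = {"spamd": "/home/spamd"}  # assumed home directory of the spamd account

def run_as_user(opts):
    """Return the argument of -u / --username from a SPAMD_OPTS string."""
    args = shlex.split(opts)
    for i, arg in enumerate(args):
        if arg in ("-u", "--username") and i + 1 < len(args):
            return args[i + 1]
        if arg.startswith("--username="):
            return arg.split("=", 1)[1]
    return None

def audit(local_cf, opts, homes):
    """Return (directive, detail) findings for loose modes and stray paths."""
    user = run_as_user(opts)
    home = homes.get(user)
    findings = []
    for raw in local_cf.splitlines():
        parts = raw.split("#", 1)[0].split()  # drop comments, split key/value
        if len(parts) != 2:
            continue
        key, value = parts
        if key.endswith("_file_mode"):
            mode = int(value, 8)
            if mode & 0o022:  # group- or world-writable
                # Per the SpamAssassin Conf documentation, files are created
                # without execute bits; directories get the mode as given.
                findings.append((key, f"files {mode & 0o666:04o}, dirs {mode:04o}: writable beyond owner"))
        elif key.endswith("_path") and home:
            if not value.startswith(home.rstrip("/") + "/"):
                findings.append((key, f"{value} is outside {user}'s home {home}"))
    return findings
```

With spamd running as one dedicated account, the owner-only modes seen in the earlier directory listing (0700 directory, 0600 files) pass this audit.
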
Any movement on this? This one really bites folks in the rear.
(In reply to comment #15)
> Any movement on this? This one really bites folks in the rear.

Can you confirm comment #14 works for you as well? If so, I can at least update what goes in local.cf.example. Thanks!
Going through old tickets I came across this one. It's painfully obvious (now) that this is a simple matter of the value of $dir . "/.spamassassin" in the spamd code is not getting a proper value for $dir, and therefore leaving it as /.spamassassin. (duh). I'm looking at this with 3.1.8 - I've got the home directory working, and the procs are running as spam_d, but it seems like the bayes, etc., is still being updated in the individual home dirs (or not at all).
Actually, this appears to be resolved upstream. Based on:

-u username, --username=username
    Run as the named user. If this option is not set, the default behaviour is to setuid() to the user running "spamc", if "spamd" is running as root.

root 7621 1 0 07:19 ? 00:00:00 /usr/sbin/spamd -d -r /var/run/spamd.pid -m 5 -u spam_d -H /home/spam_d
spam_d 7633 7621 0 07:19 ? 00:00:00 spamd child
spam_d 7634 7621 0 07:19 ? 00:00:00 spamd child

I'd say the -u is working as designed - spamd is running as spam_d. Creating something in ~spam_d is a different matter altogether, and in reading this man entry I don't think the behaviour of setuiding to the uid of the person calling spamc is relevant (since this is more about what user launches spamd, not where it writes and as who).
Fixed upstream. 3.1.3 no longer in portage.