I installed amavisd-new lately (emerge amavisd-new). I then configured it to work with exim4 (no problem), but when sending a few messages all those messages got stuck in the amavis "queue" (/var/run/amavis/tmp in my configuration) and the error output in syslog was:

Apr 17 00:43:44 [amavis] (10244-01) TROUBLE in check_mail: mime_decode-1 FAILED: MIME::Parser: can't open tmpfile: Invalid argument
Apr 17 00:43:44 [amavis] (10244-01) PRESERVING EVIDENCE in /var/run/amavis/tmp/amavis-20040417T004344-10244

After fixing some settings in /etc/amavisd.conf and still having the same error messages I ran an "strace" on the process and it was clear why this error appeared:

open("/tmp/PerlIO_gE1dLe", O_RDWR|O_CREAT|O_EXCL|O_LARGEFILE, 0600) = -1 EACCES (Permission denied)

I have tried playing around with many settings in /etc/amavisd.conf, but to no avail. Am I just missing out on some obvious settings? At the moment the only (insecure) workaround for me is to set the permissions on /tmp to 777.

Reproducible: Always

Steps to Reproduce:
1. Install amavisd-new
2. Configure exim v4 according to http://www.ijs.si/software/amavisd/README.exim_v4
3. Send an email to exim

Actual Results: Email gets stuck in amavis "queue"
Expected Results: Process the email normally

Portage 2.0.50-r6 (default-x86-2004.0, gcc-3.3.2, glibc-2.3.2-r9, 2.6.5)
=================================================================
System uname: 2.6.5 i686 Pentium III (Katmai)
Gentoo Base System version 1.4.3.13
Autoconf: sys-devel/autoconf-2.58-r1
Automake: sys-devel/automake-1.8.3
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CFLAGS="-O2 -march=pentium3 -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
COMPILER="gcc3"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -march=pentium3 -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs ccache sandbox"
GENTOO_MIRRORS="ftp://sunsite.informatik.rwth-aachen.de/pub/Linux/gentoo http://linux.rz.ruhr-uni-bochum.de/download/gentoo-mirror/ ftp://linux.rz.ruhr-uni-bochum.de/gentoo-mirror/ rsync://linux.rz.ruhr-uni-bochum.de/gentoo/ http://ftp.uni-erlangen.de/pub/mirrors/gentoo ftp://ftp.uni-erlangen.de/pub/mirrors/gentoo ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo rsync://ftp.join.uni-muenster.de/gentoo/ ftp://ftp.wh2.tu-dresden.de/pub/mirrors/gentoo http://mirror.switch.ch/ftp/mirror/gentoo/ ftp://mirror.switch.ch/mirror/gentoo/ ftp://ftp.solnet.ch/mirror/Gentoo http://www.mirror.ac.uk/sites/www.ibiblio.org/gentoo/"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY=""
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="apm avi berkdb crypt cups encode foomaticdb gdbm gif gpm gtk2 imlib jpeg libg++ libwww mad mikmod mmx motif mpeg mysql ncurses nls oggvorbis pam pdflib perl png python quicktime readline sdl slang spell sse ssh ssl svga tcpd truetype x86 xml2 xmms xv zlib"
Is /tmp writable by all? (mode 1777)
The point I'm trying to make is that I've done a standard installation of gentoo and /tmp was not set to 777 before. I've now changed the mode of /tmp to 777 as a temporary workaround (see my first entry). I'm worried that setting /tmp to 777 is slightly insecure. Is it possible to tell perl where to put its temporary files for a script? If so, one could then use the variable $TEMPBASE set in amavisd.conf as the temporary directory for all perl-related tmp files of amavisd. Only the user amavisd could then access those temporary files, instead of letting any user on the system access the temporary files because they're in /tmp with permissions 777.
Not 777 ... 1777. The 1 is crucial for security as it sets the sticky bit.
I've now set the permissions to 1777. I didn't know about the "sticky bit", which is the answer to my security-related worries. Still, there's this small question of whether 1777 is the default mode of the /tmp directory in a standard gentoo installation (as it didn't seem to be in my case).
Yes, 1777 is the default mode of /tmp you should have from your stage[123] tarball.
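The three /tmp states discussed in this thread (not world-writable, which gives the EACCES in the reporter's strace; 777, the reporter's workaround; and 1777, the sticky-bit default) can be told apart with POSIX shell tests alone. This is an added example, not code from the bug report or from amavisd-new; the directory names it creates are constructed for the demonstration.

```shell
#!/bin/sh
# Classify a shared temp directory by the properties the thread discusses.
#   private - not world-writable: other users' programs get EACCES when
#             they try to create files there (the reporter's original state)
#   sticky  - world-writable with the sticky bit (mode 1777): anyone may
#             create files, but only a file's owner may delete or rename it
#   unsafe  - world-writable without the sticky bit (mode 777): any user
#             may delete or replace another user's temp files
# Exit status is 0 only for the safe shared layout (1777).
tmpdir_class() {
  d=$1
  [ -d "$d" ] || { echo missing; return 3; }
  # POSIX find: -perm -0002 matches when the "other" write bit is set;
  # -prune keeps find from descending into the directory itself.
  if [ -z "$(find "$d" -prune -perm -0002 -print 2>/dev/null)" ]; then
    echo private; return 1
  fi
  # test -k reports the sticky bit (the leading "1" in 1777)
  if [ -k "$d" ]; then
    echo sticky; return 0
  fi
  echo unsafe; return 2
}

# Demonstration on constructed directories under a private scratch base;
# the real /tmp is never modified. Prints one "mode -> class" line each.
demo_tmpdir_modes() {
  base=$(mktemp -d) || return 1
  for mode in 0750 0777 1777; do
    mkdir "$base/m$mode" && chmod "$mode" "$base/m$mode"
    printf '%s -> %s\n' "$mode" "$(tmpdir_class "$base/m$mode")"
  done
  rm -rf "$base"
}

demo_tmpdir_modes
```

Running `tmpdir_class /tmp` on a host reports whether its /tmp matches the 1777 default the thread arrives at.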