150997 – amavisd-new + SpamAssassin + MySQL backend secrets.cf permission oddity

Bug 150997 - amavisd-new + SpamAssassin + MySQL backend secrets.cf permission oddity

Summary: amavisd-new + SpamAssassin + MySQL backend secrets.cf permission oddity

Status:	RESOLVED CANTFIX

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	New packages (show other bugs)
Hardware:	All Linux

Importance:	High normal
Assignee:	Antivirus Team

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2006-10-12 04:37 UTC by Janne Pikkarainen
Modified:	2006-12-24 15:10 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Janne Pikkarainen 2006-10-12 04:37:40 UTC

Maybe I'm just losing my mind. Maybe not. Anyway I think I just found a very odd bug, or if it's a feature, it definitely should be documented somewhere more clearly.

The setup
---------
- amavisd-2.4.3
- SpamAssassin v3.1.6
- SpamAssassin uses MySQL for AWL/Bayes
- SA MySQL connection information is in /etc/mail/spamassassin/secrets.cf 

The situation
-------------
MySQL backend has been working fine all the time, AWL+Bayes information gets there. But as far as I understand, if you make SA to use MySQL as its backend, BerkeleyDB-based AWL/Bayes should became disabled.

Unfortunately, for me this is not the case in the default installation. What happens is that both backends, BDB and MySQL, will be used at the same time! At least BDB files gets bigger and bigger over time and they get updated all the time.

The fix
-------
What seems to be going on is that amavis user needs read access to /etc/mail/spamassassin/secrets.cf. I entered

---
chgrp amavis /etc/mail/spamassassin/secrets.cf
chmod 440 /etc/mail/spamassassin/secrets.cf
---

and restarted amavisd-new. MySQL backend continued to work, BDB activity stopped. Then I entered

---
chmod 400 /etc/mail/spamassassin/secrets.cf
---

and restarted amavisd-new again. MySQL backend continued to work and BDB activity started. Yet another

---
chmod 440 /etc/mail/spamassassin/secrets.cf
---

and after amavisd-new restart MySQL backend continued working, and BDB stopped.

This is odd.

Comment 1 Janne Pikkarainen 2006-10-12 04:43:19 UTC

Oh. Originally I changed from BDB to MySQL because of performance reasons. Performance has been ok ever since (for a year or so already), so I suspect BDB just gets used for writes and MySQL for both reads and writes. But this is only a feeling, not a verified fact. :-)

Comment 2 Jakub Moc (RETIRED) gentoo-dev

2006-10-12 04:45:35 UTC

The 0400 permissions are correct. And we no longer install secrets.cf, only secrets.cf.example with the above permissions that are proper for storing sensitive info that may be contained there.

Comment 3 Janne Pikkarainen 2006-10-12 04:54:07 UTC

Yes, my 440 fix should of course be considered as a temporary work-around. But I just wonder what is to blame here: amavisd-new? SpamAssassin? And how to make this work properly with 400 permissions...

Comment 4 Janne Pikkarainen 2006-10-12 05:38:04 UTC

Ok. I enabled MySQL query logging and I can see this is not my day.

With 0400 permissions MySQL backend actually stops working. Earlier I was just looking at MySQL process list and saw lots of spamassassin clients accessing it, but actually it was just amavisd-new querying its user policies, and not SpamAssassin.

Still the problem remains, even if it just changed its nature a bit. The problem is this:

* (At least with amavisd-new) SpamAssassin MySQL backend cannot be used with 0400 secrets.cf permissions.

Comment 5 Andrej Kacian (RETIRED) gentoo-dev

2006-12-24 15:10:52 UTC

Marking as CANTFIX, because I can't see anything we can do about it on packaging level. Try taking it up with upstream.

If I'm incorrect, feel free to reopen.