/etc/cron.daily/spamassassin calls sa-update with potentially incorrect umask

Bug #1373560 reported by Roger Cornelius
This bug affects 4 people
Affects: spamassassin (Ubuntu)
Status: Fix Released
Importance: Medium
Assigned to: Unassigned

Bug Description

Ubuntu 14.04.1 LTS
Packages:
spamassassin (3.4.0-1ubuntu1)
amavisd-new (1:2.7.1-2ubuntu3)

This report has to do with a problem between the interaction of the spamassassin and amavisd-new packages, but the problem is with /etc/cron.daily/spamassassin.

/etc/cron.daily/spamassassin executes the following line:

su - debian-spamd -c "sa-update --gpghomedir /var/lib/spamassassin/sa-update-keys"

Since su is invoked with the "-" option, sa-update executes with the default umask of user debian-spamd. In my case that is 007, causing the updated rules, i.e. /var/lib/spamassassin/3.004000/updates_spamassassin_org.cf and /var/lib/spamassassin/3.004000/updates_spamassassin_org/*, to be created with no read access for "other". When amavis is restarted, it is unable to read the spamassassin rules, and consequently spamassassin rule checks are not performed on received mail.

It appears someone attempted to correct this by adding the line:

umask 022

immediately above the call to su mentioned above. This is ineffectual, however, due to su being called with "-". A fix is to change the above su call to this line:

su - debian-spamd -c "umask 022; sa-update --gpghomedir /var/lib/spamassassin/sa-update-keys"

A file with the output of 'ubuntu-bug --save=/tmp/sa-bug spamassassin' is attached.

Roger Cornelius (rac-3) wrote :

Robie Basak (racb) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better.

Is your umask 007 because you changed the system default? I'm asking to understand whether this will affect all spamassassin/sa-update/amavisd users by default, or if it only affects others who have changed their system umask.

spamassassin is maintained in Debian, so to make progress on this bug somebody needs to verify if Debian is affected by this problem and if it is then to report a bug in the Debian bug tracking system if there isn't a bug there already.

tags: added: needs-upstream-report

Roger Cornelius (rac-3) wrote : Re: [Bug 1373560] Re: /etc/cron.daily/spamassassin calls sa-update with potentially incorrect umask

I don't recall for sure, but I have 'UMASK 077' in /etc/login.defs and
believe the default is 022, so I probably have changed the default. I
also have 'USERGROUPS_ENAB yes', resulting in a mask of 007 for the
debian-spamd account.

In my opinion, amavis's ability to read the ruleset created by sa-update
should not rely on the default umask being in effect when sa-update was
run. I doubt it uncommon for a user to change that default. Instead,
set the umask explicitly before running sa-update so the rules are world
readable. If this is safe, i.e., not a security issue, it would not
hurt even if someone were to install spamassassin without installing
amavisd-new.

On 09/25/2014 12:04, Robie Basak wrote:
> Thank you for taking the time to report this bug and helping to make
> Ubuntu better.
>
> Is your umask 007 because you changed the system default? I'm asking to
> understand whether this will affect all spamassassin/sa-update/amavisd
> users by default, or if it only affects others who have changed their
> system umask.
>
> spamassassin is maintained in Debian, so to make progress on this bug
> somebody needs to verify if Debian is affected by this problem and if it
> is then to report a bug in the Debian bug tracking system if there isn't
> a bug there already.

Robie Basak (racb) wrote :

> In my opinion, amavis's ability to read the ruleset created by sa-update
> should not rely on the default umask being in effect when sa-update was
> run.

Agreed. I just wanted to understand the proportion of users who might be affected.

This needs to be investigated in Debian.

Changed in spamassassin (Ubuntu):
importance: Undecided → Medium

Roger Cornelius (rac-3) wrote :

On 09/26/2014 08:21, Robie Basak wrote:
> > In my opinion, amavis's ability to read the ruleset created by sa-update
> should not rely on the default umask being in effect when sa-update was
> run.
>
> Agreed. I just wanted to understand the proportion of users who might be
> affected.
>
> This needs to be investigated in Debian.

Thank you. I don't know if it's relevant, but this problem was not
present on 12.04LTS and only appeared after I upgraded to 14.04LTS.

If I can do anything else to help, let me know.

Roger

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in spamassassin (Ubuntu):
status: New → Confirmed

Nikolai Kristiansen (nikolaik) wrote :

I'm hitting this on mail servers which run with a system-wide umask of 007, set in /etc/profile.

After /etc/cron.daily/spamassassin has run, and the first email is processed, amavis will shut down, since it can't read /var/lib/spamassassin/3.004000/updates_spamassassin_org.cf, resulting in a pile-up in postfix's deferred queue.

Rasmus Borup Hansen (rbh-a) wrote :

I ran into this bug as well and checked if it's also present in Debian. It appears that from spamassassin 3.4.0-2 the relevant code is:

# Update
umask 022
env -i LANG="$LANG" PATH="$PATH" start-stop-daemon \
    --chuid debian-spamd:debian-spamd --start \
    --exec /usr/bin/sa-update -- \
    --gpghomedir /var/lib/spamassassin/sa-update-keys 2>&1

When using start-stop-daemon to invoke sa-update the umask is not changed, so updating to this version will fix the bug.

Bryce Harrington (bryce) wrote :

Xenial is carrying version 3.4.2-0ubuntu0.16.04.2, so I think per the last comment we can assume this issue is now resolved.

Changed in spamassassin (Ubuntu):
status: Confirmed → Fix Released
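
Added example, not part of the original report or of the spamassassin package: a root-free simulation of the behaviour described in the bug description, showing why a umask set above the su call has no effect, plus a check that lists rule files a daemon running as another user could not read. run_as_login is a hypothetical stand-in for "su - user -c CMD"; it assumes files are created with the default requested mode 0666, and all paths are scratch directories.

```shell
#!/bin/sh
# Added example (constructed): simulates the umask handling described in this
# bug. Nothing here calls su or touches /var/lib/spamassassin.

# Print the permission string of a file created under umask $1.
mode_under_umask() {
    d=$(mktemp -d) || return 1
    ( umask "$1" && : > "$d/rules.cf" )
    ls -l "$d/rules.cf" | cut -c1-10
    rm -rf "$d"
}

# Hypothetical stand-in for "su - user -c CMD": the login environment applies
# the account's own umask ($1) before CMD ($2) runs, whatever the caller set.
run_as_login() {
    ( umask "$1" && sh -c "$2" )
}

# List files without o+r and directories without o+rx below $1, i.e. what a
# daemon running as an unrelated user could not read.
unreadable_by_other() {
    find "$1" \( -type f ! -perm -004 \) -o \( -type d ! -perm -005 \)
}

# Reproduce both variants of the cron job in scratch directory $1 (subshell,
# so the caller's umask is left alone).
reproduce() (
    chmod 755 "$1"
    umask 022    # the ineffective line placed above the su call
    run_as_login 007 ": > '$1/original.cf'"
    run_as_login 007 "umask 022; : > '$1/fixed.cf'"
    unreadable_by_other "$1"
)

# Run with --demo to print the results.
if [ "${1:-}" = "--demo" ]; then
    scratch=$(mktemp -d)
    echo "umask 007 -> $(mode_under_umask 007)"
    echo "umask 022 -> $(mode_under_umask 022)"
    echo "not readable by other:"
    reproduce "$scratch"
    rm -rf "$scratch"
fi
```

On an affected system, unreadable_by_other can be pointed at the rules directory named in the report to confirm whether the last sa-update run left files without read access for "other".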