/etc/cron.daily/spamassassin calls sa-update with potentially incorrect umask

Bug #1373560 reported by Roger Cornelius on 2014-09-24
This bug affects 3 people
Affects: spamassassin (Ubuntu)
Importance: Medium
Assigned to: Unassigned

Bug Description

ubuntu 14.04.1 LTS
Packages:
spamassassin (3.4.0-1ubuntu1)
amavisd-new (1:2.7.1-2ubuntu3)

This report has to do with a problem between the interaction of the spamassassin and amavisd-new packages, but the problem is with /etc/cron.daily/spamassassin.

/etc/cron.daily/spamassassin executes the following line:

su - debian-spamd -c "sa-update --gpghomedir /var/lib/spamassassin/sa-update-keys"

Since su is invoked with the "-" option, sa-update executes with the default umask of user debian-spamd. In my case that is 007, causing the updated rules, i.e. /var/lib/spamassassin/3.004000/updates_spamassassin_org.cf and /var/lib/spamassassin/3.004000/updates_spamassassin_org/*, to be created with no read access for "other". When amavis is restarted, it is unable to read the spamassassin rules, and consequently spamassassin rule checks are not performed on received mail.

It appears someone attempted to correct this by adding the line:

umask 022

immediately above the call to su mentioned above. This is ineffectual however due to su being called with "-". A fix is to change the above su call to this line:

su - debian-spamd -c "umask 022; sa-update --gpghomedir /var/lib/spamassassin/sa-update-keys"

A file with the output of 'ubuntu-bug --save=/tmp/sa-bug spamassassin' is attached.
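A check an administrator can run after the cron job has fired, added here as an example and not part of the bug report: it creates rule files the way sa-update would under a given umask (a constructed stand-in written to a temporary directory, not to /var/lib/spamassassin) and then verifies that everything under the rules directory is readable by "other", which is what amavis needs when it runs as a different user. The function names simulate_update and rules_world_readable are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the spamassassin package or the bug report.
# Shows the effect the report describes: rules written under umask 007 are
# unreadable by "other", rules written under umask 022 are fine.

# simulate_update DIR UMASK
# Stand-in for sa-update: create the rule file and directory layout that
# sa-update produces, under the given umask (constructed sample output).
simulate_update() {
    dir=$1
    mask=$2
    (
        umask "$mask"
        mkdir -p "$dir/3.004000/updates_spamassassin_org"
        : > "$dir/3.004000/updates_spamassassin_org.cf"
        : > "$dir/3.004000/updates_spamassassin_org/10_default_prefs.cf"
    )
}

# rules_world_readable DIR
# Return 0 if every file and directory under DIR has the "other read" bit
# (mode 004) set, i.e. a daemon running as another user can read the rules.
# Return 1 and list the offending paths otherwise.
rules_world_readable() {
    bad=$(find "$1" ! -perm -004 -print)
    if [ -n "$bad" ]; then
        printf 'not world-readable:\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# Demonstration: a rules tree written with the reporter's umask (007) fails
# the check, one written with the umask the cron job intends (022) passes.
demo() {
    tmp=$(mktemp -d) || return 1
    simulate_update "$tmp/with-007" 007
    simulate_update "$tmp/with-022" 022
    rules_world_readable "$tmp/with-007" && echo "unexpected: 007 tree readable"
    rules_world_readable "$tmp/with-022" && echo "022 tree readable by other"
    rm -rf "$tmp"
}
```

Run rules_world_readable /var/lib/spamassassin on a real host after the cron job to confirm that amavis will be able to load the updated rules.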

Roger Cornelius (rac-3) wrote :
Robie Basak (racb) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better.

Is your umask 007 because you changed the system default? I'm asking to understand whether this will affect all spamassassin/sa-update/amavisd users by default, or if it only affects others who have changed their system umask.

spamassassin is maintained in Debian, so to make progress on this bug somebody needs to verify if Debian is affected by this problem and if it is then to report a bug in the Debian bug tracking system if there isn't a bug there already.

tags: added: needs-upstream-report

I don't recall for sure, but I have 'UMASK 077' in /etc/login.defs and
believe the default is 022, so I probably have changed the default. I
also have 'USERGROUPS_ENAB yes', resulting in a mask of 007 for the
debian-spamd account.

In my opinion, amavis's ability to read the ruleset created by sa-update
should not rely on the default umask being in effect when sa-update was
run. I doubt it is uncommon for a user to change that default. Instead,
set the umask explicitly before running sa-update so the rules are world
readable. If this is safe, i.e., not a security issue, it would not
hurt even if someone were to install spamassassin without installing
amavisd-new.

On 09/25/2014 12:04, Robie Basak wrote:
> Thank you for taking the time to report this bug and helping to make
> Ubuntu better.
>
> Is your umask 007 because you changed the system default? I'm asking to
> understand whether this will affect all spamassassin/sa-update/amavisd
> users by default, or if it only affects others who have changed their
> system umask.
>
> spamassassin is maintained in Debian, so to make progress on this bug
> somebody needs to verify if Debian is affected by this problem and if it
> is then to report a bug in the Debian bug tracking system if there isn't
> a bug there already.
>
> ** Tags added: needs-upstream-report

Robie Basak (racb) wrote :

> In my opinion, amavis's ability to read the ruleset created by sa-update
> should not rely on the default umask being in effect when sa-update was
> run.

Agreed. I just wanted to understand the proportion of users who might be affected.

This needs to be investigated in Debian.

Changed in spamassassin (Ubuntu):
importance: Undecided → Medium
Roger Cornelius (rac-3) wrote :

On 09/26/2014 08:21, Robie Basak wrote:
> > In my opinion, amavis's ability to read the ruleset created by sa-update
> > should not rely on the default umask being in effect when sa-update was
> > run.
>
> Agreed. I just wanted to understand the proportion of users who might be
> affected.
>
> This needs to be investigated in Debian.

Thank you. I don't know if it's relevant, but this problem was not
present on 12.04LTS and only appeared after I upgraded to 14.04LTS.

If I can do anything else to help, let me know.

Roger

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in spamassassin (Ubuntu):
status: New → Confirmed
Nikolai Kristiansen (nikolaik) wrote :

I'm hitting this on mail servers which run with a system-wide umask of 007, set in /etc/profile.

After /etc/cron.daily/spamassassin has run and the first email is processed, amavis will shut down, since it can't read /var/lib/spamassassin/3.004000/updates_spamassassin_org.cf, resulting in a pile-up in postfix's deferred queue.

Rasmus Borup Hansen (rbh-a) wrote :

I ran into this bug as well and checked if it's also present in Debian. It appears that from spamassassin 3.4.0-2 the relevant code is:

# Update
umask 022
env -i LANG="$LANG" PATH="$PATH" start-stop-daemon \
    --chuid debian-spamd:debian-spamd --start \
    --exec /usr/bin/sa-update -- \
    --gpghomedir /var/lib/spamassassin/sa-update-keys 2>&1

When using start-stop-daemon to invoke sa-update the umask is not changed, so updating to this version will fix the bug.
