Comment 3 for bug 1373560

Roger Cornelius (rac-3) wrote : Re: [Bug 1373560] Re: /etc/cron.daily/spamassassin calls sa-update with potentially incorrect umask

I don't recall for sure, but I have 'UMASK 077' in /etc/login.defs and
believe the default is 022, so I probably have changed the default. I
also have 'USERGROUPS_ENAB yes', resulting in a mask of 007 for the
debian-spamd account.

In my opinion, amavis's ability to read the ruleset created by sa-update
should not rely on the default umask being in effect when sa-update was
run. I doubt it uncommon for a user to change that default. Instead,
set the umask explicitly before running sa-update so the rules are world
readable. If this is safe, i.e., not a security issue, it would not
hurt even if someone were to install spamassassin without installing
amavisd-new.

On 09/25/2014 12:04, Robie Basak wrote:
> Thank you for taking the time to report this bug and helping to make
> Ubuntu better.
>
> Is your umask 007 because you changed the system default? I'm asking to
> understand whether this will affect all spamassassin/sa-update/amavisd
> users by default, or if it only affects others who have changed their
> system umask.
>
> spamassassin is maintained in Debian, so to make progress on this bug
> somebody needs to verify if Debian is affected by this problem and if it
> is then to report a bug in the Debian bug tracking system if there isn't
> a bug there already.
>
> ** Tags added: needs-upstream-report
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1373560
>
> Title:
> /etc/cron.daily/spamassassin calls sa-update with potentially
> incorrect umask
>
> Status in "spamassassin" package in Ubuntu:
> New
>
> Bug description:
> ubuntu 14.04.1 LTS
> Packages:
> spamassassin (3.4.0-1ubuntu1)
> amavisd-new (1:2.7.1-2ubuntu3)
>
> This report has to do with a problem between the interaction of the
> spamassassin and amavisd-new packages, but the problem is with
> /etc/cron.daily/spamassassin.
>
> /etc/cron.daily/spamassassin executes the following line:
>
> su - debian-spamd -c "sa-update --gpghomedir /var/lib/spamassassin/sa-update-keys"
>
> Since su is invoked with the "-" option, sa-update executes with the
> default umask of user debian-spamd. In my case that is 007, causing
> the updated rules, i.e.
> /var/lib/spamassassin/3.004000/updates_spamassassin_org.cf and
> /var/lib/spamassassin/3.004000/updates_spamassassin_org/*, to be
> created with no read access for "other". When amavis is restarted, it
> is unable to read the spamassassin rules, and consequently
> spamassassin rule checks are not performed on received mail.
>
> It appears someone attempted to correct this by adding the line:
>
> umask 022
>
> immediately above the call to su mentioned above. This is ineffectual
> however due to su being called with "-". A fix is to change the above
> su call to this line:
>
> su - debian-spamd -c "umask 022; sa-update --gpghomedir /var/lib/spamassassin/sa-update-keys"
>
> A file with the output of 'ubuntu-bug --save=/tmp/sa-bug spamassassin'
> is attached.
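
Added example, not part of the original report or of the package's cron script: a check that lists rule files and directories missing the "other" read bits, which is the condition the report says leaves amavis unable to load the rules. The function names, the temporary directory and the file `10_example.cf` are constructed for illustration, and `make_rules` only stands in for an sa-update run under a given umask.

```shell
#!/bin/sh
# Added example: find SpamAssassin rule files that a separate account
# (such as the one amavis runs as) cannot read through the "other" bits.

# unreadable_by_other DIR
# Prints every regular file lacking o+r and every directory lacking o+rx.
unreadable_by_other() {
    find "$1" \( -type f ! -perm -o=r \) -o \( -type d ! -perm -o=rx \) | sort
}

# make_rules DIR MASK
# Constructed stand-in for an sa-update run: creates a rule file and a rule
# directory under MASK. The body is a subshell, so the caller's umask is
# left unchanged.
make_rules() (
    umask "$2"
    mkdir -p "$1/updates_spamassassin_org"
    : > "$1/updates_spamassassin_org.cf"
    : > "$1/updates_spamassassin_org/10_example.cf"
)

# demo
# Builds one tree per umask and reports what "other" cannot read in each.
demo() {
    base=$(mktemp -d) || return 1
    make_rules "$base/mask007" 007   # the reporter's effective umask
    make_rules "$base/mask022" 022   # the umask the proposed fix sets
    echo "created with umask 007:"
    unreadable_by_other "$base/mask007"
    echo "created with umask 022:"
    unreadable_by_other "$base/mask022"
    rm -rf "$base"
}

demo
```

On a real system the same check would be pointed at the rules directory named in the report, for example `unreadable_by_other /var/lib/spamassassin/3.004000`, after the daily cron job has run.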