I don't recall for sure, but I have 'UMASK 077' in /etc/login.defs and believe the default is 022, so I probably have changed the default. I also have 'USERGROUPS_ENAB yes', resulting in a mask of 007 for the debian-spamd account. In my opinion, amavis's ability to read the ruleset created by sa-update should not rely on the default umask being in effect when sa-update was run. I doubt it uncommon for a user to change that default. Instead, set the umask explicitly before running sa-update so the rules are world readable. If this is safe, i.e., not a security issue, it would not hurt even if someone were to install spamassassin without installing amavisd-new. On 09/25/2014 12:04, Robie Basak wrote: > Thank you for taking the time to report this bug and helping to make > Ubuntu better. > > Is your umask 007 because you changed the system default? I'm asking to > understand whether this will affect all spamassassin/sa-update/amavisd > users by default, or if it only affects others who have changed their > system umask. > > spamassassin is maintained in Debian, so to make progress on this bug > somebody needs to verify if Debian is affected by this problem and if it > is then to report a bug in the Debian bug tracking system if there isn't > a bug there already. > > ** Tags added: needs-upstream-report > > -- > You received this bug notification because you are subscribed to the bug > report. > https://bugs.launchpad.net/bugs/1373560 > > Title: > /etc/cron.daily/spamassassin calls sa-update with potentially > incorrect umask > > Status in ???spamassassin??? package in Ubuntu: > New > > Bug description: > ubuntu 14.04.1 LTS > Packages: > spamassassin (3.4.0-1ubuntu1) > amavisd-new (1:2.7.1-2ubuntu3) > > This report has to do with a problem between the interaction of the > spamassassin and amavisd-new packages, but the problem is with > /etc/cron.daily/spamassassin. > > /etc/cron.daily/spamassassin executes the following line: > > su - debian-spamd -c "sa-update --gpghomedir /var/lib/spamassassin/sa- > update-keys" > > Since su is invoked with the "-" option, sa-update executes with the > default umask of user debian-spamd. In my case that is 007, causing > the updated rules , i.e. > /var/lib/spamassassin/3.004000/updates_spamassassin_org.cf and > /var/lib/spamassassin/3.004000/updates_spamassassin_org/*, to be > created with no read access for "other". When amavis is restarted, it > is unable to read the spamassassin rules, and consequently > spamassassin rule checks are not performed on received mail. > > It appears someone attempted to correct this by adding the line: > > umask 022 > > immediately above the call to su mentioned above. This in ineffectual > however due to su being called with "-". A fix is to change the above > su call to this line: > > su - debian-spamd -c "umask 022; sa-update --gpghomedir > /var/lib/spamassassin/sa-update-keys" > > A file with the output of 'ubuntu-bug --save=/tmp/sa-bug spamassassin' > is attached. > > To manage notifications about this bug go to: > https://bugs.launchpad.net/ubuntu/+source/spamassassin/+bug/1373560/+subscriptions >