I don't recall for sure, but I have 'UMASK 077' in /etc/login.defs and
believe the default is 022, so I probably have changed the default.  I
also have 'USERGROUPS_ENAB yes', resulting in a mask of 007 for the
debian-spamd account.

In my opinion, amavis's ability to read the ruleset created by sa-update
should not rely on the default umask being in effect when sa-update was
run.  I doubt it uncommon for a user to change that default.  Instead,
set the umask explicitly before running sa-update so the rules are world
readable.  If this is safe, i.e., not a security issue, it would not
hurt even if someone were to install spamassassin without installing
amavisd-new.

On 09/25/2014 12:04, Robie Basak wrote:
> Thank you for taking the time to report this bug and helping to make
> Ubuntu better.
> 
> Is your umask 007 because you changed the system default? I'm asking to
> understand whether this will affect all spamassassin/sa-update/amavisd
> users by default, or if it only affects others who have changed their
> system umask.
> 
> spamassassin is maintained in Debian, so to make progress on this bug
> somebody needs to verify if Debian is affected by this problem and if it
> is then to report a bug in the Debian bug tracking system if there isn't
> a bug there already.
> 
> ** Tags added: needs-upstream-report
> 
> -- 
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1373560
> 
> Title:
>   /etc/cron.daily/spamassassin calls sa-update with potentially
>   incorrect umask
> 
> Status in ???spamassassin??? package in Ubuntu:
>   New
> 
> Bug description:
>   ubuntu 14.04.1 LTS 
>   Packages:
>   spamassassin (3.4.0-1ubuntu1)
>   amavisd-new (1:2.7.1-2ubuntu3)
> 
>   This report has to do with a problem between the interaction of the
>   spamassassin and amavisd-new packages, but the problem is with
>   /etc/cron.daily/spamassassin.
> 
>   /etc/cron.daily/spamassassin executes the following line:
> 
>   su - debian-spamd -c "sa-update --gpghomedir /var/lib/spamassassin/sa-
>   update-keys"
> 
>   Since su is invoked with the "-" option, sa-update executes with the
>   default umask of user debian-spamd.  In my case that is 007, causing
>   the updated rules , i.e.
>   /var/lib/spamassassin/3.004000/updates_spamassassin_org.cf and
>   /var/lib/spamassassin/3.004000/updates_spamassassin_org/*, to be
>   created with no read access for "other".  When amavis is restarted, it
>   is unable to read the spamassassin rules, and consequently
>   spamassassin rule checks are not performed on received mail.
> 
>   It appears someone attempted to correct this by adding the line:
> 
>   umask 022
> 
>   immediately above the call to su mentioned above.  This in ineffectual
>   however due to su being called with "-".  A fix is to change the above
>   su call to this line:
> 
>   su - debian-spamd -c "umask 022; sa-update --gpghomedir
>   /var/lib/spamassassin/sa-update-keys"
> 
>   A file with the output of 'ubuntu-bug --save=/tmp/sa-bug spamassassin'
>   is attached.
> 
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/spamassassin/+bug/1373560/+subscriptions
>