Bug#385760: [Pkg-dspam-misc] Bug#385760: The dspam daemon should be
run by user dspam
Matthijs Mohlmann
matthijs at cacholong.nl
Sun Oct 8 13:45:31 UTC 2006
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Erik Johansson wrote:
> Package: dspam
> Version: 3.6.8-2~erik.1
> Severity: normal
>
> Hello,
>
> I maintain a sarge backport of dspam[1]. Today I received some suggestions
> from a user of the backport. Since I think the suggestions apply to the
> version in unstable as well, I'm forwarding the suggestions to you.
>
> My backported packages are identical to the version in unstable, except a
> change in build-dep: libmysqlclient15-dev => libmysqlclient14-dev
>
> I'm also considering trying to get dspam included on backports.org. If you
> have any objections to this, please let me know.
>
> Best regards
> // Erik
>
> [1] - deb http://eddie.ejohansson.se/debian/ sarge main
>
> == From Günther Mair ==
>
> [...] I experienced some trouble when running it straigth away with
> the dspam-webinterface for learning. Reason: the webinterface while
> running suexec'ed as "dspam" would not have access to update the log-
> files in "/var/spool/dspam/data/MYDOMAIN/MYUSERNAME"...
>
> They regularly become owned by the "root" user and write-back to them
> from the webinterfaces becomes impossible (if i don't change root's
> umask which I would prefer not to.... ;-) ).
>
> What I did and what I would like you to consider on this package is
> the following:
>
> - change the init-script to run the dspam daemon as dspam user
> instead of root (doesn't change anything anyway - just one process
> needlessly running as root less), while you still may execute the
> dspam-client apps as root (use the "--chuid" parameter for start-stop-
> daemon)
>
> - chown & chgrp the files beyond /var/spool/dspam to dspam user &
> dspam group
>
> - change the PID-File in your init-script and dspam-default
> configuration to reside inside the /var/run/dspam directory owned by
> dspam (so dspam user can write to it)
>
> - change the logfile to reside in an directory writeable by dspam
> (ie. /var/log/dspam/dspam.log)
>
> - the dspam_logrotate application should obviously be run as user dspam (or
> like this: [su - dspam "dspam_logrotate -a 90 -d /var/spool/dspam/data"]),
> otherwise the rotated logfiles may not be accessible to the dspam-daemon
> anymore - as actualy happened today with my installation ;-)
>
The dspam binary is setguid. This is done because of users can run the
dspam binary by hand to gather information about the status of their
spamfilter. So the files get owned by root:dspam. But it's always better
to have it run as user, one daemon less that runs as root.
Thanks.
Regards,
Matthijs Mohlmann
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFFKQD72n1ROIkXqbARAg0UAJ9Kj8fiX8ybszXU6N7p+W/zfKVQ2gCgkgjW
gsZbRPz0wapolr4cbNIJKPw=
=GMum
-----END PGP SIGNATURE-----
More information about the Pkg-dspam-misc
mailing list