Package: spamassassin
Version: 3.3.1-1
Severity: normal

On Sat, 23 Apr 2011 12:35:58 -0700, Jameson Graef Rollins <jroll...@finestructure.net> wrote:
> The cron script (/etc/cron.daily/spamassassin) runs sa-update as root.
> However, sa-update pulls spamassassin rules from the net
> (updates.spamassassin.org by default). It seems to me that running
> sa-update as root is a really BAD idea. I do not want the root user
> on my system to be pulling data off of the net if it can be avoided.
> And it seems like it can in this case, since sa-update could be run by
> a non-privileged user.

In addition to the above, that cron script also runs sa-compile as root, which is a cause (but not the only one) of bugs #568880 and #504154.

> I think that /etc/cron.daily/spamassassin should either be modified to
> run sa-update as a non-privileged user (presumably something like
> spamd). Either that or the sa-update portion itself should be run
> under the non-privileged user in /etc/cron.d/spamassassin.

The same should also be done for sa-compile. Can the whole script be run as a different user?

Thanks,
Roger

-- System Information:
Debian Release: 6.0.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable'), (150, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages spamassassin depends on:
pn  libarchive-tar-perl     <none>             (no description available)
ii  libdigest-sha1-perl     2.13-1             NIST SHA-1 message digest algorith
ii  libhtml-parser-perl     3.66-1             collection of modules that parse H
ii  libnet-dns-perl         0.66-2             Perform DNS queries from a Perl sc
ii  libnetaddr-ip-perl      4.028+dfsg-1       IP address manipulation module
ii  libsocket6-perl         0.23-1             Perl extensions for IPv6
ii  libsys-hostname-long-p  1.4-2              Figure out the long (fully-qualifi
ii  libwww-perl             5.836-1            Perl HTTP/WWW client/server librar
ii  perl                    5.10.1-17squeeze3  Larry Wall's Practical Extraction
ii  perl-modules [libio-zl  5.10.1-17squeeze3  Core Perl modules

Versions of packages spamassassin recommends:
ii  gcc                     4:4.4.5-1          The GNU C compiler
ii  gnupg                   1.4.10-4           GNU privacy guard - a free PGP rep
ii  libc6-dev               2.11.3-3           Embedded GNU C Library: Developmen
ii  libio-socket-inet6-per  2.65-1.1           Object interface for AF_INET6 doma
ii  libmail-spf-perl        2.007-1            Perl implementation of Sender Poli
ii  make                    3.81-8             An utility for Directing compilati
ii  perl [libsys-syslog-pe  5.10.1-17squeeze3  Larry Wall's Practical Extraction
ii  re2c                    0.13.5-1           tool for generating fast C-based r
ii  spamc                   3.3.1-1            Client for SpamAssassin spam filte

Versions of packages spamassassin suggests:
pn  libdbi-perl             <none>             (no description available)
pn  libio-socket-ssl-perl   <none>             (no description available)
ii  libmail-dkim-perl       0.38-1             cryptographically identify the sen
pn  libnet-ident-perl       <none>             (no description available)
ii  perl [libcompress-zlib  5.10.1-17squeeze3  Larry Wall's Practical Extraction
ii  pyzor                   1:0.5.0-2          spam-catcher using a collaborative
ii  razor                   1:2.85-3           spam-catcher using a collaborative

-- Configuration Files:
/etc/cron.daily/spamassassin changed:
CRON=0
test -f /etc/default/spamassassin && . /etc/default/spamassassin
test -x /usr/bin/sa-update || exit 0
test -x /etc/init.d/spamassassin || exit 0
if [ "$CRON" = "0" ] ; then
    exit 0
fi
die_with_lint() {
    spamassassin --lint -D 2>&1
    exit 1
}
do_compile() {
    if [ -x /usr/bin/re2c -a -x /usr/bin/sa-compile \
        -a -d /var/lib/spamassassin/compiled ]; then
        sa-compile --quiet
        # Fixup perms -- group and other should be able to
        # read and execute, but never write. Works around
        # sa-compile's failure to obey umask.
        if [ -d /var/lib/spamassassin ]; then
            chmod -R go-w,go+rX /var/lib/spamassassin/
        fi
    fi
}
reload() {
    # Reload
    if which invoke-rc.d >/dev/null 2>&1; then
        invoke-rc.d spamassassin reload > /dev/null
    else
        /etc/init.d/spamassassin reload > /dev/null
    fi
    if [ -d /etc/spamassassin/sa-update-hooks.d ]; then
        run-parts --lsbsysinit /etc/spamassassin/sa-update-hooks.d
    fi
}
RANGE=3600
number=`od -vAn -N2 -tu4 < /dev/urandom`
number=`expr $number "%" $RANGE`
sleep $number
umask 022
sa-update
case $? in
    0)
        # got updates!
        su -s /bin/sh -c "spamassassin --lint" spamd || die_with_lint
        do_compile
        reload
        ;;
    1)
        # no updates
        #exit 0
        ;;
    2)
        # lint failed!
        die_with_lint
        ;;
    *)
        echo "sa-update failed for unknown reasons" 1>&2
        ;;
esac
su -s /bin/sh -c "sa-learn --force-expire" spamd

/etc/default/spamassassin changed:
ENABLED=1
OPTIONS="-u spamd --allow-tell"
PIDFILE="/var/run/spamd.pid"
CRON=1

/etc/spamassassin/local.cf changed:
time_limit 50
clear_report_template
report Host "_HOSTNAME_", requires _REQD_ points.
report _SUMMARY_
clear_unsafe_report_template
unsafe_report **UNSAFE SPAM**
unsafe_report Host "_HOSTNAME_", requires _REQD_ points.
unsafe_report _SUMMARY_
auto_whitelist_path /var/lib/spamd/auto-whitelist
auto_whitelist_factor 0.3
score BAYES_00 0 0 (-0.5) (-0.5)
score BAYES_05 0 0 (-0.5) (-0.5)
score BAYES_80 0 0 (0.5) (0.5)
score BAYES_95 0 0 (0.5) (1.0)
score BAYES_99 0 0 (1.0) (2.0)
score MICROSOFT_EXECUTABLE (1.0)
score MIME_SUSPECT_NAME (0.5)
ok_locales en
ok_languages en
trusted_networks 192.168/16 90.155.73.34 194.217.242/24 193.178.223.136 81.187.30.29
internal_networks 192.168/16 90.155.73.34
lock_method flock
required_score 0.0
bayes_path /var/lib/spamd/bayes/bayes
bayes_auto_learn_threshold_nonspam 2.0
bayes_auto_learn_threshold_spam 6.0
bayes_auto_expire 0
ifplugin Mail::SpamAssassin::Plugin::Shortcircuit
endif # Mail::SpamAssassin::Plugin::Shortcircuit

/etc/spamassassin/v310.pre changed:
loadplugin Mail::SpamAssassin::Plugin::Pyzor
pyzor_timeout 10
loadplugin Mail::SpamAssassin::Plugin::Razor2
loadplugin Mail::SpamAssassin::Plugin::SpamCop
loadplugin Mail::SpamAssassin::Plugin::AntiVirus
loadplugin Mail::SpamAssassin::Plugin::AWL
loadplugin Mail::SpamAssassin::Plugin::AutoLearnThreshold
loadplugin Mail::SpamAssassin::Plugin::TextCat
loadplugin Mail::SpamAssassin::Plugin::WhiteListSubject
loadplugin Mail::SpamAssassin::Plugin::MIMEHeader
loadplugin Mail::SpamAssassin::Plugin::ReplaceTags

/etc/spamassassin/v320.pre changed:
loadplugin Mail::SpamAssassin::Plugin::Check
loadplugin Mail::SpamAssassin::Plugin::HTTPSMismatch
loadplugin Mail::SpamAssassin::Plugin::URIDetail
loadplugin Mail::SpamAssassin::Plugin::Bayes
loadplugin Mail::SpamAssassin::Plugin::BodyEval
loadplugin Mail::SpamAssassin::Plugin::DNSEval
loadplugin Mail::SpamAssassin::Plugin::HTMLEval
loadplugin Mail::SpamAssassin::Plugin::HeaderEval
loadplugin Mail::SpamAssassin::Plugin::MIMEEval
loadplugin Mail::SpamAssassin::Plugin::RelayEval
loadplugin Mail::SpamAssassin::Plugin::URIEval
loadplugin Mail::SpamAssassin::Plugin::WLBLEval
loadplugin Mail::SpamAssassin::Plugin::VBounce
loadplugin Mail::SpamAssassin::Plugin::Rule2XSBody
loadplugin Mail::SpamAssassin::Plugin::ASN
loadplugin Mail::SpamAssassin::Plugin::ImageInfo

-- no debconf information
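
One way to do what the report asks, as an added example that is neither the Debian package's script nor part of the original message: sa-update, the lint check and sa-compile run as the unprivileged user, and only the daemon reload is left to root. The variable names, the ownership check, the return code 100 and the "run" argument are assumptions of this example; the spamd account, /var/lib/spamassassin and the sa-update exit codes come from the script quoted in the report.

```shell
#!/bin/sh
# Added example, not the Debian package's cron script.
# Assumption: the state directory was handed to the unprivileged account
# once (chown -R spamd /var/lib/spamassassin) before this is used.
SA_USER=${SA_USER:-spamd}
SA_STATE=${SA_STATE:-/var/lib/spamassassin}
SA_UPDATE=${SA_UPDATE:-sa-update}
SA_LINT=${SA_LINT:-spamassassin --lint}
SA_COMPILE=${SA_COMPILE:-sa-compile --quiet}
SA_RELOAD=${SA_RELOAD:-invoke-rc.d spamassassin reload}

# Run one command line as $SA_USER. root drops privileges with su, the way
# the quoted script already does for --lint and sa-learn; a caller that is
# not root can only run the command as itself.
as_sa_user() {
    if [ "$(id -u)" -eq 0 ]; then
        su -s /bin/sh -c "$1" "$SA_USER"
    else
        /bin/sh -c "$1"
    fi
}

# True only if everything under the state directory belongs to $SA_USER,
# so the unprivileged sa-update and sa-compile can write their output.
state_owned() {
    foreign=$(find "$SA_STATE" ! -user "$SA_USER" -print 2>/dev/null) || return 1
    [ -z "$foreign" ]
}

# sa-update exit codes as handled in the quoted script:
# 0 = updates fetched, 1 = no updates, anything else = failure.
update_rules() {
    state_owned || { echo "$SA_STATE is not owned by $SA_USER" >&2; return 100; }
    umask 022
    status=0
    as_sa_user "$SA_UPDATE" || status=$?
    case $status in
        0)  as_sa_user "$SA_LINT" || return 2
            as_sa_user "$SA_COMPILE" || return 3
            /bin/sh -c "$SA_RELOAD" >/dev/null ;;   # the only step left to root
        1)  return 0 ;;
        *)  echo "sa-update failed with status $status" >&2
            return "$status" ;;
    esac
}

# A root-owned /etc/cron.d entry would call this file with the argument "run".
if [ "${1:-}" = run ]; then update_rules; fi
```

With the state directory owned by spamd, the chmod -R fix-up that the quoted do_compile performs as root is no longer needed, because umask 022 applies to the files the unprivileged user creates.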