[gentoo-user] spamd and user nobody, sa-learn

[gentoo-user] spamd and user nobody, sa-learn

[meino.cramer]

Hi,

currently I am unsure, whether it is possible to update the
bayes-database of spamd/spamassassin as user mccramer while
spamd/spamassassin is running under user nobody:nobody AND
assign the database rw-rights for nobody:nobody only.

Nobody has neither the right to login nor a home directory.

I tried 
    
    sudo -u nobody sa-learn --spam --dbpath /etc/mail/nobody/.spamassassin/ --dir .

as user mccramer but it complains with:
"Sorry, user mccramer is not allowed to execute '/usr/bin/sa-learn --spam --dbpath /etc/mail/nobody/.spamassassin/ --dir .' as nobody:nobody on solfire."

/etc/sudoers is set to allow this for mccramer.

What is the trick to accomplish what is wanted here ?


Thank you very much in advance for any help!
Best regards,
mcc

Re: [gentoo-user] spamd and user nobody, sa-learn

[David W Noon]

[-- Attachment #1: Type: text/plain, Size: 1084 bytes --]

On Sat, 05 Mar 2011 10:40:01 +0100, meino.cramer@gmx.de wrote about
[gentoo-user] spamd and user nobody, sa-learn:

[snip]
>I tried 
>    
>    sudo -u nobody sa-learn --spam
> --dbpath /etc/mail/nobody/.spamassassin/ --dir .
>
>as user mccramer but it complains with:
>"Sorry, user mccramer is not allowed to execute '/usr/bin/sa-learn
>--spam --dbpath /etc/mail/nobody/.spamassassin/ --dir .' as
>nobody:nobody on solfire."
>
>/etc/sudoers is set to allow this for mccramer.
>
>What is the trick to accomplish what is wanted here ?

I need to specify the full path to the executable, /usr/bin/sa-learn,
when I use sudo to run it as amavis. [Note that I use Spamassassin as
part of Postfix via the amavisd-new daemon.  I also have my Bayes
tokens in a PostgreSQL database.  So my sa-learn command looks rather
different from yours anyway.]
-- 
Regards,

Dave  [RLU #314465]
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
dwnoon@ntlworld.com (David W Noon)
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 198 bytes --]

Re: [gentoo-user] spamd and user nobody, sa-learn

[meino.cramer]

David W Noon <dwnoon@ntlworld.com> [11-03-05 15:43]:
> On Sat, 05 Mar 2011 10:40:01 +0100, meino.cramer@gmx.de wrote about
> [gentoo-user] spamd and user nobody, sa-learn:
> 
> [snip]
> >I tried 
> >    
> >    sudo -u nobody sa-learn --spam
> > --dbpath /etc/mail/nobody/.spamassassin/ --dir .
> >
> >as user mccramer but it complains with:
> >"Sorry, user mccramer is not allowed to execute '/usr/bin/sa-learn
> >--spam --dbpath /etc/mail/nobody/.spamassassin/ --dir .' as
> >nobody:nobody on solfire."
> >
> >/etc/sudoers is set to allow this for mccramer.
> >
> >What is the trick to accomplish what is wanted here ?
> 
> I need to specify the full path to the executable, /usr/bin/sa-learn,
> when I use sudo to run it as amavis. [Note that I use Spamassassin as
> part of Postfix via the amavisd-new daemon.  I also have my Bayes
> tokens in a PostgreSQL database.  So my sa-learn command looks rather
> different from yours anyway.]
> -- 
> Regards,
> 
> Dave  [RLU #314465]
> *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
> dwnoon@ntlworld.com (David W Noon)
> *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

Hi Dave,

no luck...the problem remains the same with or without the full
path...

How can I fix it?

Best regards
mcc

Re: [gentoo-user] spamd and user nobody, sa-learn

[David W Noon]

[-- Attachment #1: Type: text/plain, Size: 1591 bytes --]

On Sun, 06 Mar 2011 02:00:02 +0100, meino.cramer@gmx.de wrote about Re:
[gentoo-user] spamd and user nobody, sa-learn:

>David W Noon <dwnoon@ntlworld.com> [11-03-05 15:43]:
[snip]
>> I need to specify the full path to the executable, /usr/bin/sa-learn,
>> when I use sudo to run it as amavis. [Note that I use Spamassassin as
>> part of Postfix via the amavisd-new daemon.  I also have my Bayes
>> tokens in a PostgreSQL database.  So my sa-learn command looks rather
>> different from yours anyway.]
[snip]
>no luck...the problem remains the same with or without the full
>path...

Run visudo (as root) and check your sudo option.  The ones on my
system, applicable to this, are as follows:

Defaults        env_reset, always_set_home

Cmnd_Alias SPAMASSASSIN
= /usr/bin/sa-learn, /usr/bin/spamassassin, /usr/bin/spamc

%mail   ALL=(amavis) NOPASSWD: SPAMASSASSIN

[Note that the second one is on 1 line.  My newsreader has word-wrapped
it to 2 lines at its first punctuation mark.]

This allows anyone in the "mail" group to run any of the end-user
commands for Spamassassin as the "amavis" user, without requiring them
to supply a password -- or even that "amavis" have a password.

I usually export spam or ham into an mbox file and then run:

sudo -u amavis /usr/bin/sa-learn --ham --mbox /tmp/good_ham.mbx

and this works well.
-- 
Regards,

Dave  [RLU #314465]
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
dwnoon@ntlworld.com (David W Noon)
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 198 bytes --]

Re: [gentoo-user] spamd and user nobody, sa-learn

[meino.cramer]

David W Noon <dwnoon@ntlworld.com> [11-03-06 18:16]:
> On Sun, 06 Mar 2011 02:00:02 +0100, meino.cramer@gmx.de wrote about Re:
> [gentoo-user] spamd and user nobody, sa-learn:
> 
> >David W Noon <dwnoon@ntlworld.com> [11-03-05 15:43]:
> [snip]
> >> I need to specify the full path to the executable, /usr/bin/sa-learn,
> >> when I use sudo to run it as amavis. [Note that I use Spamassassin as
> >> part of Postfix via the amavisd-new daemon.  I also have my Bayes
> >> tokens in a PostgreSQL database.  So my sa-learn command looks rather
> >> different from yours anyway.]
> [snip]
> >no luck...the problem remains the same with or without the full
> >path...
> 
> Run visudo (as root) and check your sudo option.  The ones on my
> system, applicable to this, are as follows:
> 
> Defaults        env_reset, always_set_home
> 
> Cmnd_Alias SPAMASSASSIN
> = /usr/bin/sa-learn, /usr/bin/spamassassin, /usr/bin/spamc
> 
> %mail   ALL=(amavis) NOPASSWD: SPAMASSASSIN
> 
> [Note that the second one is on 1 line.  My newsreader has word-wrapped
> it to 2 lines at its first punctuation mark.]
> 
> This allows anyone in the "mail" group to run any of the end-user
> commands for Spamassassin as the "amavis" user, without requiring them
> to supply a password -- or even that "amavis" have a password.
> 
> I usually export spam or ham into an mbox file and then run:
> 
> sudo -u amavis /usr/bin/sa-learn --ham --mbox /tmp/good_ham.mbx
> 
> and this works well.
> -- 
> Regards,
> 
> Dave  [RLU #314465]
> *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
> dwnoon@ntlworld.com (David W Noon)
> *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

Does your "amavis" user own a home directory?

Best regards
mcc

Re: [gentoo-user] spamd and user nobody, sa-learn

[David W Noon]

[-- Attachment #1: Type: text/plain, Size: 419 bytes --]

On Sun, 06 Mar 2011 19:00:02 +0100, meino.cramer@gmx.de wrote about Re:
[gentoo-user] spamd and user nobody, sa-learn:

>Does your "amavis" user own a home directory?

Yes.  It is /var/amavis.
-- 
Regards,

Dave  [RLU #314465]
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
dwnoon@ntlworld.com (David W Noon)
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 198 bytes --]