From owner-freebsd-ports-bugs@FreeBSD.ORG Fri Mar 11 14:30:05 2005 Return-Path: Delivered-To: freebsd-ports-bugs@hub.freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id F1AE116A4D0 for ; Fri, 11 Mar 2005 14:30:04 +0000 (GMT) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 84E0243D58 for ; Fri, 11 Mar 2005 14:30:04 +0000 (GMT) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.3/8.13.3) with ESMTP id j2BEU4ko082712 for ; Fri, 11 Mar 2005 14:30:04 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.13.3/8.13.1/Submit) id j2BEU3iF082681; Fri, 11 Mar 2005 14:30:04 GMT (envelope-from gnats) Resent-Date: Fri, 11 Mar 2005 14:30:04 GMT Resent-Message-Id: <200503111430.j2BEU3iF082681@freefall.freebsd.org> Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer) Resent-To: freebsd-ports-bugs@FreeBSD.org Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Jeremy Chadwick Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9BB8C16A4D4 for ; Fri, 11 Mar 2005 14:28:54 +0000 (GMT) Received: from mx1.parodius.com (mx1.parodius.com [64.62.145.229]) by mx1.FreeBSD.org (Postfix) with ESMTP id DE52143D5A for ; Fri, 11 Mar 2005 14:28:50 +0000 (GMT) (envelope-from jdc@pentarou.parodius.com) Received: from pentarou.parodius.com (localhost [127.0.0.1]) by mx1.parodius.com (8.13.1/8.13.1) with ESMTP id j2BESWIU013158 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Fri, 11 Mar 2005 06:28:32 -0800 (PST) (envelope-from jdc@pentarou.parodius.com) Received: (from jdc@localhost) by pentarou.parodius.com (8.13.1/8.13.1/Submit) id j2BESWkf013157; Fri, 11 Mar 2005 06:28:32 -0800 (PST) (envelope-from jdc) Message-Id: <200503111428.j2BESWkf013157@pentarou.parodius.com> Date: Fri, 11 Mar 2005 06:28:32 -0800 (PST) From: Jeremy Chadwick To: FreeBSD-gnats-submit@FreeBSD.org X-Send-Pr-Version: 3.113 Subject: ports/78700: sa-spamd script does not play well with spamd "-u" flag X-BeenThere: freebsd-ports-bugs@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: Jeremy Chadwick List-Id: Ports bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 11 Mar 2005 14:30:05 -0000 >Number: 78700 >Category: ports >Synopsis: sa-spamd script does not play well with spamd "-u" flag >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Fri Mar 11 14:30:03 GMT 2005 >Closed-Date: >Last-Modified: >Originator: Jeremy Chadwick >Release: FreeBSD 4.11-STABLE i386 >Organization: Parodius Networking >Environment: System: FreeBSD pentarou.parodius.com 4.11-STABLE FreeBSD 4.11-STABLE #0: Sat Feb 5 08:39:49 PST 2005 root@pentarou.parodius.com:/usr/obj/usr/src/sys/PENTAROU i386 >Description: The sa-spamd.sh rc(8) script is not friendly with situations where spamd needs to run as a non-root user. If you start spamd in such environments, you'll receive a warning that spamd is switching credentials to a non-root user (default nobody). Example: Mar 11 06:15:01 medusa spamd[56571]: connection from localhost [127.0.0.1] at port 55031 Mar 11 06:15:01 medusa spamd[56571]: info: setuid to root succeeded Mar 11 06:15:01 medusa spamd[56571]: Still running as root: user not specified with -u, not found, or set to root. Fall back to nobody. Mar 11 06:15:01 medusa spamd[56571]: processing message <200503111415.j2BEF1Ah056662@medusa.parodius.com> for root:65534. As the warning in the log is generated __once per Email__, heavily loaded machines generate excessive syslog traffic. This can be avoided by setting spamd_flags to contain "-u nobody". This works great, except that it induces a new problem relating to the ownership of the PID file: Mar 11 06:00:30 medusa spamd[55988]: Can't write to PID file: Permission denied If things were simple, an admin could just do the following: touch /var/run/spamd.pid chown nobody:nobody /var/run/spamd.pid ...except that the sa-spamd.sh rc(8) script deliberately removes the pidfile when shutting down spamd. I have no idea how spamd handles signals, so one should test that to see how the pidfile is maintained in such situations (i.e. SIGTERM, SIGUSR1, etc.). >How-To-Repeat: 1. Shut down spamd 2. Set spamd_flags in rc.conf to contain "-u nobody" 3. Start spamd 4. Send someone mail to an account which gets processed by spamd 5. Look at /var/log/maillog; you will find a message along these lines: >Fix: There's a couple solutions available. Pick and choose whichever: 1. Don't remove the pidfile, period. I can't recommend this since I know of situations where spamd will not remove the pidfile when dying, etc. etc... So I believe the rm -f on the pidfile to be a good thing. 2. Grep through the spamd_flags rc.conf variable to see if -u is specified; if it is, touch and chown spamd_pidfile before the actual spamd process starts. This is excessive, in lieu of option 3... 3. Create a new "spamd_user" rc flag, and add appropriate framework for supporting this inside of sa-spamd.sh. This would be the best solution. >Release-Note: >Audit-Trail: >Unformatted: