From owner-freebsd-ports@freebsd.org  Wed Dec 21 00:16:38 2016
Return-Path: <owner-freebsd-ports@freebsd.org>
Delivered-To: freebsd-ports@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 5BB36C8A956
 for <freebsd-ports@mailman.ysv.freebsd.org>;
 Wed, 21 Dec 2016 00:16:38 +0000 (UTC) (envelope-from adamw@adamw.org)
Received: from mailman.ysv.freebsd.org (mailman.ysv.freebsd.org
 [IPv6:2001:1900:2254:206a::50:5])
 by mx1.freebsd.org (Postfix) with ESMTP id 493D512B8
 for <freebsd-ports@freebsd.org>; Wed, 21 Dec 2016 00:16:38 +0000 (UTC)
 (envelope-from adamw@adamw.org)
Received: by mailman.ysv.freebsd.org (Postfix)
 id 45A60C8A955; Wed, 21 Dec 2016 00:16:38 +0000 (UTC)
Delivered-To: ports@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 438E2C8A954
 for <ports@mailman.ysv.freebsd.org>; Wed, 21 Dec 2016 00:16:38 +0000 (UTC)
 (envelope-from adamw@adamw.org)
Received: from anoxia.adamw.org (anoxia.adamw.org [104.225.8.149])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "anoxia.adamw.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id C301112B7;
 Wed, 21 Dec 2016 00:16:37 +0000 (UTC) (envelope-from adamw@adamw.org)
Received: by anoxia.adamw.org (OpenSMTPD) with ESMTPSA id 76b76d18
 TLS version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO;
 Tue, 20 Dec 2016 17:16:35 -0700 (MST)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 10.2 \(3259\))
Subject: Re: mail/spamassassin config option AS_ROOT is confusing
From: Adam Weinberger <adamw@adamw.org>
In-Reply-To: <20161220235116.297d870f@gumby.homeunix.com>
Date: Tue, 20 Dec 2016 17:16:32 -0700
Cc: ports@freebsd.org,
 adamw@FreeBSD.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <29D71958-222C-4898-9B47-D71DDF72C9FC@adamw.org>
References: <20161220185343.GA12168@chilled.skew.org>
 <20161220235116.297d870f@gumby.homeunix.com>
To: RW <rwmaillists@googlemail.com>,
 Mike Brown <mike@skew.org>
X-Mailer: Apple Mail (2.3259)
X-BeenThere: freebsd-ports@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: Porting software to FreeBSD <freebsd-ports.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-ports>,
 <mailto:freebsd-ports-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ports/>
List-Post: <mailto:freebsd-ports@freebsd.org>
List-Help: <mailto:freebsd-ports-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-ports>,
 <mailto:freebsd-ports-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Dec 2016 00:16:38 -0000

> On 20 Dec, 2016, at 16:51, RW <rwmaillists@googlemail.com> wrote:
>=20
> On Tue, 20 Dec 2016 11:53:43 -0700
> Mike Brown wrote:
>=20
>> The AS_ROOT option in the mail/spamassassin port is really confusing
>> to me. Given that its description is "Run spamd as root
>> (recommended)", what actually happens is somewhat bonkers:
>>=20
>> The main spamd process always runs as root. If AS_ROOT is enabled,
>> then the child processes who do all the work will not run as root,
>> but rather as unprivileged user spamd. If AS_ROOT is disabled, then
>> the children *will* run as root, but as needed they will setuid to
>> the user calling spamc.=20
>> Which setting you want depends on where user prefs and Bayes data is
>> stored. If it's in user-owned ~/.spamassassin directories, then you
>> want AS_ROOT disabled or you'll get a plethora of error messages and
>> lock file warnings relating to permissions, since user spamd can't
>> write where it needs to.
>=20
> That shouldn't happen as the default (without virtual users) is to
> use /var/spool/spamd, the spamd user's home directory.
>=20
>> It took me a while to figure this out on a fresh installation. I
>> enabled the option, thinking "yes, of course I want it to run as
>> root, so that it can write to the users' home directories"... then I
>> was confused when it ended up not running as root but rather as user
>> spamd, and the behavior I wanted was only possible if I configured
>> the port to *not* run spamd as root.
>>=20
>> I guess I am just griping, but I would like to think there is a
>> better way to describe and name the configuration option. Maybe
>> AS_SPAMD_USER with description "Run spamd as unprivileged user
>> (recommended)"?=20
>=20
> I never noticed this because (probably like a lot of people) the first
> thing I did was set my own spamd_flags in rc.conf and that overrides
> the effect of AS_ROOT.=20
>=20
> I do agree it's confusing. I've CC'ed the maintainer.=20

Thanks for the Cc, RW. Mike, I completely agree that the wording is =
terrible.

I think your suggested text ("Run spamd as unprivileged user =
(recommended)") is great.

The ports system also has the ability to put more detail into a pkg-help =
file that shows up as something like "Press ^E for more info." It sounds =
like this would be useful here. It's been a while since I messed around =
with that option so would you be interested in writing a slightly more =
detailed explanation of the difference?

# Adam


--=20
Adam Weinberger
adamw@adamw.org
https://www.adamw.org