
Re: [vps-mail] On the subject of permissions, mail & SA



On Sun, Apr 04, 2004 at 06:26:12PM +0100, mell.net wrote:
> In the Bayes discussion, Scott noted that one should not have to open up
> permissions (i.e. chmod 777).
> 
> I have spamd running with procmail and sendmail. The maillog below shows
> the result of an attempt to write to /var/log/procmail.log when
> permissions are as standard for procmail.log (i.e. 600).
> 
> The only way I can get it to work just now is to chmod 666 procmail.log
> (606 might work, the point being it requires world permissions, I assume
> because it is running as userid?), but I don't like the 'world' being
> able to write. Any suggestions? (It has occurred to me I don't really
> understand the DROPPRIVS function - can the answer lie there somewhere?)

Yes; this is an open bug with the procmail vinstall--not your fault
(i.e., it's my fault).

The essence of the bug is that if you're going to do centralized
logging (e.g., /var/log/procmail.log), you shouldn't DROPPRIVS. Doing
what Abigail has done with spamc (adding "-u nobody" to the
command-line) will work around this; it will run spamc with lower
privileges while still letting you write to a centralized log file.

> >>>Apr  3 23:01:26 dommainame procmail[97076]: Error while writing to
> >>>"/var/log/procmail.log"

<snip>

> My /var/log dir has wide open permissions too - is this correct, surely
> not?
> drwxrwxrwx   2 root    wheel  1024 Apr  3 00:00 log
> 
> procmail.log looks like this currently:
> -rw-rw-rw-   1 root        wheel  14463 Apr  3 23:01 procmail.log

So, just remove the DROPPRIVS if you really need to maintain a
centralized log file. The side effect will be that spamc will not be
reading the individual user preferences. If you have to read
individual user preferences, keep the DROPPRIVS but remove the LOGFILE
lines that refer to root-owned (and only user writable) files (e.g.,
/var/log/procmail.log). If you want logging, replace them with
something like:

    LOGFILE=$HOME/.procmail.log

This can periodically be rotated from /etc/crontab:

    @daily    <user1>   /usr/local/bin/savelogs --period=7 --log=/.procmail.log
    @daily    <user2>   /usr/local/bin/savelogs --period=7 --log=/.procmail.log
    @daily    <user3>   /usr/local/bin/savelogs --period=7 --log=/.procmail.log

You can rotate as root more efficiently (i.e., just one /etc/crontab
entry):

    @daily    root      /usr/local/bin/savelogs --period=7 --log="/home/*/.procmail.log"

but it is not secure to do this unless your users don't have
ftp/cgi-bin access (even then, it's frowned upon but not likely to do
you harm for email-only users).

Scott
-- 
Scott Wiersdorf
scottw@xxxxxxxxxxxx
======================================================================
This is <vps-mail@xxxxxxxxxxxx>       <http://www.perlcode.org/lists/>
Before posting a question, please search the archives (see above URL).

