Date:      Tue, 20 Dec 2016 17:16:32 -0700
From:      Adam Weinberger <adamw@adamw.org>
To:        RW <rwmaillists@googlemail.com>, Mike Brown <mike@skew.org>
Cc:        ports@freebsd.org, adamw@FreeBSD.org
Subject:   Re: mail/spamassassin config option AS_ROOT is confusing
Message-ID:  <29D71958-222C-4898-9B47-D71DDF72C9FC@adamw.org>
In-Reply-To: <20161220235116.297d870f@gumby.homeunix.com>
References:  <20161220185343.GA12168@chilled.skew.org> <20161220235116.297d870f@gumby.homeunix.com>

> On 20 Dec, 2016, at 16:51, RW <rwmaillists@googlemail.com> wrote:
>
> On Tue, 20 Dec 2016 11:53:43 -0700
> Mike Brown wrote:
>
>> The AS_ROOT option in the mail/spamassassin port is really confusing
>> to me. Given that its description is "Run spamd as root
>> (recommended)", what actually happens is somewhat bonkers:
>>
>> The main spamd process always runs as root. If AS_ROOT is enabled,
>> then the child processes who do all the work will not run as root,
>> but rather as unprivileged user spamd. If AS_ROOT is disabled, then
>> the children *will* run as root, but as needed they will setuid to
>> the user calling spamc.
>> Which setting you want depends on where user prefs and Bayes data is
>> stored. If it's in user-owned ~/.spamassassin directories, then you
>> want AS_ROOT disabled or you'll get a plethora of error messages and
>> lock file warnings relating to permissions, since user spamd can't
>> write where it needs to.
>
> That shouldn't happen as the default (without virtual users) is to
> use /var/spool/spamd, the spamd user's home directory.
>
>> It took me a while to figure this out on a fresh installation. I
>> enabled the option, thinking "yes, of course I want it to run as
>> root, so that it can write to the users' home directories"... then I
>> was confused when it ended up not running as root but rather as user
>> spamd, and the behavior I wanted was only possible if I configured
>> the port to *not* run spamd as root.
>>
>> I guess I am just griping, but I would like to think there is a
>> better way to describe and name the configuration option. Maybe
>> AS_SPAMD_USER with description "Run spamd as unprivileged user
>> (recommended)"?
>
> I never noticed this because (probably like a lot of people) the first
> thing I did was set my own spamd_flags in rc.conf and that overrides
> the effect of AS_ROOT.
>
> I do agree it's confusing. I've CC'ed the maintainer.

Thanks for the Cc, RW. Mike, I completely agree that the wording is
terrible.

I think your suggested text ("Run spamd as unprivileged user
(recommended)") is great.

The ports system also has the ability to put more detail into a pkg-help
file that shows up as something like "Press ^E for more info." It sounds
like this would be useful here. It's been a while since I messed around
with that option, so would you be interested in writing a slightly more
detailed explanation of the difference?

# Adam


-- 
Adam Weinberger
adamw@adamw.org
https://www.adamw.org





