[Dovecot] dovecot-antispam and permissions

Tom Hendrikx tom at whyscream.net
Sun Jun 14 18:06:11 EEST 2009


Tom Hendrikx wrote:
> hi list,
> 
> I'm having trouble with a new setup. My server is running postfix
> (2.5.5), dovecot (1.1.7), dspam (3.8.0). These all seem to work with
> each other. When I add dovecot-antispam in the mix, the following problem
> occurs:
> 
> New mail arrives, postfix hands the mail to dspam using a
> content_filter, and dspam classifies the mail, running as the dspam user.
> Dspam writes its data away in a sqlite database. Mail then gets
> reinjected into postfix and delivered to the system user by deliver.
> 
> When I manually classify a mail using dovecot-antispam, dovecot runs
> dspam classification as the system user. This gives the error "failed to
> call dspam" in my client, and the message "dspam[20203]: query error:
> attempt to write a readonly database: see sql.errors for more details".
> 
> Since the mentioned sql.errors is owned by the system user and not by
> the "dspam" user, it seems that the re-classification process is run as
> that user, so he has no write access to the sqlite db, which is owned by
> dspam:dspam. I could fix this by manually changing group ownership to
> the database, but maybe there is a more generic way to solve this?
> 

To answer my own question: I think I have it working by adding to
dovecot.conf:

antispam_dspam_binary = /usr/local/bin/dspam-wrapper

Contents of the wrapper:

#!/bin/sh
# Quote "$@" so each argument reaches dspam unchanged (no word splitting or globbing).
/usr/bin/sudo -u dspam /usr/bin/dspam "$@"

Finally, adding to /etc/sudoers:

%mail ALL=(dspam) NOPASSWD: /usr/bin/dspam

Since the actual users have no shell access to the mail server itself, I
see no direct security implications here. But maybe there is some more
elegant way?

-- 
Regards,
	Tom
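
Added example (not part of the original post or of dovecot-antispam): a variant of the wrapper above that checks its arguments against an allowlist before calling sudo. The option set (--source=error, --class=, --signature=, --deliver=, --user) and the character sets accepted for the signature and user name are assumptions about what dovecot-antispam passes; adjust them to your configuration.

```sh
#!/bin/sh
# Added example: allowlisting wrapper for antispam_dspam_binary.
# Assumption: dovecot-antispam only passes the retraining options below.
DSPAM=/usr/bin/dspam   # path from the post

# Return 0 only if every argument is on the allowlist.
dspam_args_ok() {
    [ "$#" -gt 0 ] || return 1
    expect_user=0
    for arg in "$@"; do
        if [ "$expect_user" -eq 1 ]; then
            # Value after --user: conservative account-name charset (assumption).
            case "$arg" in
                ''|-*|*[!A-Za-z0-9._@-]*) return 1 ;;
            esac
            expect_user=0
            continue
        fi
        case "$arg" in
            --source=error|--class=spam|--class=innocent|--deliver=) ;;
            --user) expect_user=1 ;;
            --signature=) return 1 ;;
            --signature=*)
                # Signature charset is an assumption: alphanumerics and commas.
                case "${arg#--signature=}" in
                    *[!A-Za-z0-9,]*) return 1 ;;
                esac ;;
            *) return 1 ;;
        esac
    done
    # A trailing --user with no value is malformed.
    [ "$expect_user" -eq 0 ]
}

run_dspam() {
    if ! dspam_args_ok "$@"; then
        echo "dspam-wrapper: rejected arguments" >&2
        return 64
    fi
    exec /usr/bin/sudo -u dspam "$DSPAM" "$@"
}

# Run only when installed under the wrapper name used in the post.
case "${0##*/}" in
    dspam-wrapper) run_dspam "$@" ;;
esac
```

The check only constrains calls that go through the wrapper; the sudoers rule from the post still permits any dspam arguments to members of the mail group who can run sudo directly.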
